On the 1st of December 2020, the new Privacy Act came into effect. In this short blog, we cut to the chase and summarise the key changes to the Act you need to know about. So grab a ‘cuppa’ and we’ll be done in no time!
In this blog, Engaging Partners share their insights into the Privacy Act changes.
Most NZ marketers and business owners follow best practice when it comes to privacy. But with the recent changes to the Act that came into force on 1 December 2020, now is a good time to check your privacy practices are still in line with the Act and make sure you and your team are aware of the key changes.
The new law states that if an organisation has a privacy breach that it believes has caused (or likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible. Failure to do so is considered an offence.
In a nutshell:
Privacy Principle 12 has been added to the new Act. This states that an organisation may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the NZ Privacy Act. If not, the individual has to be fully informed that their information may not be protected and they have to give authorisation first.
This won’t apply to cloud providers who simply store or handle information on your behalf (not using the information for their own business purposes), or if the information disclosure is to a foreign business operating in NZ.
In a nutshell:
If an organisation is not complying with the Privacy Act, the Privacy Commissioner can now issue compliance notices to organisations to require them to do something, or stop doing something.
In a nutshell:
Faster resolutions of complaints relating to information access has now been supported. The Privacy Commissioner is now able to direct agencies to provide individuals access to their personal information. This will be enforceable in the Human Rights Review Tribunal.
Even if not having any physical presence in New Zealand, any overseas organisation that is conducting any type of business in New Zealand will be subject to the Act’s privacy obligations.
In a nutshell:
It is now an offence to mislead an agency through means such as impersonation to access someone else’s personal information. It will also be an offence for an organisation to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.
In addition The Human Rights Review Tribunal can award up to $350,000 to each member of a class action.
In a nutshell:
Read our full interview with Keith Norris on the changes to the Privacy Act here.
Keith advises that now is a good time to do quick audit of your Privacy Policy: