On the 1st of December 2020, the new Privacy Act came into effect. In this short blog, we cut to the chase and summarise the key changes to the Act you need to know about. So grab a ‘cuppa’ and we’ll be done in no time!

In this blog, Engaging Partners share their insights into the Privacy Act changes.

Want to learn more about the Act? Read our full interview with Keith Norris, Regulatory Consultant at the NZMA here.

Most NZ marketers and business owners follow best practice when it comes to privacy. But with the recent changes to the Act that came into force on 1 December 2020, now is a good time to check your privacy practices are still in line with the Act and make sure you and your team are aware of the key changes.

The key changes to be aware of:

  1. Privacy breach notifications
  2. Information disclosure overseas
  3. Compliance notices
  4. Enforceable access directions and extraterritorial effect
  5. New criminal offences

1. Privacy breach notifications

The new law states that if an organisation has a privacy breach that it believes has caused (or is likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible. Failure to do so is considered an offence.

In a nutshell:

  • The purpose of this is to ensure privacy breaches are mitigated and those responsible are held accountable
  • Definition of ‘harm’ - according to Keith Norris, Regulatory advisor to the NZ Marketing Association, harm can be seen as intimidation, a breach causing physical harm, or exposing medical or financial records for example.
  • If your organisation is responsible for a privacy breach you must report it immediately.

2. Information disclosure overseas

Privacy Principle 12 has been added to the new Act. This states that an organisation may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the NZ Privacy Act. If not, the individual has to be fully informed that their information may not be protected and they have to give authorisation first.

This won’t apply to cloud providers who simply store or handle information on your behalf (not using the information for their own business purposes), or if the information disclosure is to a foreign business operating in NZ.

In a nutshell:

  • This part of the Act aims to regulate the way personal information can be sent overseas.
  • Definition of ‘agency’: basically means anyone other than your own entity - so broadly applies to individuals, groups of individuals, private and public entities etc.
  • Don’t share data with other entities unless they follow the same (or stricter) privacy principles we do here in NZ.

3. Compliance notices

If an organisation is not complying with the Privacy Act, the Privacy Commissioner can now issue compliance notices to organisations to require them to do something, or stop doing something.

In a nutshell:

  • The Privacy Commission now has more power to take action, even if a complaint has not been made.
  • Expect a knock on the door if you’re doing anything dodgy with customer data!

4. Enforceable access directions with ‘extraterritorial effect’

Faster resolution of complaints relating to information access is now supported. The Privacy Commissioner is now able to direct agencies to provide individuals with access to their personal information. This will be enforceable in the Human Rights Review Tribunal.

Even without any physical presence in New Zealand, any overseas organisation that conducts any type of business in New Zealand will be subject to the Act’s privacy obligations.

In a nutshell:

  • The Privacy Commission has the power to compel entities to take action if they don’t comply with our legislation.
  • This applies to any entity operating in NZ - including the likes of global giants such as Google and Facebook!

5. New criminal offences

It is now an offence to mislead an agency through means such as impersonation to access someone else’s personal information. It will also be an offence for an organisation to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.

In addition, the Human Rights Review Tribunal can award up to $350,000 to each member of a class action.

In a nutshell:

  • Fines will apply to any entity that knowingly flouts privacy compliance.
  • According to Keith, “…a breach that causes harm to a number of people could be really expensive, not to mention the reputational damage.”

Read our full interview with Keith Norris on the changes to the Privacy Act here.

What you must do, right now…

Keith advises that now is a good time to do a quick audit of your Privacy Policy:

  • Make sure it is up to date with all principles of the Act
  • In particular, add a new clause that tells people they have the right to complain to the Privacy Commission if they believe there has been a breach of their privacy
  • Double check all points of data collection include a simple privacy statement that links to your full Privacy Policy.