In NZ we’re lucky to have two things: the Privacy Act, which protects the use of our personal information; and Keith Norris, Regulatory Consultant to the NZ Marketing Association.

In this blog Engaging Partners interview Keith Norris about recent updates to the Privacy Act.

If you’ve been around the NZ marketing industry for any length of time, Keith Norris is a name you’ll all be familiar with. As the former CEO of the NZ Marketing Association, Keith’s name has become synonymous with all things Privacy. Keith was one of the original advisors to the Privacy Commissioner when the Privacy Act was first formed in 1993 and continues to advise marketers and businesses on privacy compliance today, in his role as Regulatory Consultant to the NZMA.

So when the latest update to the Privacy Act came into force on 1 December 2020, we jumped at the chance to interview Keith. We wanted to explore the history of the Act, what has changed and why, and what we should all be doing as marketers to ensure our Privacy practices are ‘top notch’. We interviewed Keith to find out why change was necessary, and we got his advice on the key do’s and don’ts to help you stay within the law. Here’s what he had to say…

Short on time? Read our quick guide to the Privacy Act changes here.

Keith, you've had a long association with the Privacy Act in New Zealand. Can you tell us about that?

“In the late 80s to early 1990s direct marketing was flourishing,” said Keith, who was then the President of the NZ Direct Marketing Association.

“Around the mid-80s there was a feeling that we should have a national identity card (like a driver's licence). But this was causing a lot of concern, particularly amongst university professors and some radicals, who were nervous about personal privacy. They were concerned about the State having too much control over individuals.”

As momentum was gaining, Keith approached the Privacy Commission to be part of a small group appointed to assist the Commissioner in preparing the 1993 Privacy Act.

“My goal was purely to make sure Direct Marketing was not negatively affected by the Act.”

What were the original objectives of the Act and how successful was it in achieving those objectives?

“The purpose of the Act was very simple. To ensure there was transparency about what information can be collected and how it is used. And that has not changed today.”

Keith went on to explain that the 2020 update to the Act is the first major change to the Act in 27 years, with one additional clause coming into effect in 1998 (principle 11 related to information disclosure).

Many people may confuse the Privacy Act and the UEM Act (Unsolicited Electronic Messages Act) which came into force in 2007. The UEM Act was brought in specifically to deal with commercial promotional emails. “What most people don’t realise is that the Privacy Act overrides the UEM Act. You've got to get your privacy policy right first,” stated Keith.

So it is a testament to the original Privacy Act that it has remained relevant to how we collect, use and manage data today - 27 years on - thanks to Keith and his colleagues.

We asked Keith if many organisations had been prosecuted under the original Act. His answer was very interesting.

“Very few have been prosecuted. The only major breaches of the Act have been government departments. Commercial breaches have been very few.”

When asked why that was the case, Keith explained that this is one of the fundamental reasons for the changes to the Act today.

“Up until 1 Dec 2020, the Privacy Commission was not able to act without a complaint. But now they can act with or without a complaint. They now also have more power to investigate breaches by multinational companies operating in New Zealand.”

So could companies like Facebook be accountable under NZ Privacy Law?

“Yes. However, taking action may have to go through the Human Rights Tribunal.”

When it comes to the use of cloud-based platforms such as HubSpot, we asked Keith where the responsibility for data protection lies - is it with the software provider, or the organisation using the platform? His response was that under the Act “...there is an assumption that cloud-based data is under the ownership of the organisation that collects and uses the data.” So if you collect it, you’re responsible for it.

What are the drivers behind changing to this new version of the Act?

“The key reason for this update to the Act is to give the Privacy Commissioner some power to investigate and if necessary, take action when breaches are reported, or suspected,” stated Keith. “The Commissioner now has permission to take offending organisations to court with requests to clean up their act.”

What are the penalties if they don’t comply with this request?

“Under the new Act, the maximum fine is $10,000. However, if a class action for a privacy breach is successful, further penalties may apply depending on the extent of potential ‘harm’ incurred by the breach.”

According to the Privacy Commission blog, “The updated Act will allow the Human Rights Review Tribunal to award up to $350,000 to each member of a class action.”

“So a breach that causes harm to a number of people could be really expensive, not to mention the reputational damage,” stated Keith.

An interesting observation Keith shared is how the marketing industry has “...been very well behaved…” when it comes to Privacy compliance. “Marketers are, in general, highly conscious of the need to handle personal data carefully and responsibly. And perhaps because we were there in the very beginning, the industry has encouraged everyone to be fair and transparent.”

Does this version of the Act more closely align to GDPR?

Keith explained that there are two key aspects of the new Act that bring us in closer alignment with GDPR:

  1. The reporting of breaches principle now follows GDPR, although the fines in the EU are far greater;
  2. A principle related to the transfer of data overseas requires organisations to make sure that those countries have similar privacy laws and follow similar principles to NZ Privacy Law.

However, the area of 'deemed' consent is still an area open to interpretation in New Zealand. What was Keith’s advice on this?

“In New Zealand, if you deem your service or product is relevant to the person whose data you’ve collected (or whose contact information is publicly available), then you have permission to send them communications as long as this is covered in your Privacy Policy.” However, Keith pointed out that this is actually a requirement of the UEM Act, not the Privacy Act.

So, when is it advisable to collect explicit consent?

“You need to follow GDPR’s guidelines on explicit consent if you are communicating with individuals in EU countries. But if you’re in doubt, or in an industry dealing with particularly sensitive data (think: harm) then erring on the side of explicit consent is recommended.

“In the future, we will probably move closer to GDPR.”

So, what would you say is the key change to the Act that all marketers should be aware of and why?

“The reporting of breaches is the key change in that organisations are required to notify the affected people and Privacy Commissioner if a breach that may cause harm has occurred,” explained Keith. “Harm can be seen as intimidation, a breach causing physical harm, or exposing medical or financial records for example.”

On this basis, are banks, health services, government departments and local government more at risk? “The legislation covers everybody - and everybody can be prosecuted, unlike in the past,” states Keith.

Can you share guiding principles that marketers and organisations should follow to stay within the law?

“If you follow marketing best practices then you’re covered,” Keith stated. “Principle 3 under the Act is the most important one to remember: when you collect info, you must tell people you’re collecting it and how you're going to use it.”

So, in a nutshell:

  1. Be transparent. Don’t hide anything.
  2. Make sure you have consent.
  3. Always give people the opportunity to opt-out or unsubscribe.

Do we all need to update our privacy policies in light of the new Act?

Keith advises that an important clause to add is to tell people they have the right to complain to the Privacy Commission if they believe there has been a breach of their privacy.

“In addition, if your business communicates or collects data from children, it is wise to have parental permission whenever communicating with young adults under 14 yrs,” Keith says.

From an Inbound Marketing perspective, is it necessary to include a privacy statement on all forms and points of data collection?

“That’s a great question. While it’s not necessary to repeat a request for consent at every point of collection following the first point of collection, there is always the risk of system or management failure. So a short statement with a link to your full privacy statement at all points of collection is advisable.”

And, with the myriad of digital channels marketers use to engage and capture people’s data today, it’s important to be vigilant. “If you’re collecting an email address via a chatbot conversation, for example, you must explain privacy consent and provide a link to your privacy policy.”

So 27 years on, the world has changed dramatically. Yet, the Privacy Act holds fast and stronger than ever to ensure the transparency of data collection for the people of New Zealand. On behalf of the New Zealand Marketing community, we’d like to express our gratitude to Keith Norris for his time during this interview, for sharing his wealth of knowledge on this topic, and for his ongoing commitment to best practices in our industry.