Key changes under the new Act
Mandatory breach reporting
A new regime has been introduced for the mandatory reporting of a notifiable privacy breach – which is a privacy breach that causes (or is likely to cause) serious harm.
When assessing ‘serious harm’ agencies should consider factors such as:
- actions taken to reduce the risk of harm
- the sensitivity of the affected data
- the nature of harm that may be caused
- whether the information is protected by security measures
- the person or body that has (or may have) obtained the data.
If a notifiable privacy breach occurs, agencies must notify:
- the Office of the Privacy Commissioner; and
- affected individuals.
It will be an offence to fail to inform the Privacy Commissioner where there has been a notifiable privacy breach, unless one of the limited exceptions apply.
A new IPP has been introduced to regulate how personal information is disclosed overseas. Under the new IPP 12, an agency may only disclose personal information to a foreign entity if:
- The foreign entity is subject to privacy laws or other prescribed measures that overall provide comparable safeguards to those under NZ’s Privacy Act; or
- The individual concerned authorises the disclosure (after being expressly informed that the information may not be subject to comparable protections).
Important: The offshore transfer requirements do not apply to disclosures or transfers to service providers who may hold or process personal information solely as an agent for another agency, provided the third party does not use the information for its own purposes e.g. cloud storage providers.
All overseas agencies ‘carrying on business in New Zealand’ will be subject to the Act regardless of:
- whether they have a legal or physical presence here;
- where the personal information is collected and held; and
- where the person to whom the personal information relates is located.
This provision broadens the scope of application of the Privacy Act and will affect foreign businesses, such as Google and Facebook, who have in the past claimed they are not subject to New Zealand law as they have no physical or legal presence here. However, the enforceability of this provision on overseas agencies without a presence in New Zealand is still unclear.
The Privacy Commissioner will be empowered to issue compliance notices to agencies to require them
to do something, or stop doing something, in order to comply with the Privacy Act.
Importantly, if an agency receives a compliance notice and disagrees with it, the agency must appeal to the Human Rights Review Tribunal within 15 working days. Until the appeal is heard, or unless the Tribunal makes an interim order to suspend the notice, the agency is required to comply with the directions specified in the notice. This is a relatively broad power for the Privacy Commissioner as it means he or she can issue compliance notices based on their interpretation of the Act and it then falls on the agency to lodge an appeal within the specific timeframe and, in the meantime, may require the agency to comply with the notice until the appeal is heard – which could come at a significant cost to the agency even if the appeal is eventually successful.
Enforceable access directions
The Privacy Commissioner will be empowered to issue binding directions against agencies to allow individuals to access their information. Access directions will be enforceable by the Human Rights Review Tribunal.
Clarification to IPP1
An agency may not require identifying information from an individual unless it is necessary for the lawful purpose for which the information is collected.
Collecting personal information from children
IPP4 now emphasises that the manner of collection must be fair and not intrude to an unreasonable extent upon the personal affairs of the individual concerned, particularly where personal information is collected from children or young persons.
Criminal offences and penalties
The Privacy Act 2020 creates two new criminal offences for:
- Misleading an agency by impersonating an individual for the purpose of obtaining access to, or using, altering or destroying that individual’s personal information; and
- Destroying a document containing personal information with knowledge that a request has been made in respect of that information.
The penalties for a person who commits an offence under the new Act has increased from a fine on conviction of up to $2,000 previously, to a fine up to $10,000 come December. Although these potential fines may not have the same magnitude as other privacy laws around the world such as the GDPR, the real cost to agencies for committing an offence or failing to comply with the Act will ultimately be the reputational damage and effect that a conviction or breach may cause. We anticipate this will usually be incentive enough for agencies to ensure they have robust processes in place to mitigate the risk of non-compliance and/or a privacy breach.
‘Aggrieved individuals’ whose privacy is the subject of a complaint, investigation or proceeding will be able to commence proceedings in the Human Rights Review Tribunal as a class. The Tribunal can award up to $350,000 to each member of a class action.