Agencies need to turn their attention to reviewing internal practices, processes and policies, to ensure they comply with obligations under the new Act.

What do I need to do now to prepare?

Ensuring your organisation has suitable privacy and data protection processes in place can no longer be seen as a compliance exercise.  Properly managing your privacy and data collection, storage and use risks are governance issues that can go to the core of an organisation’s reputation, culture and values.  Risk management of this nature requires ongoing agency-wide input and attention from HR, IT, Legal, Marketing, Finance and others. The introduction of the new Act provides all organisations with a valuable opportunity to revisit and reassess current privacy practices to ensure they are up-to-date and fit for purpose.

Reassess

• Do you have a clear picture of how your organisation handles personal information? If not, it might be time to undertake a privacy audit.
• Do you have appropriate consents and opt-ins in place to process personal information?
• If you disclose or transfer personal information offshore, what countries does the information go to and what safeguards do you have place to ensure the protection of that information?
• Who is your designated Privacy Officer? All organisations are required to have one.
• Does your business adopt a privacy by design approach to the implementation of new technologies and systems?
• Do you provide regular reporting to your Board on privacy matters?

Prepare

• Do you have a data breach response plan in place? Do you have cyber insurance to cover you for the potential costs involved in managing and responding to a cyber incident affecting personal information?
• Have you updated your contractual templates to reflect the requirements of the new Privacy Act? Consider whether variations to existing contracts may also be required, particularly to ensure you meet the requirements under the new Information Privacy Principle (IPP) 12 relating to offshore transfers.
• Does your organisation need to update privacy training materials?

Key changes under the new Act

Mandatory breach reporting

A new regime has been introduced for the mandatory reporting of a notifiable privacy breach – which is a privacy breach that causes (or is likely to cause) serious harm.

When assessing ‘serious harm’ agencies should consider factors such as:

• actions taken to reduce the risk of harm
• the sensitivity of the affected data
• the nature of harm that may be caused
• whether the information is protected by security measures
• the person or body that has (or may have) obtained the data.

If a notifiable privacy breach occurs, agencies must notify:

• the Office of the Privacy Commissioner; and
• affected individuals.

It will be an offence to fail to inform the Privacy Commissioner where there has been a notifiable privacy breach, unless one of the limited exceptions apply.

Offshore transfers

A new IPP has been introduced to regulate how personal information is disclosed overseas. Under the new IPP 12, an agency may only disclose personal information to a foreign entity if:

• The foreign entity is subject to privacy laws or other prescribed measures that overall provide comparable safeguards to those under NZ’s Privacy Act; or
• The individual concerned authorises the disclosure (after being expressly informed that the information may not be subject to comparable protections).

Important: The offshore transfer requirements do not apply to disclosures or transfers to service providers who may hold or process personal information solely as an agent for another agency, provided the third party does not use the information for its own purposes e.g. cloud storage providers.

Extra-territorial effect

All overseas agencies ‘carrying on business in New Zealand’ will be subject to the Act regardless of:

• whether they have a legal or physical presence here;
• where the personal information is collected and held; and
• where the person to whom the personal information relates is located.

This provision broadens the scope of application of the Privacy Act and will affect foreign businesses, such as Google and Facebook, who have in the past claimed they are not subject to New Zealand law as they have no physical or legal presence here.  However, the enforceability of this provision on overseas agencies without a presence in New Zealand is still unclear.

Compliance notices

The Privacy Commissioner will be empowered to issue compliance notices to agencies to require them to do something, or stop doing something, in order to comply with the Privacy Act.

Importantly, if an agency receives a compliance notice and disagrees with it, the agency must appeal to the Human Rights Review Tribunal within 15 working days.  Until the appeal is heard, or unless the Tribunal makes an interim order to suspend the notice, the agency is required to comply with the directions specified in the notice. This is a relatively broad power for the Privacy Commissioner as it means he or she can issue compliance notices based on their interpretation of the Act and it then falls on the agency to lodge an appeal within the specific timeframe and, in the meantime, may require the agency to comply with the notice until the appeal is heard – which could come at a significant cost to the agency even if the appeal is eventually successful.

Enforceable access directions

The Privacy Commissioner will be empowered to issue binding directions against agencies to allow individuals to access their information. Access directions will be enforceable by the Human Rights Review Tribunal.

Clarification to IPP1

An agency may not require identifying information from an individual unless it is necessary for the lawful purpose for which the information is collected.

Collecting personal information from children

IPP4 now emphasises that the manner of collection must be fair and not intrude to an unreasonable extent upon the personal affairs of the individual concerned, particularly where personal information is collected from children or young persons.

Criminal offences and penalties

The Privacy Act 2020 creates two new criminal offences for:

• Misleading an agency by impersonating an individual for the purpose of obtaining access to, or using, altering or destroying that individual’s personal information; and
• Destroying a document containing personal information with knowledge that a request has been made in respect of that information.

The penalties for a person who commits an offence under the new Act has increased from a fine on conviction of up to $2,000 previously, to a fine up to $10,000 come December. Although these potential fines may not have the same magnitude as other privacy laws around the world such as the GDPR, the real cost to agencies for committing an offence or failing to comply with the Act will ultimately be the reputational damage and effect that a conviction or breach may cause.  We anticipate this will usually be incentive enough for agencies to ensure they have robust processes in place to mitigate the risk of non-compliance and/or a privacy breach.

Class actions

‘Aggrieved individuals’ whose privacy is the subject of a complaint, investigation or proceeding will be able to commence proceedings in the Human Rights Review Tribunal as a class. The Tribunal can award up to $350,000 to each member of a class action.

If you would like any advice on how these changes will affect your organisation, or in getting ready for the new legislation, please contact one of our experts listed below.