Unless you closely follow changes to legislation and Government updates, you may not know that an updated Privacy Act 2020 has been released and comes into effect on 1 Dec 2020.
The amendments to the existing Privacy Act 1993 strengthen the existing privacy principles and add some new requirements. Most of the changes only affect how the laws are enforced. The changes which potentially affect businesses focus on risk management and early intervention, and affect businesses in respect of the information they hold on their employees and customers.
The main changes include:
- You will have to report serious harm privacy breaches to the Privacy Commissioner.
- Destroying documents that contain personal information, if a request has been made for that information, will now be considered a criminal offence.
- You need to ensure that any overseas provider that holds personal information for you or your customers meets New Zealand privacy laws.
Serious harm privacy breaches are determined by considering the facts of the case. Consideration would be given to the sensitivity of the information lost, what has been done to reduce the risk of harm, the nature of the harm that could be caused and any other relevant information. The Office of the Privacy Commissioner will have an online privacy breach notification tool to assist with reporting.
The amendment gives more power to the Privacy Commissioner to issue compliance notices to do, or not do, something to comply with the Act, and to issue enforceable access directions to direct agencies to provide access to personal information requested by individuals.
For businesses which store customer information electronically, it is recommended to create a compliant data breach plan and check with your IT providers, including overseas companies, what their protections and guarantees are, particularly if you store your data with a cloud service.
To meet the requirements for information sent or held overseas you must either:
- be reasonably satisfied that the foreign person or entity is subject to laws which provide safeguards comparable to those in the Act, or has agreed to be bound by safeguards comparable to those found in the Act; or
- have expressly informed the individual that the foreign entity or person may not be required to protect the information in a way that provides comparable safeguards, and you must obtain the individual’s authorisation to the disclosure on that basis.
At this stage, all businesses should examine their risk and prepare to be compliant when the changes come into effect in December.
The changes have been made easy to see: you can download a chart comparing the 1993 and 2020 Privacy Acts from the Privacy Commissioner's website.