Important Changes to New Zealand’s Privacy Laws
Privacy laws set out the rules a business must follow when collecting, using, storing and disclosing an individual’s personal information.
These rules are changing on 1 December 2020 when the new Privacy Act 2020 takes effect.
To prepare for 1 December, all businesses should have a privacy policy informing customers how their personal information will be collected, stored, used and disclosed, and internal procedures for handling customer privacy.
What does this mean for your business?
Mandatory reporting of serious data breaches. It is a breach of privacy law if personal information that your business holds is accessed without authorisation, whether through an accidental release or a deliberate hacking. Your business is also responsible for any privacy breach committed by your cloud storage provider, data processor, and any other service provider that you transfer personal information to. You must report a privacy breach that poses a risk of serious harm to an affected individual to the Privacy Commissioner and the affected individual as soon as you become aware of it.
You should put in place a privacy breach reporting process
Your privacy policy should cover what steps to take if there is a breach and how to assess if the breach must be reported to the Privacy Commissioner. Your employees should be aware that they need to report any potential privacy breaches to you.
Don’t have a privacy policy? Create one for free here.
Review your contract with your data storage provider.
If you store your customers’ personal information with a data storage provider, you should make sure that they are required to both protect your customers’ information and immediately tell you if a privacy breach occurs. It is important that you know as soon as possible so you can take steps to contain the breach and assess if it must be reported.
Mandatory compliance with Privacy Commissioner’s directions. For serious or repeated breaches of the Privacy Act 2020, the Privacy Commissioner can force a business to comply with the Act. This can be avoided by managing customer requests to access personal information and privacy complaints appropriately and quickly.
You should appoint a Privacy Officer
Appoint a privacy officer who is responsible for upholding privacy within your business. This can be you or one of your employees. The Privacy Commission offers free online training for businesses on how to comply with their privacy obligations.
You should put privacy management processes in place
You should have an internal privacy policy covering how you will comply with the Privacy Act 2020 throughout the entire lifecycle of collection, storage, use and disclosure of personal information. Your privacy officer should be responsible for implementing the policy and regularly reviewing and updating it.
Greater controls on the sharing of personal information overseas. If you do need to share your customers’ personal information with an overseas company, including a data storage provider, you can only do so if:
your customer consents; and
the overseas company receiving the personal data will protect the data in a way that is consistent with New Zealand privacy laws.
You should obtain customer consent
Review and update your website privacy policy so your customers are clearly informed that their personal information will be shared outside New Zealand and the reasons for the disclosure (e.g., data storage, provision of services, etc).
You should ask the overseas company how your customers’ personal information will be protected.
Conduct due diligence on the overseas company that you wish to share your customers’ personal information with:
Does the overseas company operate in countries like the EU or Australia with similar privacy laws to New Zealand?
Does it have a global reputation for taking privacy seriously?
Has it been in the gun for privacy breaches?
What are the risks if it goes very wrong?
Reputational loss. The Privacy Commissioner may publicly identify a business that breaches the Privacy Act 2020. This could cause your customers to lose confidence in your business.
Criminal liability. There are now a range of consequences for breaching the Privacy Act, including criminal liability for both the company and its directors, with fines of up to $10,000.
Class action. If there is a mass privacy breach affecting a large number of individuals, they can go to Court as a group to claim damages from the business responsible for the privacy breach. If successful, the Court can award each individual up to $350,000, depending on how serious the breach was and what steps were taken to contain the breach and prevent it from occurring again.
If you have any questions around your privacy matters, call us for a free no-obligations chat.