Enter your details below to stay up-to-date with the latest IT solutions and security measures.
On the 3rd June, 2020 the Privacy Bill passed the ‘committee of the whole house’ in Parliament. A Supplementary Order Paper (SOP) successfully introduced the following amendments.
1) Once passed by Parliament, the new Privacy Act will come into effect roughly six months from now on 1 December 2020
2) Liability for privacy breach notifications sits with a business or organisation and not individual employees.
3) The act will allow the Human Rights Review Tribunal to award up to $350,000 to each member of a class action.
4) Privacy principle 4 has been clarified, requiring agencies to ensure the way they collect information from children and young people is fair.
KEY CHANGES TO THE ACT
Notifiable privacy breaches
The Privacy Act 2020 will introduce a privacy breach notification regime. If a business or organisation has a privacy breach that it believes has caused (or is likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible. Under the Act, it is an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach. As noted above, the Act clarifies that liability for breach notifications sits with the business or organisation, and not the individual employees.
It is important to note that not all privacy breaches need to be reported to the Office of the Privacy Commissioner. The threshold for a notifiable breach is ‘serious harm’. This can be assessed by considering, for example, the sensitivity of the information lost, actions taken to reduce the risk of harm, the nature of the harm that could arise, and any other relevant matters.
The Office of the Privacy Commissioner will be launching an online privacy breach notification tool and updated guidance ahead of the new Act to help businesses and organisations with this new requirement. Current guidance on handling privacy breaches can be found here.
The Privacy Commissioner will be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, in order to comply with the Privacy Act. Compliance notices will describe the steps that the Commissioner considers are required to remedy non-compliance with the Act and will specify a date by which the organisation or business must make the necessary changes.
Enforceable access directions
The Privacy Commissioner will be able to direct agencies to provide individuals access to their personal information. This will allow faster resolution of complaints relating to information access under principle 6. Access directions will be enforceable in the Human Rights Review Tribunal.
Disclosing information overseas
A new privacy principle 12 has been added to the Privacy Act to regulate the way personal information can be sent overseas. Under principle 12, an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act.
If a jurisdiction does not offer similar protections, the individual concerned must be fully informed that their information may not be adequately protected and they must expressly authorise the disclosure.
The new Privacy Act now clearly states that it has extraterritorial effect. This means that an overseas business or organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here. This will affect businesses located offshore, such as Google and Facebook.
New criminal offences
The Privacy Act 2020 introduces new criminal offences. It will now be an offence to mislead an agency to access someone else’s personal information – for example, impersonating someone in order to access information that you are not entitled to see. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.
The new Act retains the privacy principles of the current legislation, with some changes. Principle 1 has been clarified to ensure that businesses and organisations do not collect identifying information from people if it is not necessary. There are new withholding grounds for access requests under principle 6 and the Codes of Practice, such as the Health Information Privacy Code, will be updated in accordance with the provisions in the new Act.