Given the advancements we have made in digital enablement in the past few months alone, it is needless to say that our current Privacy Act 1993 is too outdated to cope with the new ways of gathering and storing information.
We spoke with Shima Grice, Partner at Sharp Tudhope Lawyers, to understand the key changes to the Privacy Act and the impact this will have on businesses when it comes into force from December 1 2020.
What are the key changes being implemented in the new Privacy Act?
- The obligation to notify the Office of the Privacy Commissioner and affected individuals of any privacy breach that it believes has caused (or is likely to cause) serious harm.
- The Privacy Commissioner will be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, in order to comply with the Privacy Act.
- The Privacy Commissioner will be able to direct agencies to provide individuals access to their personal information.
- A new privacy principle 12 has been added to regulate the way personal information can be sent overseas. Under principle 12, an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act. If a jurisdiction does not offer similar protections, the individual concerned must be fully informed that their information may not be adequately protected and they must expressly authorise the disclosure.
- Overseas businesses or organisations that are ‘carrying on business’ in New Zealand will be subject to the Act, even if they do not have a physical presence here. This will affect businesses located offshore, such as Google and Facebook.
- New criminal offences. It will be an offence to mislead a company or organisation in order to access someone else’s personal information – for example, impersonating someone in order to access information. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.
Why are these significant and why did these changes need to happen?
Our current Privacy Act was passed in 1993. Since then, information technology has developed enormously. Large amounts of data now can be stored, retrieved and transmitted digitally. That means that privacy breaches can impact many individuals, as has been seen by the significant data breaches which have occurred in recent years.
The existing Act also did not reflect the fact that companies such as Facebook and Google hold large amounts of personal information but are not subject to New Zealand law. The new Privacy Act expressly states that it will apply to any actions taken by an overseas organisation in the course of carrying on business in New Zealand, and is more focused on early identification and prevention of privacy risks.
What impact will this have on local businesses of all sizes, and how might the impact vary between say small businesses and large companies?
The new Act does not differentiate between a national company with regional offices and hundreds of staff, or a self-employed contractor who holds the email addresses of a handful of clients.
Every business, large or small, will hold personal information, and should already have systems in place for ensuring it is (among other things) accurate, secure, and securely disposed of when no longer necessary.
If you don’t, now is a good time to start thinking about what personal information your business collects, and where/how it is stored.
The Act requires every agency (company or organisation) to have a privacy officer. No special training or qualification is needed, but having a go-to person for managing privacy who understands the new law, and who can develop policies and processes, is a great start in complying with your privacy obligations.
What changes to their processes / systems will they need to make to ensure they are compliant?
Common mistakes include:
- Collecting more information than your business needs. If a date of birth, address or mobile number isn’t vital, don’t ask for it. This will help reduce the risk if company information is breached or leaked.
- Storing personal information in different places – whether in physical files, in CRM software or in the cloud, you need to know where information is stored and be able to access it. If you are storing information in the cloud, check that there are proper security measures in place that will comply with the new Act, particularly if information is being stored on servers located overseas.
- Not regularly checking whether the information held is accurate and up to date, and whether it can be permanently deleted or securely disposed of if it is no longer required. Develop systems that include regular checks to ensure the information you hold is up to date and accurate, or has served its purpose and can be destroyed or deleted.
- Not revoking access for those employees who no longer need it or who have left the company.
Businesses should review their current information-holding practices to ensure they avoid making these mistakes, and – just in case – make a privacy breach response plan.
What are the consequences for any breaches of the new Act?
- The new Act requires businesses to notify the Privacy Commissioner of privacy breaches that cause, or are likely to cause, serious harm to affected individuals. Failure to notify the Privacy Commissioner of a notifiable privacy breach (without reasonable excuse) is an offence with a fine of up to $10,000.
- It will be an offence to mislead a company or organisation in order to access someone else’s personal information – for example, impersonating someone in order to access information. The penalty is a fine of up to $10,000.
- It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for this is also a fine of up to $10,000.
- The Privacy Commissioner will be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, in order to comply with the Privacy Act. Compliance notices will describe the steps required to remedy non-compliance with the Act and will specify a date by which the organisation or business must make the necessary changes.
- The Commissioner will be able to shorten the timeframe in which an organisation or business must comply with investigations, and the penalty for non-compliance will be increased from $2,000 to $10,000.
What rights will people have under the new Act to take action / lodge a complaint?
People will still have the right to request access to and correction of their information. Complaints about privacy breaches will still be made to the Office of the Privacy Commissioner. What is new is that the Privacy Commissioner will be able to direct agencies to provide individuals access to their personal information. This is to allow faster resolution of complaints relating to access to information. Access directions will be enforceable in the Human Rights Review Tribunal.
Anything else the business community should know / be aware of?
The Act permits class actions in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings. That means in the case of a mass data breach (such as Cambridge Analytica obtaining the information of Facebook users) the updated Act will allow the Human Rights Review Tribunal to award damages of up to $350,000 to each member of a class action.
Other privacy issues that have been discussed overseas, such as a right to be forgotten, have not been incorporated into the new Act. The Minister of Justice has indicated that the Act will be subject to ongoing review to keep up with technological developments. Let’s hope this doesn’t take another 27 years!