Privacy Act 2020 – comes into force on 1 December
New Privacy Act
Earlier this year, a new Privacy Act was finally passed (the Privacy Act 2020), completing an overhaul of New Zealand’s privacy laws. Generally, the new Privacy Act is designed to better reflect privacy issues in the digital age.
Issues of cybersecurity and data protection are now hot button issues for individuals and businesses. For example:
- the rising tide of cyber threats (and the reporting of an increase in the incidence of cybercrime this year during the COVID-19 pandemic);
- media attention given to data breaches and the increased risk of reputational harm; and
- (as a response) international regulators imposing eye-watering fines for breaches,
mean that privacy / data protection should be firmly on the radar for most businesses.
The comments that follow provide a high-level summary of the key changes – for businesses which must be prepared when the new Privacy Act comes into force on 1 December.
Notifiable privacy breaches
Possibly the most significant change for many businesses (an ‘agency’ in terms of the new Privacy Act) is the requirement to notify the Privacy Commissioner and the affected individual/s as soon as practicable after becoming aware of a notifiable privacy breach.
A notifiable privacy breach means a breach that has caused serious harm to an affected individual (or is likely to do so). The addition of a notification requirement brings New Zealand’s privacy law into line with comparable jurisdictions – most notably Australia.
The new Privacy Act sets out a (non-exhaustive) list of factors to consider when deciding if a privacy breach is likely to cause serious harm – but it does not actually define ‘serious harm’. Those guidelines include:
- any action taken to reduce the risk of harm following the breach;
- whether the personal information is sensitive in nature;
- the nature of the harm that may be caused to affected individuals;
- who obtained (or could obtain) the personal information as a result of the breach (if known); and
- whether the personal information is protected by a security measure.
Failing to give the notice without a reasonable excuse may result in a fine of up to $10,000 or the issue of a public compliance notice. As a result, it is suggested that businesses should take a conservative approach – until a greater body of experience has been developed, by the Privacy Commissioner (and possibly the Courts) as the likely tipping points for ‘serious harm’.
Note that protecting the businesses’ reputation is unlikely to be an adequate reason to delay notification.
When a notifiable breach occurs, under certain circumstances the business may also provide an affected individual with details of any third party in possession of their information. The business may do so if it has reasonable grounds to believe that identification was necessary prevent or lessen a serious threat to an individual’s life or health.
Employees are not personally liable for delays in notifying an affected person of a notifiable privacy breach. However, their employer remains liable.
Exceptions to notification requirements
The new Privacy Act requires businesses that become aware of a privacy breach to notify the Privacy Commissioner (and any affected individual/s) as soon as is practicable, or give public notice if it is unable to notify the affected individual/s.
However, in limited circumstances, a business is permitted to delay notifying individual/s or the public – if the notification itself would risk further breaches (e.g. if it would make others aware of the method used to access the information). Note that the business is still required to notify the Privacy Commissioner as soon as practicable.
A business may also decide not to inform an individual of a breach – if informing them would be likely to prejudice the individual’s health, or they are aged under 16 and the business believes notification is not in their best interests.
Cross-border disclosures
Many businesses and organisations rely on offshore service providers (and cloud-based data storage) for handling of individuals’ private data. As well as effectively endorsing the existing privacy principles, the new Privacy Act introduces a new information privacy principle (IPP #12) containing a series of controls on the disclosure of personal information to foreign agencies.
IPP#12 (‘Disclosure of personal information outside New Zealand’), reflects similar provisions in Australian and Europe – and is intended to ensure that personal information being sent offshore will be subject to comparable privacy safeguards to those which apply in New Zealand. Any business which discloses information to a foreign person or entity must either:
- be reasonably satisfied that the foreign person or entity is subject to laws which provide comparable safeguards as the new Privacy Act, or agrees to be bound by comparable safeguards as those found in the new Privacy Act (e.g. in a contract with the New Zealand business); or
- have expressly informed the individual that the foreign entity or person may not be required to protect the information in a way that provides comparable safeguards, and must obtain the individual’s authorisation to the disclosure on that basis.
Importantly, IPP#12 provides an exception in terms of which sending information offshore to be stored or processed by an agent (e.g. a cloud storage provider) will not be treated as a “disclosure” if the (overseas) agent does not use the information for its own purposes. However, the (New Zealand) business which sent the information offshore will be responsible for ensuring that its (overseas) agent complies with the privacy safeguards provided by the new Privacy Act. (Note also that there is an exception if the disclosure is made to a foreign business operating in New Zealand – on the basis that such a business already has to comply with the new Privacy Act).
If IPP12 does (or might) apply to your business, the Privacy Commissioner has released model terms that can be included in a contract with the overseas person receiving the transferred information to ensure there are comparable privacy safeguards in place.
Compliance notices
The new Privacy Act widens the scope for the Privacy Commissioner to publish compliance notices for privacy breaches. In particular, the Privacy Commissioner will have the power to publish compliance notices for breaches of a code of conduct under any legislation, in addition to breaches of the new Privacy Act.
Importantly, if a business receives a compliance notice and disagrees with it, it must appeal to the Human Rights Review Tribunal within a 15 working day window. Until the appeal is heard, or unless the Tribunal makes an interim order to suspend the notice, the business must comply with the directions specified in the notice. This process gives the Privacy Commissioner a broad power to issue compliance notices based on their interpretation of the new Privacy Act – and for the business lodge an appeal if it disagrees. This process could be costly and time consuming come at a significant cost to the agency even if the appeal is eventually successful.
The Privacy Commissioner will also be able to delay publication of any compliance notice if they believe it to be in the public interest to do so.
Complaints on behalf of other persons and groups
Anyone (and not just an aggrieved individual) may make a complaint, and a compliant can be made on behalf of one or more aggrieved individuals. In addition, representatives of a group of aggrieved individuals to commence proceedings in the Human Rights Review Tribunal on their behalf.
This will provide scope for groups of individuals who have been affected by a privacy breach to bring class actions against the business that committed the relevant breach.
Get ready for the new Privacy Act
The process of getting ready for the new Privacy Act coming into force on 1 December 2020 could include:
- Review contractual arrangements with third parties – where a third party stores or processes personal information provided by your business.
- Undertake staff training – so that key people in the business are up to speed with the changes under the new Privacy Act.
- Updating your businesses’ privacy policies to ensure compliance with the new Privacy Act – and to ensure that your customers and clients understand how your business will use their information. In particular – businesses should look at their privacy policy and website terms of use (in most cases IPP#12 is unlikely to apply – but extra protections will be needed if it does).
- Development of effective procedures to detect, report and investigate a personal data breach – to make sure that your business has a plan in place so that you can meet your reporting obligations without undue delay if a notifiable breach occurs.
- Ensuring that the business has (clear) internal lines of communication – and so that your staff know who they can approach within the business to discuss privacy issues.
Further information
If you would like more information about any of the matters discussed in this note, please contact me.
Comments are closed.