The Privacy Act 2020 has finally made its way through Parliament and will come into effect on December 1st. The previous Act was created in 1993, and since then the web has developed at a rapid pace, with more business being conducted online and many companies now operating solely digitally.
We have put together a summary of the key changes and actions for your business.
If there has been a breach within your company that has caused or is likely to cause serious harm, it will be mandatory to report the breach to the Office of the Privacy Commissioner. The key phrase here is "serious harm", which can be assessed by looking at the sensitivity of the information lost and the nature of the harm that could arise. The Office of the Privacy Commissioner will launch an online notification tool for reporting these breaches.
There are two new criminal offences, which carry a fine of up to $10,000. The first is misleading an agency to gain access to personal information (impersonating someone), and the second is destroying information if a request has been made for that information.
New Zealand businesses can only disclose personal information to an organisation or business overseas if that business has similar safeguards in place to those in the NZ Privacy Act. If your company uses overseas service providers (cloud software, for example), they will also need to meet the NZ privacy law standards. Lastly, if you are an overseas company and carry out business in NZ, you will need to comply with our standards.
There has also been a strengthening of the Privacy Commissioner’s power to issue compliance notices and carry out investigations into breaches of privacy complaints.