Changes to privacy law, coming soon…

The Privacy Act 2020 (Act) will take effect on 1 December 2020, repealing the Privacy Act 1993 and revoking the Privacy Regulations 1993.

The purpose of the Act is to promote and protect individual privacy by:

  • providing a framework for protecting an individual’s right to privacy of personal information, while recognising that other rights and interests may at times also need to be taken into account; and

  • giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information.

In general terms, an agency is any organisation or person that collects and/or holds personal information (i.e. information about an identifiable individual).

Key changes

The Act will make several changes to privacy law in New Zealand, including those set out below.

  • Notifiable breaches: The Act will introduce a breach notification regime. If it is reasonable to believe that a privacy breach has caused serious harm (or is likely to do so), the agency must notify the Privacy Commissioner and affected individuals as soon as possible.

  • Compliance notices: The Privacy Commissioner will be able to issue compliance notices to agencies to require them to do something (or stop doing something) in order to comply with the Act.

  • Access directions: The Privacy Commissioner will be able to direct agencies to provide individuals access to their personal information.

  • Cross-border disclosures: Before disclosing personal information to an agency outside of New Zealand, a New Zealand agency will be required to take reasonable steps to ensure that the receiving agency is subject to safeguards which are similar to those in the Act.

  • Worldwide effect: The Act makes it clear that an overseas business or organisation that is ‘carrying on business’ in New Zealand is captured by the Act, regardless of its geographic location.

  • New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s personal information. It will also be an offence for an agency to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.

Information privacy principles

The Act contains thirteen ‘information privacy principles’ (known as the IPPs). The IPPs are set out here. We recommend that you become familiar with the IPPs so you are mindful of privacy law requirements in all activities of your business.

Get prepared

To prepare for the Act, businesses and organisations will need to review their privacy policies, systems and procedures (including any third party or cross-border arrangements).

Please get in contact with us if you have any questions or would like to discuss the implications of the Act on your business.

Disclaimer: This publication should not be construed or acted on as legal advice. It is brief and general in nature. Specific advice should be sought.
