The new Privacy Act 2020 – what’s changing?

On the 1st of December this year the Privacy Act 2020 will replace the Privacy Act 1993, completing a lengthy overhaul process. The purpose of the act is to strengthen privacy protections, and to promote better risk management and earlier intervention by the organisations and individuals that handle data.

The way we live and work has changed vastly since the Privacy Act was first enacted in 1993. Today we can do almost anything online and our data is collected by organisations in New Zealand and around the world. While the core framework of the Privacy Act 1993 has been retained, the new Act has been modernised to reflect wider societal changes and to ensure it is fit for the technological world in which we live.

One of the most-widely discussed changes for most organisations (referred to as ‘agencies’ in the legislation) will be the requirement to report on serious privacy breaches. Under the new Act, any organisation that suffers a privacy breach will be required to notify the Privacy Commissioner and affected individuals.  Failure to report notifiable privacy breaches will carry a fine of up to NZ$10,000.

A privacy breach will be notifiable if it is reasonable to believe that the breach has caused serious harm to affected individuals, or is likely to do so.  While the new Act does not explicitly define what ‘serious harm’ is, guidelines are provided to help businesses make this assessment. Initially, this may result in over-notification from some organisations while they develop an understanding of what constitutes ‘serious harm’. Conversely, some organisations may be reluctant to report privacy breaches unless it is very clear that serious harm has occurred.

Other important changes include the introduction of compliance orders, criminal offences and fines for non-compliance, and new controls on disclosing information overseas. Yet the new Act does not go as far as other highly-publicised data protection laws such as the EU’s GDPR. Individuals do not have the same rights as data subjects in other countries, such as the ‘right to be forgotten’ or the right to data portability, and the fines for non-compliance are comparatively low.

Key changes in the Privacy Act 2020:

• Mandatory notification of privacy breaches: Agencies will be required to notify the Privacy Commissioner and affected individuals of any privacy breach that it is reasonable to believe has caused serious harm as soon as possible. Under the Act, it is an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach.
• Compliance notices: The Privacy Commissioner will be able to issue agencies with compliance notices requiring them to do something in order to comply with the Privacy Act. The Human Rights Review Tribunal will be to enforce these notices and also hear appeals.
• Enforceable access directions: The Privacy Commissioner will be able to direct agencies to provide individuals with access to their personal information. Access directions will be enforceable in the Human Rights Review Tribunal.
• Disclosing information overseas: Agencies will be required to take reasonable steps to ensure that personal information disclosed overseas to a receiving agency will be subject to similar safeguards to those in the Privacy Act. If a jurisdiction does not offer similar protections, the individual concerned must be fully informed that their information may not be adequately protected and they must expressly authorise the disclosure.
• Extraterritorial effect: The new Privacy Act now clearly states that it has extraterritorial effect, meaning that an overseas business or organisation that is carrying on business in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here. This will affect businesses located offshore, such as Google and Facebook.
• Criminal offences: There are new offences for misleading an agency in a way to obtain access to someone else’s information. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it.

We can help you ensure that your systems and processes comply with the new Act. Please contact us to find out more.