The new Privacy Act 2020 – what’s changing?
On the 1st of December this year the Privacy Act 2020 will replace the Privacy Act 1993, completing a lengthy overhaul process. The purpose of the Act is to strengthen privacy protections, and to promote better risk management and earlier intervention by the organisations and individuals that handle data.
The way we live and work has changed vastly since the Privacy Act was first enacted in 1993. Today we can do almost anything online and our data is collected by organisations in New Zealand and around the world. While the core framework of the Privacy Act 1993 has been retained, the new Act has been modernised to reflect wider societal changes and to ensure it is fit for the technological world in which we live.
One of the most widely discussed changes for most organisations (referred to as ‘agencies’ in the legislation) will be the requirement to report serious privacy breaches. Under the new Act, any organisation that suffers a notifiable privacy breach will be required to notify the Privacy Commissioner and affected individuals. Failure to report a notifiable privacy breach will carry a fine of up to NZ$10,000.
A privacy breach will be notifiable if it is reasonable to believe that the breach has caused serious harm to affected individuals, or is likely to do so. While the new Act does not explicitly define what ‘serious harm’ is, guidelines are provided to help businesses make this assessment. Initially, this may result in over-notification from some organisations while they develop an understanding of what constitutes ‘serious harm’. Conversely, some organisations may be reluctant to report privacy breaches unless it is very clear that serious harm has occurred.
Other important changes include the introduction of compliance orders, criminal offences and fines for non-compliance, and new controls on disclosing information overseas. Yet the new Act does not go as far as other highly publicised data protection laws such as the EU’s GDPR. Individuals do not have the same rights as data subjects in other jurisdictions, such as the ‘right to be forgotten’ or the right to data portability, and the fines for non-compliance are comparatively low.
We can help you ensure that your systems and processes comply with the new Act. Please contact us to find out more.