The new Privacy Act 2020
What you need to know:
- Effective 1 December 2020
- Strengthens protection of personal information
- Introduces reporting obligations if privacy breaches occur – reporting both to affected individuals as well as to the Privacy Commissioner. A new tool, NotifyUs, has been developed to assess whether breaches are notifiable or not and to report breaches if required.
- Applies to organisations operating offshore as well – including Facebook and Google and any cloud-based organisations you deal with. Also applies when you disclose information overseas.
- Introduces criminal offences for:
  - Misleading a business or organisation by impersonating someone, or pretending to act with that person’s authority, to gain access to their personal information or to have it altered or destroyed.
  - Destroying a document containing personal information, knowing that a request has been made for that information.
  The penalty for these offences is a fine of up to $10,000.
12 Key Information Privacy Principles
The Act also introduces the following 12 information privacy principles:
- Purpose of collection of personal information – there must be one
- Source of personal information – should be direct
- Collection of information from subject – should make individual aware you are collecting the information
- Manner of collection of personal information – should be lawful, fair and not unreasonably intrusive
- Storage and security of personal information – should be secure and prevent unauthorised use or disclosure
- Access to personal information – needs to be made available upon request
- Correction of personal information – should be corrected upon request or the request attached to the information itself
- Accuracy of personal information to be checked before use – this should include checking that the information is accurate, up to date, complete, relevant and not misleading
- Agency not to keep personal information for longer than necessary
- Limits on use of personal information – should only be used if one of the criteria set by the Act is met (such as the information being publicly available, authorised by the individual or used in a form in which the individual concerned is not identified)
- Limits on disclosure of personal information – should only be disclosed if one of the criteria set by the Act is met (such as where the disclosure is authorised, to maintain public health or safety, to prevent a serious threat to someone’s life or health, or for the maintenance of the law).
- Unique identifiers – can only be assigned if necessary and only to those whose identity is clearly established
Additional Powers to Privacy Commissioner
The Privacy Commissioner is given additional powers, including:
- The ability to issue compliance notices to compel organisations to do something – or stop doing something
- The power to direct organisations to give individuals access to their personal information
What you need to do:
- Review the personal information you hold and consider whether you could provide someone with their personal information in a timely manner if requested. This includes personal information you hold about your staff.
- Develop a privacy breach response plan, including who needs to be made aware of a breach and who is involved in the reporting process.
- Consider whether any changes need to be made to your information management practices to enable you to meet your obligations, including the mandatory breach notifications.
- Train your staff on their obligations under the Act.
- Assign someone in your business the role of privacy officer.
Where to find out more
There are lots of resources, including videos, blogs, information sheets and a 30-minute online training module, on the www.privacy.org.nz/2020 website.