The new Privacy Act 2020
What you need to know:
- Effective 1 December 2020
- Strengthens protection of personal information
- Introduces reporting obligations if privacy breaches occur, requiring reporting both to affected individuals and to the Privacy Commissioner. A new tool, NotifyUs, has been developed to assess whether a breach is notifiable and to report it if required.
- Applies to organisations operating offshore as well, including Facebook, Google and any cloud-based organisations you deal with. It also applies when you disclose information overseas.
- Introduces criminal offences for:
  - Misleading a business or organisation by impersonating someone, or pretending to act with that person’s authority, to gain access to their personal information or to have it altered or destroyed.
  - Destroying a document containing personal information, knowing that a request has been made for that information.
The penalty for these offences is a fine of up to $10,000.
12 Key Information Privacy Principles
The Act also introduces the following 12 information privacy principles:
- Purpose of collection of personal information: there must be one.
- Source of personal information: it should be collected directly from the individual concerned.
- Collection of information from the subject: the individual should be made aware that you are collecting the information.
- Manner of collection of personal information: it should be lawful, fair and not unreasonably intrusive.
- Storage and security of personal information: it should be stored securely so as to prevent unauthorised use or disclosure.
- Access to personal information: it needs to be made available upon request.
- Correction of personal information: it should be corrected upon request, or the correction request attached to the information itself.
- Accuracy of personal information: it is to be checked before use; this should include checking that the information is accurate, up to date, complete, relevant and not misleading.
- Retention of personal information: an agency is not to keep personal information for longer than necessary.
- Limits on use of personal information: it should only be used if one of the criteria set by the Act is met (such as the information being publicly available, authorised by the individual, or used in a form in which the individual concerned is not identified).
- Limits on disclosure of personal information: it should only be disclosed if one of the criteria set by the Act is met (such as where the disclosure is authorised, to maintain public health or safety, to prevent a serious threat to someone’s life or death, or for the maintenance of the law).
- Unique identifiers: these can only be assigned if necessary, and only to those whose identity is clearly established.
Additional Powers to Privacy Commissioner
The Privacy Commissioner is given additional powers, including:
- The ability to issue compliance notices to compel organisations to do something or stop doing something
- The power to direct organisations to give individuals access to their personal information
What you need to do:
- Review the personal information you hold and consider whether you could provide someone with their personal information in a timely manner if requested. This includes the personal information you hold about your staff.
- Develop a privacy breach response plan, including who needs to be made aware of a breach and involved in the reporting process.
- Consider whether any changes need to be made to your information management practices to enable you to meet your obligations, including the mandatory breach notifications.
- Train your staff on their obligations under the Act.
- Assign someone in your business the role of privacy officer.
Where to find out more
There are many resources, including videos, blogs, information sheets and a 30-minute online training module, on the www.privacy.org.nz/2020 website.