Privacy Law Reform.
New Zealand’s privacy laws are about to change. Our current law has struggled to keep up with the rise of extensive technological advances, which have transformed the way in which we collect and use personal information. Any organisation that gathers customers' details for any reason (e.g., newsletter database, payment purposes, repeat bookings, loyalty programmes), or holds information about an individual (e.g., employers and employees), is affected by this long overdue law change.
This update comes in the form of the Privacy Act 2020, which strengthens privacy protections and requires ‘agencies’ (which includes any business or organisation) to actively manage their privacy obligations. It will also provide the Privacy Commissioner with increased powers to address privacy law breaches and to direct an agency (e.g. an employer) to provide an individual (e.g. an employee or customer) with access to their personal information.
Some of the changes include:
1. Mandatory notification of a privacy breach
Probably the most significant change is that agencies will be required to notify the Privacy Commissioner, and any affected individuals, of any ‘notifiable privacy breach’ as soon as practicable after becoming aware of the breach. A notifiable privacy breach will occur where it is reasonable to believe that the breach has caused, or is likely to cause, an affected individual serious harm.
When determining whether a breach has caused or may cause serious harm, agencies must consider the following factors:
- What action has been taken by the agency to reduce the risk of harm following the privacy breach.
- Whether the personal information subject to the breach is of a sensitive nature.
- The nature of the harm that may be caused to the affected individuals.
- If known, who has obtained, or may obtain, the personal information subject to the breach.
- Whether the personal information is protected by any security measures.
- Any other relevant matters.
Failure to notify the Privacy Commissioner of a notifiable breach under the act may result in a fine of up to $10,000. The Privacy Commissioner will also have the power to publish the identity of the agency subject to the breach where the Privacy Commissioner believes it is in the public interest to do so – which could have far-reaching implications for an agency's credibility and reputation.
2. Privacy Commissioner can issue and publish compliance notices
The Privacy Commissioner will have the ability to issue a compliance notice to an agency requiring it to take action, or to stop taking a particular action, in order to comply with privacy laws.
If the Privacy Commissioner issues a compliance notice to an agency, the act requires the Privacy Commissioner to publish the following information in relation to the compliance notice:
- The identity of the agency.
- Other details about the compliance notice or the breach that the Privacy Commissioner considers should be published.
- A statement or comment about the breach that the Privacy Commissioner considers is appropriate in the circumstances.
The publication of such a notice may only be avoided if an agency can satisfy the Privacy Commissioner that it would suffer undue hardship as a result, and the Privacy Commissioner believes that such hardship outweighs the public interest in the publication.
3. Disclosure of personal information outside New Zealand
Additionally, a new principle will be introduced concerning the disclosure of personal information outside of New Zealand. This will put more limits on foreign disclosure by requiring an agency to satisfy one of six requirements before disclosing an individual’s personal information overseas.
For example, an agency may disclose personal information to an overseas person or entity only if that person or entity is subject to privacy laws that provide comparable safeguards to those contained in the New Zealand Privacy Act.
4. Identifying information cannot be collected unless required
The new act will also prohibit an agency from obtaining more identifying information from an individual than is necessary for the purpose for which it is being collected. This addition is likely to have a significant impact on agencies, as it will require agencies to carefully consider what identifying information they are collecting from an individual and ensure that they can justify why that identifying information is required or necessary for their particular purpose.
5. New parameters for Privacy Act requests by employees
The most notable change to the act, which will impact employers, is an individual’s right to access their personal information held by an employer. With changes to the evaluative material ground for refusing access to one’s personal information, there can be serious consequences when actioning performance, disciplinary or redundancy processes.
It is now clear that performance reviews cannot be withheld. What this means is that an employee is entitled to be provided with all personal review information held about them by their employer. Employers should have a good understanding of how the act works, to ensure they understand that emails or documents that they may think of as ‘company property’, but which contain personal information about an employee, may be required to be provided to an employee in a Privacy Act request situation.
The Privacy Commissioner can also direct an agency (e.g. an employer) to provide an individual (e.g. an employee) with access to their personal information. This is intended to stop employers from ignoring Privacy Act requests and to also speed up Privacy Act requests in an effort to reach resolution of the issues at hand. Employers should have robust processes in place for dealing with requests by employees for personal information, to ensure they are compliant with the new legislation.
Undoubtedly, the Privacy Act 2020 will place an additional compliance burden on all manner of Kiwi businesses. Kiwi businesses will need to consider what personal information they collect and hold, why it is held, how long to retain it for and how individuals may require access to that information.
Organisations of all sizes (including sole traders) should seek advice about how to comply and have their privacy policies (including how to manage Privacy Act requests) and information collecting processes reviewed to ensure that they are appropriate.
If you feel you could use some specialist advice, don’t hesitate to contact the Commercial Team.