Privacy laws apply to every organisation and govern how individuals and businesses collect, use, disclose, store and give access to personal information.
From 1 December 2020, the regime for personal information in New Zealand will change under the new Privacy Act 2020, and a number of the changes may affect your business.
Some of the key changes include:
- Disclosing information overseas
- Notifiable privacy breaches
- New criminal offences
- Compliance notices
Disclosing information overseas – Principle 12
The general purpose of this Principle is to ensure that personal information being sent out of New Zealand will be subject to privacy safeguards that are comparable to those here. This is in line with international movements and with other jurisdictions enacting similar provisions.
Principle 12 only applies if you are disclosing information from your organisation to a ‘foreign person’ or ‘foreign entity’ as defined in the Act. It enables an organisation to disclose such personal information only where the:
1. recipient of the information is subject to a comparable privacy regime; or
2. disclosure is expressly authorised by the person to whom the information relates.
Important exemptions to the requirements of Principle 12 are when:
1. information is being sent to a cloud provider or other agent;
2. disclosure is authorised by another statute;
3. the disclosure is necessary to avoid prejudice to the maintenance of the law or to prevent or lessen a serious threat, and it is not reasonably practicable in the circumstances to comply with Principle 12 requirements.
As recommended by the Office of the Privacy Commissioner, the best and most practical way to ensure compliance with Principle 12 when you disclose information overseas is through an agreement with the person or entity that you are making the disclosure to. We recommend that you consider when your organisation may be in a situation to disclose personal information to an overseas entity, and have some pre-prepared template agreements (which can be modified) in place for when this occurs.
Notifiable privacy breaches
The changes will put in place a privacy breach notification regime. Where a business or organisation has a privacy breach that it believes has caused (or is likely to cause) serious harm, it will be required to notify the Office of the Privacy Commissioner and affected individuals as soon as possible. The failure to do this will be an offence.
To help logistically with this change, the Office of the Privacy Commissioner will be launching an online breach notification tool.
New criminal offences
It will now be an offence to:
1. mislead an agency to access another person’s personal information; and
2. destroy personal information, knowing that a request has been made to access it.
The penalty for these offences is a fine of up to $10,000.
Compliance notices
The Privacy Commissioner will now be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, in order to comply with the Privacy Act. Compliance notices will describe the steps that the Commissioner considers are required to remedy non-compliance with the Act and will specify a date by which the organisation or business must make the necessary changes.
With the changes under the new Act fast approaching, now is the time to review your business's information management processes. The experienced business team at TODD & WALKER Law can help you understand these changes and how they may impact your organisation. Contact us on 03 441 2743 or email [email protected].