What you need to know about Privacy Act 2020
On December 1, 2020 the new Privacy Act 2020 comes into effect. This affects businesses and organisations that collect personal information about employees or customers. It’s the biggest change to privacy laws in Aotearoa since the Privacy Act became law in 1993.
Make sure your contracts, procedures, privacy policies, and training are up to scratch. It’s also a timely reminder that you must store and dispose of personal information safely and securely. Find advice for safe data disposal on the Privacy Commissioner website.
This blog is intended as general information about Privacy Act 2020, not legal advice. Please make sure you consult with a lawyer.
Key changes in Privacy Act 2020
Breach notifications
You must notify the Office of the Privacy Commissioner as soon as possible if your business or organisation has experienced a privacy breach – specifically if it has, or is likely to, cause serious harm to someone. You must also notify the affected people as soon as possible. There are some exceptions to the timing, such as when notifying customers of a breach could expose a security vulnerability before it’s fixed.
Compliance notices
The Privacy Commissioner can make a business or organisation comply with the Privacy Act if it’s failing to do so.
Access requests
The Privacy Commissioner can resolve complaints about access to information faster. If a customer or employee requests access to their information, you have 20 working days to respond.
Disclosing information overseas
New Zealand businesses or organisations can share personal information to overseas agencies only if they have similar privacy protections to New Zealand (or agree to protect the information with a model clause added to their contracts). Alternatively, the individual must give fully informed consent to the disclosure of their information.
There are two exceptions: cloud providers who don’t use the personal information for business purposes (the New Zealand organisation must still ensure they handle the information in accordance with the Privacy Act 2020) and foreign businesses operating in NZ (as they will also have to comply with the Privacy Act).
Extraterritorial effect
This means the Privacy Act applies to overseas businesses or organisations operating in Aotearoa (for example, Facebook and Google) and requires they meet the new privacy obligations, even if they don't have a physical presence here.
New criminal offences
Under the new Privacy Act 2020, it is a crime to:
impersonate someone or pretend to act with their authority to access their personal information or have it altered or destroyed.
destroy someone’s personal information to avoid providing it when access is requested.
The penalty is a fine up to $10,000.
How to prepare for the new Privacy Act
Review your contracts with other businesses or organisations if they store or process personal information that you provide.
Make sure your privacy policies meet the requirements of the new law and let your customers and clients know how you will use their information.
Create or review procedures to detect privacy breaches and communicate them as soon as possible.
Train staff on privacy obligations and what to do if a breach occurs. Appoint a privacy officer if one doesn’t already exist, and make sure that person is familiar with the new law.
Helpful Privacy Act 2020 resources
You can find Privacy Act information sheets about the changes on the Privacy Commissioner website.
There are also quick e-learning modules to help you learn more about key changes in the Privacy Act and reporting privacy breaches.
Use online tool NotifyUs to notify the Privacy Commissioner of a breach.
If you don’t have a privacy statement, there’s a Privacy Statement Generator called the Priv-o-matic on the Privacy Commissioner website that you can use for free.
Preparing for the new Privacy Act is a great opportunity to review your cyber security as well, for example your Security Policy and Acceptable Use Policy should incorporate your privacy-related policies and procedures. Read the Brightly Privacy Statement, see more on our services page, or get in touch.