What you need to know about Privacy Act 2020

On December 1, 2020 the new Privacy Act 2020 comes into effect. This affects businesses and organisations that collect personal information about employees or customers. It’s the biggest change to privacy laws in Aotearoa since the Privacy Act became law in 1993.

Make sure your contracts, procedures, privacy policies, and training are up to scratch. It’s also a timely reminder that you must store and dispose of personal information safely and securely. Find advice for safe data disposal on the Privacy Commissioner website.

This blog is intended as general information about Privacy Act 2020, not legal advice. Please make sure you consult with a lawyer.

Key changes in Privacy Act 2020

Breach notifications

You must notify the Office of the Privacy Commissioner as soon as possible if your business or organisation has experienced a privacy breach – specifically one that has caused, or is likely to cause, serious harm to someone. You must also notify the affected people as soon as possible. There are some exceptions to the timing, such as when notifying customers of a breach could expose a security vulnerability before it’s fixed.

Compliance notices

The Privacy Commissioner can make a business or organisation comply with the Privacy Act if it’s failing to do so.

Access requests

The Privacy Commissioner can resolve complaints about access to information faster. If a customer or employee requests access to their information, you have 20 working days to respond.

Disclosing information overseas

New Zealand businesses or organisations can share personal information with overseas agencies only if those agencies have privacy protections similar to New Zealand’s (or agree to protect the information under a model clause added to their contracts). Alternatively, the individual must give fully informed consent to the disclosure of their information.

There are two exceptions: cloud providers who don’t use the personal information for business purposes (the New Zealand organisation must still ensure they handle the information in accordance with the Privacy Act 2020) and foreign businesses operating in NZ (as they will also have to comply with the Privacy Act).

Extraterritorial effect

This means the Privacy Act applies to overseas businesses or organisations operating in Aotearoa (for example, Facebook and Google) and requires they meet the new privacy obligations, even if they don't have a physical presence here.

New criminal offences

Under the new Privacy Act 2020, it is a crime to:

  • impersonate someone or pretend to act with their authority to access their personal information or have it altered or destroyed.

  • destroy someone’s personal information to avoid providing it when access is requested.

The penalty is a fine up to $10,000.

How to prepare for the new Privacy Act

  • Review your contracts with other businesses or organisations if they store or process personal information that you provide.

  • Make sure your privacy policies meet the requirements of the new law and let your customers and clients know how you will use their information.

  • Create or review procedures to detect privacy breaches and communicate them as soon as possible.

  • Train staff on privacy obligations and what to do if a breach occurs. Appoint a privacy officer if one doesn’t already exist, and make sure that person is familiar with the new law.

Helpful Privacy Act 2020 resources

Preparing for the new Privacy Act is a great opportunity to review your cyber security as well. For example, your Security Policy and Acceptable Use Policy should incorporate your privacy-related policies and procedures. Read the Brightly Privacy Statement, see more on our services page, or get in touch.
