Rapid changes in information technology over the last couple of decades have left the Privacy Act 1993 outdated and unfit to effectively regulate the current ways in which we gather, store and use information. To address this, NZ has a new Privacy Act on the way. The Privacy Act 2020 comes into force on 1 December 2020.
Key Changes In Privacy Act 2020
Disclosure of personal information outside New Zealand
In effect, a business or organisation may only send or store personal information overseas if the receiving agency is subject to safeguards which are comparable to those in the Privacy Act 2020; or where comparable safeguards may not be in place, the individual concerned gives informed consent to their personal information being sent or stored overseas.
Access directions
The Privacy Commissioner may direct a business or organisation to provide individuals with their personal information. Access directions may be enforced in the Human Rights Review Tribunal.
Notifiable privacy breaches
Businesses and organisations will have an obligation to notify the Privacy Commissioner and any affected individuals of privacy breaches which are likely to cause or have caused serious harm. If it is impractical to notify the affected individuals, the business or organisation will have to issue a public notice.
Compliance notices
The Privacy Commissioner will have the ability to issue compliance notices requiring businesses and organisations to take certain steps to comply with the Privacy Act 2020. Compliance notices may be enforced in the Human Rights Review Tribunal.
New offences
It will be an offence to mislead a business or organisation by impersonating an individual for the purpose of accessing that individual’s personal information or having it used, altered or destroyed; and/or to destroy a document containing personal information knowing that a request has been made in respect of that information (e.g. an access request). The penalty for these offences is a fine of up to $10,000.
What you should do
1. Check how your business stores information – Is it secure? Do you use cloud software? If so, is the host an overseas organisation and are they subject to equivalent safeguards required in the Privacy Act 2020?
2. Ensure your business has a Privacy Officer, who knows the new Act and can help in ensuring you are compliant;
3. Check your policies and processes for collecting, handling and storing personal data:
- Do you still need the personal data you are saving? If not, securely dispose of it;
- Inform any individuals concerned that you are collecting their personal information, and the purpose for collection, who the information will be shared with and their right to access their personal information;
- Use personal information for the stated purpose for which you collected it;