New Zealand’s privacy laws are about to undergo their biggest transformation since the Privacy Act became law in 1993. The new Act offers further protection for individuals and spells out new obligations that must be met by businesses and organizations doing business in New Zealand. The changes, and the new Privacy Act 2020, come into force on 1 December 2020. So the businesses and organizations concerned need to make sure all of their ducks (or secret squirrels) are in a row.
The new Act also introduces a new privacy principle, generally known as IPP12. Under IPP12, unless you have very clear consent from affected individuals, you can only disclose personal information overseas if comparable privacy safeguards are in place. These safeguards could be under contract or via privacy laws similar to the Act.
There are two exceptions available that will assist a lot of businesses. First, IPP12 does not apply to cloud providers who simply store or handle information on your behalf, for example if they don’t use it for their own business purposes. Second, it does not apply if the disclosure is to a foreign business operating in New Zealand, on the basis that this business already has to comply with the law.
Notifications of privacy breaches
A privacy breach occurs when other people’s personal information that you hold is lost, stolen or accessed without permission. Under the new law, if a privacy breach has caused, or is likely to cause, serious harm, you’ll be required to notify the Privacy Commissioner and affected individuals.
The new Act also deals with overseas businesses or organizations, like Facebook or Google, that carry out business in NZ even if they do not have a physical presence in NZ. If they hold information about New Zealand individuals, they will be subject to the privacy obligations imposed by the Privacy Act.
If IPP12 applies to you, or you think it might, the Office of the Privacy Commissioner has released model terms that you can include in your contract with the overseas person receiving the transferred information to ensure there are comparable privacy safeguards in place. This is a fill-in-the-blanks document. It is important that you think carefully about what should be included in the sections you need to complete and that you include as much detail as possible.