Many firms and organisations may unwittingly be breaching the new provisions of the Privacy Act which take effect today, a business compliance expert says.

Stephen Conti, operations director at New Zealand Business Tools, said all NZ organisations holding personal information are affected by the changes, not just traditional businesses.

“I fear that most smaller businesses, or even bigger organisations, don’t have a privacy policy or a privacy officer, which the new legislation now makes compulsory,” Conti said. 

“Whether we are talking about shared emails from a sports club or a loyalty scheme at your local café. The moment your organisation holds personal information, you run the risk of massive fines if you treat that information incorrectly.”

The Privacy Act 2020 comes into force today, replacing the 1993 legislation. It contains thirteen information privacy principles decreeing how organisations must treat customer data.

It does not drastically change what information Kiwi organisations can collect and store from individuals, but instead gives the Office of the Privacy Commissioner power to demand those organisations disclose instances of privacy breaches where customer data is compromised.

As well as prosecute non-disclosure of breaches, the Office can help people demand to see what personal data companies hold on them.

“I will be able to require companies to disclose information where previously the burden was on individuals to enforce that right through the Human Rights Review Tribunal,” Privacy Commissioner John Edwards told BusinessDesk.

Debate

There is still debate as to whether the new legislation adequately addresses data privacy issues, or a missed opportunity to modernise NZ’s legal attitude to cybersecurity by matching  Europe’s General Data Protection Regulation more stringent policy.

Gehan Gunasekara, associate professor in commercial law at the University of Auckland and chair of the Privacy Foundation NZ, said the body “lobbied very strongly for our laws to be more aligned with GDPR than it currently is, but even GDPR is now arguably out of date.”

The changes effective today are the first major revision to the Privacy Act in almost three decades, but IBM’s chief technology officer for Australia and NZ Chris Hockings said this doesn’t imply NZ is too far behind other countries’ practices.

“We probably shouldn’t read too much into the 27 years,” he said, and suggested the government is likely to change and adapt the legislation in the near future.

“Governments have recognised their role is to protect citizens and one of these areas is privacy, where customers’ expectations are higher than what the motivations are for organisations to do something about it.”

Hacking 

The main change is in Kiwi organisations’ obligation to disclose privacy breaches where customer data is stolen through hacking.

“If there are organisations that aren’t aware of their obligations, they may succumb to the understandable desire to keep a lid on any mistakes they have made. They’re going to have to overcome that,” said Edwards.

Despite his office running its largest-ever public awareness campaign around the new law, he said it is likely many NZ businesses remain unaware of the changes.

Non-compliance can result in a fine of up to $10,000, and it is up to every organisation to ensure they are abiding by the rules.

“We’re going to try and help and raise awareness by education and try and help people do the right thing, but if I see deceptive practices and acts of concealment we may move straight to those prosecutions.”

Gunasekara said the Privacy Commissioner’s new powers “go wide enough to demand policies to be improved.” But said action would come down to the prioritisation of resources, suggesting organisations are more likely to be penalised for non-compliance than they are encouraged to comply.

Edwards was keen to remind Kiwi organisations that getting an individual’s consent to collect their data does not equate to collecting extensive personal information from them. 

“Regardless of the individual’s consent or purported consent, the business still has to have a legitimate reason for collecting a given item of information.”

The greater good

IBM’s Hockings said the changes are positive for businesses who may have previously had no idea what to do if they lost customer data to a hacker.

“If an organisation doesn’t really know what to do in the case of a breach then at least with some compliance regulation they have a process that is repeatable, and they can be sure they’re doing what’s expected.”

He hopes once the law is enforced and known, NZ organisations will have a better appreciation and understanding of their internal cybersecurity practices. At scale, he thinks this could positively affect national attitudes.

The legislation is also part of the government’s wider attempt to get a handle on national cybersecurity.

“One of the consequences of a law like this is that the government starts to understand what the impact of threats are on its organisations and citizens.”

It is the government, not the Privacy Commissioner, who will determine how the law evolves from there.

“I have to deliver on what  Parliament believes is the appropriate level of regulation for New Zealand,” said Edwards.

“It’s a constantly evolving area so we just need to be responsive to that, and hopefully ministers and parliamentarians will realise the importance of remaining vigilant as the regulatory tide rises all around the world.”

Hockings believes the changes are progress, but insists they must be part of a first step, not a conclusion.

“There will be more expectations around what information is being collected and for what purpose, and then to make that level of audit available to end-users on a self-service basis. 

“Notification is one thing, but a detailed actionable set of policies around what information is collected and used for is the next level in data privacy.”