The Privacy Act 2020
New Zealand’s revised legislation
In December 2020, NZ’s new Privacy Act will come into force, introducing mandatory data breach reporting, extraterritoriality, restrictions on offshore personal information, and increased compliance and broader enforcement powers for NZ’s Privacy Commissioner, Mr John Edwards.
When: The Privacy Bill is making its way through Parliament and will become law in December 2020 the Privacy Act 2020.
What: Privacy changes include the following:
- Businesses will need to report serious privacy breaches. For example, if you experience a data breach that poses a risk of harm (e.g. leaked personal information is used in identity theft or published online), you must notify the people affected. You must also notify the Office of the Privacy Commissioner either by email, phone or using their online enquiry form.
- If someone requests personal information held by a business, the business cannot destroy the information in order to avoid providing it.
- New Zealand businesses using service providers based overseas, like cloud software, will need to make sure their providers are meeting New Zealand privacy laws.
Who: All businesses that collect, store and use personal information about their employees and/or customers.
Why: The Government is updating New Zealand’s Privacy Act 1993 to make sure personal information is kept safe and secure in line with new technology and ways of doing business.
What agencies will need to do to prepare:
- Talk to your staff about what to do in the event of a serious data breach. Work through various scenarios together so everyone is aware of the steps they should take.
- 60 per cent of complaints to the Office of the PC are from people denied access to their information. If a customer or employee requests their information, you are required to respond to that request within 20 working days. Make sure you have a process in place to handle customer requests for information held about them if, and when, they are made.
- Make sure you hold and use personal information in a safe and secure way and dispose of it securely when you have finished with it.
- If you use an overseas-based service provider, like cloud software, ask the provider how they’re meeting New Zealand privacy laws.
- Appoint a privacy officer. Every business should have a privacy officer, according to the Privacy Act. This is someone who has a general understanding of the Act and can deal with privacy issues when they arise.
- Review your privacy statement and make sure it’s up to date. If you don’t have one, the Office of the PC has a free tool to help you create a privacy statement that tells people how you will be collecting, using and disclosing their information.