Traditionally, laws have been relatively slow to keep up with modern advances in technology and data information privacy. Data privacy is a topical issue and discussions about it are likely to continue into the foreseeable future, for the better. The upcoming Privacy Act 2020 (the Act), which comes into force on 1 December 2020, is a timely update to the Privacy Act 1993.
Although the laws will largely remain the same, there are some key changes that practitioners and organisations should note.
Reporting
Currently, the Office of the Privacy Commissioner encourages agencies to advise them of privacy breaches.
Under the upcoming update, there will be mandatory reporting requirements. A privacy breach that results in, or could result in, serious harm to the affected individual will need to be reported both to the Office of the Privacy Commissioner and that individual.[1]
Broadly, a privacy breach is:[2]
(i) unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
(ii) an action that prevents the agency from accessing the information on either a temporary or permanent basis.
Enforcement
The upcoming update is set to have a stronger enforcement regime.
Failure to notify the Office of the Privacy Commissioner, without reasonable excuse, will be an offence attracting a liability on conviction to a fine not exceeding $10,000.[3]
As to defences, it will not be a defence for an agency to say that it or they have taken steps to address the privacy breach or breaches.[4] It, however, can be a defence for the agency to say that it or they did not consider the privacy breach to be a notifiable privacy breach.[5] The agency would only be able to say this if not considering the privacy breach to be a notifiable privacy breach would have been reasonable to do so in the circumstances.[6]
The Privacy Commissioner will also have powers to issue compliance notices to organisations.[7] These notices will require organisations to do something, or stop doing something, to comply with the Act.
Territorial scope
The new rules will be applicable to New Zealand and overseas organisations in the context of the collection of information while conducting business in New Zealand. The rules apply to events prior to the personal information of New Zealander’s being disclosed to an overseas entity or entities.[8] The rule will be that the New Zealand organisation must ensure that the overseas entity or entities have a similar level of privacy protection compared to the New Zealand organisation.[9]
Concluding Remarks
For agencies and those affected by the Act, it would be highly beneficial to update policies and reporting processes before the new rules come into effect.
Copyright Steve Keall, all rights reserved, 2020
[1] Privacy Act 2020, sections 114 and 115.
[2] Section 112.
[3] Section 118(1).
[4] Section 118(2).
[5] Section 118(3).
[6] Section 118(3).
[7] Section 123 and 124.
[8] Section 22, Information privacy principle 12.
[9] Section 22, Information privacy principle 12.