What you need to know for your business
An update to the Privacy Act 2019 comes into effect on the 1st December 2020. The Privacy Commissioner, John Edwards is encouraging organisations to prepare for tighter rules asap. The most significant change to organisations will be the mandatory data breach disclosure: any organisation that suffers a data breach that could cause serious harm is required to report it to the Privacy Commissioners office or face a fine of up to $10,000.
How do you know if something constitutes “serious harm”? There’s a new online tool called NotifyUs, which guides you through a self-assessment, then if necessary the online process to report a breach.
You should also be aware of Principle 12:
Principle 12 (Disclosing personal information outside New Zealand): Principle 12 of the new Privacy Act says New Zealanders should expect comparable privacy protections to those they enjoy under New Zealand’s Privacy Act when their information is disclosed and used in a foreign jurisdiction (offshore cloud computing services are not counted as a foreign jurisdiction). If you regularly disclose personal information overseas, you need to ensure this is permitted under Principle 12.
A step-by-step guide to Principle 12 can be found here, as well as the Commissioner’s guide to the Act here.
Principle 12 only applies if you are disclosing information from your business to a foreign person or entity.
The recommendation from the Privacy Commissioner is to use the model contract clauses developed by their office which should protect SME’s and ensure they are compliant.
The model contract is available for download online and can be modified to suit, or you can use your own form of contract clauses as long as the key privacy protections are included. In particular, Principle 12.
The key reforms are outlined below:
Mandatory notification of harmful privacy breaches. If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.
Introduction of compliance orders. The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.
Binding access determinations. If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.
Controls on the disclosure of information overseas. Before disclosing New Zealanders’ personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.
New criminal offences. It will be an offence to mislead an organisation or business in a way that affects someone’s personal information or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.
Explicit application to businesses whether they have a legal or physical presence in New Zealand. If an international digital platform is carrying on business in New Zealand, with the New Zealanders’ personal information, there will be no question that they will be obliged to comply with New Zealand law regardless of where they or their servers are based.
The act comes into effect on December 1.