This week we had the pleasure of attending an Institute of Directors event where Privacy Commissioner, John Edwards, spoke about key changes to the Privacy Act which come into effect on the 1st of December. Below we have summarised the key points John discussed that we feel you should be aware of.

John began by summarising the application of the Privacy Act, noting that it applies to all agencies: ‘Any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector’. In other words, from the play centre down the road and your local community group through to New Zealand’s largest enterprises… this Act applies!

He noted that the Act primarily protects ‘Personal Information’, which is defined as ‘any information about an identifiable individual’. With this in mind, John emphasised that “There are an infinite variety of situations this law has to cope with…”

In preparation for the upcoming changes, John then explained that the Act is principle-based. Because they have remained relevant over time, these underlying principles are largely unchanged from when the Act was first passed in 1993.

The Principles of the Privacy Act:

John’s Summary of the key changes to the Act:

  • Mandatory privacy breach notification for breaches that cause ‘serious harm’
    • When asked to define the threshold for serious harm, John admitted that there was certainly a “level of subjectivity”, but factors such as “the sensitivity of the breached information, if actions were taken to secure the data following the breach, how successful the mitigation actions were, and the likelihood of it causing serious harm” will all be taken into account.
    • He noted that they are in the process of developing a tool, ‘Notify Us’, that will help businesses determine if serious harm has been caused in the event of a breach.
  • Compliance notices
    • Notices can be issued to businesses to require them to do something or stop doing something.
  • New criminal offences
    • It will be an offence to mislead an agency in order to access someone’s personal information.
    • It will be an offence to destroy personal information, knowing that a request has been made to access it.
  • Binding decisions on access requests
  • Extraterritoriality and strengthening cross-border protections
  • New refusal grounds

Cyber Security is Critical:

John reiterated on multiple occasions that these changes are being made primarily to protect data that is collected, held, and used or disclosed in the digital environment, one that looks vastly different to that of 1993.

Examples of breaches include:

  • Hacking
  • Website error
  • Email error
  • Employee browsing
  • Loss/theft of digital device
  • Loss/theft of physical document
  • Physical mail error

Given that most privacy breaches seen today involve technology, John strongly emphasised that “When you’re trying to save money, don’t skimp or save on cybersecurity.”

Other useful information:

  • The Privacy Commission has developed a range of online privacy courses which you can access here
  • They also release useful information on their blog which you can access here

It is important that businesses respond proactively in preparation for these changes to avoid reputational loss, criminal liability, and class actions.

Reviewing and continuously improving your cybersecurity measures will be key. The team at IT Partners is here to help with this; get in touch via email or call 07 957 2650.