New Zealand’s revised Privacy Act has now passed through Parliament and will come into effect on 1 December 2020.

This will see the introduction of a new legal framework and regime for the protection of information, including the introduction of a mandatory data breach notification scheme.

Key changes to be aware of:

  • Liability: The amendments make clear that liability for privacy breach notifications sits with businesses, not individual employees.
  • Requirement to report privacy breaches: Businesses that suffer a data breach which has caused, or has the potential to cause, serious harm will be required to notify the Privacy Commissioner and affected parties and may be subject to criminal penalties for failing to notify the Commissioner without reasonable excuse.
  • Class Action: The Act permits class actions in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings. Up to $350,000 can be awarded to each member of a class action.
  • Compliance notices: The Privacy Commissioner will be able to issue compliance notices to businesses or to require them to do something, or stop doing something, to comply with the Privacy Act.
  • Disclosing information overseas: A business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act.
  • New criminal offences: It will be an offence to mislead an agency to access someone’s personal information; for example, impersonating someone to access information. It will also be an offence for a business to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.

What to consider in relation to these changes?

  • Privacy breach handling process: Having a process in place will enable the timely management of a privacy breach, including steps to contain the breach and a framework to assist in determining whether the breach must be notified to the Privacy Commissioner.
  • Updating your privacy policy: If you have a full privacy policy, it will be important to conduct a review and include clauses relating to the change. If your business collects minimal amounts of personal information, including privacy provisions on your website may be sufficient. AdviSME Legal have a templated example that may be of use!  
  • Cyber security precautions: To minimise the risk of a privacy breach, it is critical to have robust cyber security measures in place to defend against modern threat actors.

If you are concerned about your current security posture, IT Partners and our team of experts are here to help. If you would like to learn more about our layered approach to security, email or phone 07 957 2650.

The Privacy Act changes bring New Zealand in line with international best practice. It is important that businesses respond proactively in preparation for these changes to avoid reputational loss, criminal liability, and class action. Reviewing your cyber security measures is a great place to start and something we are here to help with!