After a lengthy parliamentary process, the Privacy Bill received Royal Assent on 30 June 2020 to become the Privacy Act 2020 (the Act). This completes the long-anticipated overhaul of New Zealand’s privacy law. The Act repeals and replaces the Privacy Act 1993 to more closely align the law with our evolving conceptions of privacy in the digital age. The Act comes into force on 1 December 2020.
In addition to new reporting obligations and notification requirements for privacy breaches, the Act contains several significant changes to New Zealand’s privacy law. So, businesses and organisations should now be preparing for these changes.
Many businesses and organisations rely on cloud-based data storage and offshore service providers which handle individuals’ private data on their behalf. The Act introduces a new information privacy principle (IPP) containing a series of controls on the disclosure of personal information to foreign agencies.
The new IPP, IPP#12 (called “Disclosure of personal information outside New Zealand”), reflects similar provisions in the European General Data Protection Regulation (GDPR) and Australia’s Privacy Act. The existing IPP#11 (called “Limits on disclosure of personal information”) is subject to the new controls introduced by IPP#12.
These new controls are intended to ensure that personal information being sent offshore will be subject to privacy safeguards comparable to those that apply in New Zealand. Any agency which discloses information to a foreign person or entity must either:
- be reasonably satisfied that the foreign person or entity is subject to laws which provide safeguards comparable to those in the Act, or agrees to be bound by safeguards comparable to those found in the Act (for example in a contract with the New Zealand agency); or
- have expressly informed the individual that the foreign entity or person may not be required to protect the information in a way that provides comparable safeguards, and must obtain the individual’s authorisation to the disclosure on that basis.
There is an important exception in IPP#12: sending information offshore to be stored or processed by an agent (for example, a cloud storage provider) will not be treated as a “disclosure” if the agent does not use the information for its own purposes. However, in this situation, the agency who sent the information offshore will be responsible for ensuring their agent adheres to New Zealand’s privacy safeguards as found in the Act.
Complaints on behalf of other persons and groups
Any person (not just an aggrieved individual) may make a complaint, and a complaint can be made on behalf of one or more aggrieved individuals. In addition, representatives of a group of aggrieved individuals may commence proceedings in the Human Rights Review Tribunal on their behalf.
These provisions open avenues for groups of individuals who have been affected by privacy breaches to bring class actions against the agency that committed the breach once the Act comes into force.
Notifiable privacy breaches
Under the Act, agencies are required to notify the Privacy Commissioner (the Commissioner) and the affected individual(s) as soon as practicable after becoming aware of a notifiable privacy breach. A notifiable privacy breach means a breach that has caused serious harm to an affected individual or is likely to do so. This notification requirement brings New Zealand’s privacy law in line with similar obligations in other jurisdictions, such as Australia and European countries under the GDPR.
The Act sets out a non-exhaustive list of factors to consider when deciding if a privacy breach is likely to cause serious harm, but stops short of actually defining “serious harm”. Agencies should err on the side of caution as to what entails “serious harm” until the courts inevitably provide clearer guidance once the Act comes into force.
When a notifiable breach occurs, under certain circumstances the agency may also provide an affected individual with details of any person or body in possession of their information. The agency may pass on these details if the agency has reasonable grounds to believe that identification was necessary to prevent or lessen a serious threat to an individual’s life or health.
Employees and members of agencies are not personally liable for delays in notifying an affected person of a notifiable privacy breach. However, their employer or the agency remains liable.
Exceptions to notification requirements
The Act requires agencies that become aware of a privacy breach to notify the Commissioner and any affected individual as soon as is practicable, or to give public notice if they are unable to notify the affected individual(s). However, in limited circumstances, agencies are permitted to delay notifying individuals or the public if the notification itself would risk further breaches – for example, if this would make others aware of the method used to access the information. The agency would still be required to notify the Commissioner as soon as practicable.
An agency may also decide not to inform an individual of a breach if informing them would be likely to prejudice the individual’s health, or the individual is under 16 years of age and the agency believes notification is not in their best interests.
The Act widens the scope of the Commissioner’s powers to publish compliance notices for privacy breaches. The Commissioner will have the power to publish compliance notices for breaches of a code of conduct under any Act, in addition to breaches of the new Privacy Act.
The Commissioner will also be able to delay publication of any compliance notice if they believe it to be in the public interest to do so.
Preparing for the new Privacy Act
Businesses and organisations now have until 1 December 2020 to ensure they are ready for these changes and the new reporting obligations. Among other things, this preparation could include:
- Reviewing your third-party contractual arrangements, where any other party stores or processes personal information provided by your organisation.
- Implementing staff training: key people in your organisation should be well versed in the new approach.
- Updating your organisation’s privacy policies to ensure alignment with the new law, and to ensure that your customers and clients understand how you will use their information.
- Developing effective procedures to detect, report and investigate a personal data breach: it is important to make sure you have a plan in place so that you can meet your reporting obligations without undue delay if a notifiable breach occurs.
- Ensuring you have clear internal lines of communication and let your staff know who they can approach within the organisation to discuss privacy issues.
Get in touch
Duncan Cotterill’s privacy experts are here to help, if you have any queries or need advice or training to ensure continued privacy compliance under the new regime. Please feel free to get in touch with our data protection and privacy team if you require further assistance.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.