3 things you need to know about the Privacy Bill before it becomes law
The Privacy Bill, which will replace the Privacy Act 1993, commenced its second reading on 18 June. Here are the three things you need to know about it before it comes into force in 2020 (probably).
- Mostly, it’s steady as she goes.
The Government has shied away from major renovations and the Privacy Bill looks largely like the principles-based Privacy Act you’re familiar with. You are unlikely to need to make wholesale changes to your privacy practices.
- You need a privacy breach procedure
The Bill requires notification of affected individuals and the Privacy Commissioner as soon as practicable after a notifiable breach happens. Increased penalties apply for failure to notify.
A privacy breach is any unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information, or an action that prevents the holder from accessing the information.
A notifiable privacy breach is a privacy breach that it is reasonable to believe has caused or is likely to cause serious harm to an affected individual.
In considering the serious harm question, the agency must consider the actions taken to reduce the risk of harm, whether the information disclosed is sensitive, the nature of harm that might flow, the person or body who has received the information, whether the information is protected by a security measure and “any other relevant matters.”
Which means agencies will need to have a process which:
- Functions to raise an internal notification where a breach has occurred.
- Enables an assessment against the serious harm standard.
- Causes notification in the right circumstances.
You’ll need to train relevant staff to interpret the standard in light of the relevant facts.
- Where are you sending that information?
Prudent organisations will consider their information transfer practices and which third parties they’re using to process information before the Bill comes into force.
New in the Bill is a requirement that an agency only disclose personal information to a foreign person or entity (think: Salesforce/MYOB) where the individual concerned authorises the disclosure after being expressly informed that the recipient may not be required to protect the information in an equivalent way.
There will be carve outs to the “expressly informed” requirement, notably for “prescribed countries” approved by (yet to be drafted) regulations, where the recipient is carrying on business in New Zealand (think: Microsoft/Google), or where the discloser reasonably thinks that the recipient is subject to privacy laws that, overall, provide comparable safeguards.
But every business which collects information here and then stores, processes or otherwise transfers it overseas will need to turn their mind to this issue. New Zealand outposts of multinational group companies are likely to be particularly affected.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.