The countdown is on. Are you ready?
On 1 December 2020 the Privacy Act 2020 (the Act) comes into force. Businesses and organisations that fail to meet their obligations around collecting, storing, using and disclosing personal information face real consequences under the new Act: certain failures, such as failing without reasonable excuse to notify the Privacy Commissioner of a notifiable privacy breach, are offences carrying a fine of up to $10,000.
Along with the potential sanctions, the practical effect of the changes in the Act means businesses and organisations need to be engaged with their data practices. Are you compliant?
In our previous article we discussed the requirements around cross-border disclosures and what constitutes a notifiable privacy breach.
Here we will look at the lessons learned from overseas and identify what changes you need to make now.
Lessons from overseas
Last month the Information Commissioner’s Office (ICO) fined British Airways £20m for failing to process personal data in a manner that ensured appropriate security of that data, after attackers gained access to customers’ personal and financial data in 2018. It is the ICO’s largest fine to date, though well short of the £183.39m the ICO had in mind when it announced its intention to fine British Airways in 2019. The ICO’s decision provides practical insights and may be an indication of how our own Commissioner will assess whether the technical and organisational security measures an agency has in place are reasonable in the circumstances:
- Use what you have: the ICO noted that British Airways had available security measures within its operating system that could have been utilised without great additional cost and that the vulnerability was a well-documented known risk (with freely available mitigation strategies also well-documented online).
- Understand your processes: The ICO decision gave little weight to the sophistication of the attack, focusing instead on British Airways’ failure to implement appropriate technical and organisational security measures, which is what allowed the attackers to reach the data. Compliance, legal, technical and operational teams need a coordinated and robust approach to handling personal information. Data security should be embedded into processes, and technical and organisational measures should be reviewed continuously so that they remain appropriate as your business or organisation’s needs change. The ICO noted that there were multiple points at which British Airways could have mitigated or avoided the breach but failed to do so.
- Respond fast and cooperate: If a breach does occur, regulators (and your customers) will look at how you respond. The ICO acknowledged and took into account that British Airways acted promptly to address the vulnerability once it became aware of the breach, promptly notified the ICO and affected individuals, and cooperated fully with the ICO’s investigation. Understanding your obligations ahead of time and having the right staff ready to respond is not just good governance; it may also help your business or organisation reduce its potential liability.
Changes you can make now
While we are yet to see the eye-watering fines that businesses and organisations may be exposed to under the GDPR, the New Zealand position reflects a global trend from regulators that recognises individuals care about their data - and how it is collected, kept and used. Businesses and organisations who want to use personal information are expected to be able to show that they can do so responsibly. Regulators want to see that businesses and organisations are engaged and proactive, and that they have robust, adequate, and current technical and organisational security measures in place.
Our own Commissioner has recently released an online tool to help businesses and organisations decide whether a breach is a notifiable breach under the Act and a model agreement to help businesses and organisations assure themselves that personal information they send offshore (other than merely to an agent for storage or processing, e.g. to a cloud storage provider) is subject to “comparable safeguards” as those provided under the Act.
The practical, user friendly guidance notes and worked examples the Commissioner has provided along with the model agreement will help businesses and organisations tease out what questions they should have front of mind when considering offshore disclosures of personal information under IPP 12 of the Act. We encourage all businesses and organisations to familiarise themselves with the model agreement and guidance.
The model agreement is undoubtedly a valuable tool, but neither a sure bet nor the only way businesses and organisations may evidence compliance with IPP 12 of the Act. The scope of consents sought from individuals concerned will always remain a vital compliance tool. Additionally, the model agreement is just one of the ways a business or organisation may form the view that the offshore recipient of personal information is required to protect the information in a way that provides comparable safeguards to those under the Act.
Get in touch
Duncan Cotterill’s privacy experts are here to help if you have any queries or need advice on best practice for managing your customers’ personal information. Please feel free to get in touch with our data protection and privacy team if you require further assistance.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.