Changes to the Privacy Act

By John Edwards, Privacy Commissioner


Anti-money laundering businesses have an intuitive grasp of how to manage customer data. Each of you deals with people’s personal information daily and understands the importance of handling it with care. The commencement date for the new Privacy Act is 1 December 2020. While changes to our privacy law may at first seem remote from the perspective of running a small to medium-sized consultancy, taking note of some of the features of the coming Privacy Act is important because it is relevant to every organisation in New Zealand.

Mandatory privacy breach notification

Until now, there’s been no obligation to report a serious privacy breach to the Office of the Privacy Commissioner (OPC). That is about to change. If your business has a privacy breach that you believe has caused (or is likely to cause) serious harm, you will need to notify the Privacy Commissioner and affected individuals as soon as possible. It will be an offence to fail to inform the Commissioner.

It is important to note that not all privacy breaches will need to be reported. The threshold for a notifiable breach is whether it has caused or is likely to cause ‘serious harm’. This can be assessed by considering, for example, the sensitivity of the information lost, actions taken to reduce the risk of harm, the nature of the harm that could arise, and other factors. OPC will be launching an online privacy breach notification tool and updated guidance ahead of the new Act to help your business with this new requirement.

Compliance notices

The Privacy Commissioner will be able to issue compliance notices to businesses to require them to do something, or stop doing something, in order to comply with the Privacy Act. Compliance notices will describe the steps that the Commissioner considers are required to remedy a situation and will specify a date by which the organisation must make the necessary changes.

Enforceable access directions

Information privacy principle 6 of the Privacy Act gives individuals the right to ask for information that is about them. Under the new law, the Commissioner will be able to direct organisations to provide individuals access to their information. This will allow faster resolution of complaints to the Commissioner relating to requests for personal information. These access directions will be enforceable in the Human Rights Review Tribunal.

Be prepared

As we move towards the new Privacy Act, there are good practice requirements that your business should already have in place. Did you know that it is a legal requirement for every organisation in New Zealand to have a Privacy Officer? Now is a good time to check who your privacy officer is and to make sure they understand their responsibilities. You can use the OPC’s free e-learning modules. They are designed to help all employees understand good privacy practice. Other tips include reviewing and updating your business’ privacy policy and making sure you have a privacy breach plan in case there’s a privacy breach. Find out more by looking up OPC’s privacy breach resources. As well as the e-learning modules and privacy breach guidance, OPC has plenty of other resources on its website.

If you have a situation for which you may need advice, the Privacy Commissioner encourages you to make an enquiry, either by emailing or by calling 0800 803 909.
