By John Edwards, Privacy Commissioner
Anti-money laundering businesses have an intuitive grasp of how to manage customer data. Each of you deals with people’s personal information daily and understands the importance of handling it with care. The commencement date for the new Privacy Act is 1 December 2020. While changes to our privacy law may at first seem remote from the perspective of running a small to medium-sized consultancy, taking note of some of the features of the coming Privacy Act is important because it is relevant to every organisation in New Zealand.
Mandatory privacy breach notification
Until now, there’s been no obligation to report a serious privacy breach to the Office of the Privacy Commissioner (OPC). That is about to change. If your business has a privacy breach that you believe has caused (or is likely to cause) serious harm, you will need to notify the Privacy Commissioner and affected individuals as soon as possible. It will be an offence to fail to inform the Commissioner.
It is important to note that not all privacy breaches will need to be reported. The threshold for a notifiable breach is whether it has caused or is likely to cause ‘serious harm’. This can be assessed by considering, for example, the sensitivity of the information lost, actions taken to reduce the risk of harm, the nature of the harm that could arise, and other factors. OPC will be launching an online privacy breach notification tool and updated guidance ahead of the new Act to help your business with this new requirement.
The Privacy Commissioner will be able to issue compliance notices to businesses to require them to do something, or stop doing something, in order to comply with the Privacy Act. Compliance notices will describe the steps that the Commissioner considers are required to remedy a situation and will specify a date by which the organisation must make the necessary changes.
Enforceable access directions
Information privacy principle 6 of the Privacy Act gives individuals the right to ask for information that is about them. Under the new law, the Commissioner will be able to direct organisations to provide individuals access to their information. This will allow faster resolution of complaints to the Commissioner relating to requests for personal information. These access directions will be enforceable in the Human Rights Review Tribunal.
If you have a situation for which you may need advice, the Privacy Commissioner encourages you to make an enquiry, either by emailing email@example.com or by calling 0800 803 909.