The Privacy Act 2020 came into force on 1 December 2020. This marks the first significant review of New Zealand's privacy law in 27 years. The Act introduces new reporting obligations and notification requirements for privacy breaches. An organisation must ensure that the full data lifecycle of the personal information it holds is compliant with the new regime.
The main changes include:
1. Mandatory reporting of serious data breaches
A privacy breach by an agency (business) that poses a risk of serious harm to an affected individual must be notified to the Privacy Commissioner and the affected individual.
Guidance from the similar Australian regime indicates that the assessment of whether a privacy breach is serious enough to be notifiable is:
- An objective assessment; and
- Determined from the viewpoint of a reasonable person in the agency’s position (rather than the viewpoint of an individual whose personal information was breached) who is properly informed.
Failing to notify the Commissioner of this sort of privacy breach carries a fine of up to $10,000, unless it was reasonable in the circumstances to consider the breach non-notifiable.
An organisation's breach response policy should also include steps to contain the breach, a framework to help determine whether notification is required, and steps to capture lessons learned so that future breaches can be mitigated.
2. Notification obligations
Businesses are required to report to the Privacy Commissioner and the affected individual(s) as soon as practicable after becoming aware of a notifiable privacy breach.
A notifiable privacy breach means a breach that has caused serious harm to an affected individual or is likely to do so.
Serious harm can include emotional distress, as demonstrated by a recent case heard before the Privacy Commissioner. A man resigned from his job and attended a job interview during his notice period. He specifically told the interview panel that he did not want them to contact his current employer. He subsequently learned that a member of the panel had approached his current manager for a discussion about him shortly after the interview.
The man said he felt extremely worried, upset and anxious. The Commissioner agreed this met the threshold of serious harm, and the prospective employer and the man reached a confidential settlement.
3. Cross-border disclosures
The information privacy principles under the new regime require that personal information sent offshore be subject to comparable privacy safeguards. Any organisation that discloses personal information to a foreign person or entity must either:
- Be reasonably satisfied that the foreign person or entity is subject to laws that provide safeguards comparable to those in the Act, or has agreed to be bound by comparable safeguards (for example, in a contract with the business or organisation); or
- Have expressly informed the individual whose information it concerns that the foreign person or entity may not be required to protect the information in a way that provides comparable safeguards, and have obtained the individual's authorisation to the disclosure on that basis.
Compliance with the new Privacy Act
Compliance could include:
- Implementing or improving a process for how the organisation will collect, store, use, and disclose personal information.
- Ensuring greater controls on sharing personal information overseas.
- Appointing a privacy officer who is responsible for upholding privacy within the organisation.
- Updating agreements so that any overseas contractor, agent, or commercial partner that is engaged or has access to information in the business is required to comply with New Zealand privacy standards (or similar).
- Staff training: key people in your organisation should be well versed in the new approach.
Please contact our privacy experts for advice about compliance, or if you are concerned a breach has occurred.