New Zealand’s highly anticipated Privacy Act will commence on 1 December 2020, replacing the Privacy Act 1993.
The new Act aims to modernise New Zealand’s privacy law framework, in accordance with international laws such as the European General Data Protection Regulation 2018. While much of the content of the current Act will remain, there are some significant changes that you and your organisation should be aware of.
A key change is the mandatory requirement to notify the New Zealand Privacy Commissioner and the individual affected where a privacy breach poses a risk of serious harm to that individual. A privacy breach is:
- Any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information; or
- An action that prevents the agency from accessing the information on either a temporary or permanent basis.
When assessing whether a privacy breach is likely to cause serious harm, and therefore must be notified, the organisation must consider the following, inter alia:
- Any action taken to reduce the risk of harm following the breach;
- Whether the personal information is sensitive in nature;
- The nature of the harm that may be caused to affected individuals;
- The person or body that has obtained or may obtain personal information as a result of the breach (if known); and
- Whether the personal information is protected by a security measure.
Failure to notify without reasonable excuse is an offence and could result in a fine of up to $10,000. Importantly, it is not a defence that steps have been taken to address the privacy breach, or that the organisation did not consider the privacy breach to be a notifiable privacy breach.
Other notable changes under the Act include:
- The scope of the Act. The Act will apply to both New Zealand and overseas organisations. However, this is only in respect of information collected in the course of carrying on business in New Zealand.
- Restrictions on disclosure overseas. Before disclosing New Zealanders’ personal information overseas, New Zealand organisations will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.
- Introduction of new criminal offences. It will be an offence to mislead an organisation in a way that affects someone’s personal information or to destroy personal information if a request has been made for it (the maximum fine for these offences is $10,000).
- Compliance orders. The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.