New Zealand’s new Privacy Act came into effect on 1 December 2020. In this article, I outline:
- who the Act applies to and why it’s important
- some of the key obligations under the new Act
- a few practical tips for managing compliance under the new Act
Who the Privacy Act applies to and why it’s important
The Act applies to personal information, which is any information about an identifiable individual. This is a broad definition and accordingly the Act will apply (to varying degrees) to all businesses across all sectors.
Businesses will also deal with personal information in different contexts or situations – for example, information collected from their customers or from their employees.
From a business perspective, the Act is important on a number of levels:
- As with any law, a failure to comply can have consequences. While the potential fines under the new Act are not significant – fines of up to $10,000 are available only in certain circumstances – it is important to remember that responding to complaints or investigations will in itself represent a cost to a business. The new Act has also introduced the ability for groups of affected individuals to bring a class action for an interference with privacy before the Human Rights Tribunal. The maximum amount of damages the Tribunal can award is $350,000.
- These days information is more and more becoming a valuable asset and source of competitive advantage. If a business is not able to lawfully utilise and leverage its information, the value of the asset diminishes.
- Breaches of the Act (particularly highly publicised breaches) can tarnish a business’s brand or reputation.
Key obligations under the Privacy Act
A number of the core obligations under the Privacy Act are substantially the same as those which applied under the previous law, the Privacy Act 1993.
The new Act still centres around a set of 13 information privacy principles which businesses need to comply with. Some key information privacy principles to be aware of are:
Collection of personal information
When personal information is being collected, there is an obligation to take steps to ensure the individual is aware of certain things, such as the purposes for which the information will be used and who it will be shared with.
There is an obligation to ensure reasonable security safeguards are in place to protect personal information against loss and against unauthorised access, use, modification or disclosure. This applies to information stored electronically and to information in a physical form.
The new Act has also brought in a new obligation to notify the Privacy Commissioner and affected individuals, as soon as practicable, if there is a privacy breach that has caused, or is likely to cause, serious harm to the individuals concerned.
Use and disclosure of personal information
There are limitations on how information may be used and disclosed, including a new limitation on disclosing information overseas.
Generally use and disclosure of personal information is permitted where:
- it is in connection with the purpose for which the information was first obtained; or
- the individual consents to the use or disclosure.
However, for a disclosure of information overseas, the new Act sets a higher threshold for “consent” – the individual must expressly authorise the disclosure after being expressly informed that the information may not be protected overseas in a way that provides safeguards comparable to the Privacy Act.
If obtaining such an express and informed consent is not practicable in the circumstances, there may be other permitted grounds on which the information can be offshored. These include where:
- the overseas country has privacy laws that provide comparable safeguards to the New Zealand Privacy Act; or
- the business has entered into a contract with the overseas recipient of the information that requires the recipient to protect the information in a manner that provides comparable safeguards to the New Zealand Privacy Act.
There is also an important exception for businesses who use cloud service providers to host their information. Under the Act, the provision of information to an agent for the purposes of safe custody or processing is not treated as a “disclosure” of the information (and therefore the restriction on transferring the information overseas would not apply). Instead, a principal and agent relationship will apply, meaning that the provider of the information could be held liable for any misuse of the information by the agent.
Practical tips for managing compliance
Understand the circumstances in which your business collects personal information
Keep on top of IT security
Have experts conduct regular reviews or audits of your systems. Educate your staff on cyber security – e.g. have cyber security awareness weeks, send out phishing emails to test your staff’s awareness. It is often said that when it comes to security people are the weakest link.
Privacy by design
Where possible, embed privacy protection into your systems and business processes. For example, adopt company-wide policies of cleansing data sets (by removing individuals’ names) before putting them into use. This protects the individuals’ privacy and can provide greater scope to use and disclose the data. There are also exceptions under the Act which allow information to be used and disclosed where it is in a form in which the individuals concerned are not identified. Be aware, however, that removing names alone does not always achieve this: a combination of other fields (such as date of birth, address or job title) can still identify a person, so consider which fields remain in the data set before relying on these exceptions.
Contract terms for cross-border transactions
For cross-border business transactions there will almost inevitably be some flow of personal information overseas. To address the new information offshoring requirements under the Act, ensure that your contract terms include appropriate clauses which require the overseas party to protect any personal information you provide in a manner consistent with the Privacy Act.
Matt Smith, Senior Commercial Lawyer at Anthony Harper