On the 1st of December this year, the Privacy Act 2020 will replace the Privacy Act 1993, completing an overhaul process that can be traced back as far as 1998.
The purpose of the Act is to strengthen privacy protections, and to promote better risk management and earlier intervention by the organisations and individuals that handle personal and private data (referred to as ‘agencies’ in the legislation). The role of the Privacy Commissioner has also been enhanced.
What will change with the Privacy Act 2020?
There is a suite of changes that will be brought in by the new Privacy Act, which reflect how different today’s world is from the one in which the Privacy Act 1993 was formed. Indeed, the transformation of our world has accelerated of late, with data protection and cybersecurity fast becoming some of the most pressing issues facing NZ businesses.
Key changes include:
- If an agency experiences or is likely to experience a serious privacy breach, it must notify both the Privacy Commissioner and the individuals affected.
- The Privacy Commissioner will be given the power to issue compliance notices that require an agency to take action.
- The power to make binding decisions on access to information complaints will be passed from the Human Rights Review Tribunal to the Privacy Commissioner (although the Commissioner’s decisions can be appealed to the Tribunal).
- Agencies must take steps to ensure that the personal information of NZ citizens is protected by comparable privacy standards when sent overseas. If a New Zealand agency engages an overseas service provider, it must comply with New Zealand privacy laws.
- It will be a criminal offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it.
- The Privacy Commissioner can shorten the timeframe in which an agency must comply with investigations at any time, and fines will apply in cases of non-compliance.
Unlike other privacy laws around the world, Parliament has chosen not to align the new legislation with data subject rights, and has kept the fines for non-compliance relatively low – a maximum of $10,000 applies to most breaches. The Privacy Act 2020 is certainly stricter and farther-reaching than its predecessor, but when compared to the likes of the EU’s GDPR legislation, it isn’t especially venomous.
What do these changes mean for businesses?
If you’re a business that already takes data privacy and security seriously, as all should, the new Privacy Act won’t greatly alter the way you work. You should, however, take the opportunity to:
- Review your system security and ensure that you hold and use private data in a safe and secure way.
- Review your privacy statement and ensure it is compliant.
- Ensure that any overseas service providers meet or exceed the requirements of the new Privacy Act.
- Appoint a Privacy Officer, whether internally or on a contract basis, who is familiar with both the Privacy Act 2020 and your business, and who can ensure compliance and deal with issues.
- Talk to your staff about serious data breaches and create a plan to deal with them.
- 60% of complaints to the Privacy Commissioner are from individuals who are denied access to their own information, so ensure that you can handle requests within the required response period of 20 days.
How OneCall can help
Striving for compliance with new legislation can be a confusing and overwhelming process; one that’s made even more so when technology and international law are involved.
If you’re unsure of anything regarding the Privacy Act 2020 – how its changes affect you, what you need to do to achieve compliance, your responsibilities when a breach occurs, or what a ‘serious’ breach that warrants action might look like – the team at OneCall can help.
Whether you’re looking to strengthen your data privacy and security, or need help in dealing with a breach, we’ve got the experience and expertise to help. We’ll get you compliant, ensuring that you stay on the right side of both your customers and the Privacy Commissioner, and guarding you against the threats that originally prompted the Privacy Act changes.
Contact our friendly team today to find out more.