Privacy is difficult to define; it can mean different things to different people – a right to control information about yourself, a right to make decisions without intervention, or perhaps a right to not be observed or disturbed by others.
Even though privacy is the foundation for many of the rights in our Bill of Rights Act, there is no general privacy right or law. We do have a statute called the Privacy Act that aims to promote and protect individual privacy, but it only covers information privacy – that is, the rights and obligations that attach to ‘personal information’, such as a person’s name, address, gender, date of birth, employee record, photograph, credit information, etc. It also protects more sensitive information regarding health and genetic information, criminal record, sexual orientation, racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, association memberships and some aspects of biometric information. Created to combat concerns about technological advances and their potential to access private information, it has performed admirably… to a point.
In recent years, nations as near as Australia and as distant as the European Union (EU) have sought to update their information privacy laws to recover some of the ground lost to data-hungry technology behemoths - think large social media platforms and the myriad of other businesses that collect data to better target consumers.
The ‘high water mark’ for privacy law was set by the EU a few years ago with its General Data Protection Regulation (GDPR), an amalgam of all the best bits of privacy laws from EU member states. Other countries followed suit, introducing elements of the GDPR, and New Zealand is no exception.
Our new Privacy Act 2020 came into force on 1 December last year, updating our previous 1993 Privacy Act and moving us closer to the updated privacy laws and practices of countries such as Australia and those in the EU. The new Act contains several significant changes impacting almost every person, business and organisation in New Zealand.
Are you compliant?
- Notifiable privacy breaches
Arguably the most significant change under the new Act is that agencies (essentially any business or organisation dealing with personal information) are required to notify the privacy commissioner and affected individuals as soon as practicable after becoming aware of a notifiable breach. A breach is defined as something which has caused or is likely to cause serious harm to an affected individual.
The Act sets out a non-exhaustive list of factors to consider when deciding if a privacy breach is likely to cause serious harm but stops short of actually defining ‘serious harm’. This leaves agencies to make a judgement call, so it’s likely most will err on the side of caution until the courts or the commissioner provide clearer guidance.
In some limited circumstances, agencies are permitted to delay notifying individuals or the public if the notification itself would risk further breaches, for example if it would make others aware of the method used to access the information. But the agency is still required to notify the commissioner as soon as practicable.
An agency may also decide not to inform an individual of a breach if informing them would be likely to prejudice the individual’s health, or the individual is under 16 years old and the agency believes notification is not in their best interests.
- Compliance notices
For the first time, the commissioner has the power to issue a compliance notice to businesses to require them to do something, or to stop doing something, to comply with the Act. The Act also widens the scope of the commissioner’s powers to publish compliance notices for privacy breaches, so businesses and other organisations now face a greater risk of reputational harm.
- Cross-border disclosures
Many businesses and organisations rely on cloud-based data storage and offshore service providers which handle individuals’ private data on their behalf. The Act introduces a new information privacy principle (IPP) containing a series of controls on the disclosure of personal information to recipients overseas. These new controls are intended to ensure that personal information sent offshore remains subject to privacy safeguards comparable to those that apply in New Zealand. Any agency disclosing information to a foreign recipient must either:
- Be reasonably satisfied that the foreign recipient is subject to laws which provide safeguards comparable to those in the Act, or agrees to be bound by safeguards comparable to those found in the Act (for example, in a contract between the New Zealand agency and overseas recipient); or
- Have expressly informed the individual that the foreign recipient may not be required to protect the information in a way that provides comparable safeguards and obtain the individual’s authorisation to the disclosure on that basis.
There is an important exception: sending information offshore to be stored or processed by an agent (for example, a cloud storage provider) will not be treated as a “disclosure” if the agent does not use the information for its own purposes. However, in this situation, the agency that sent the information offshore will be responsible for ensuring its agent adheres to New Zealand’s privacy safeguards found in the Act.
Businesses and organisations found to be non-compliant with their obligations around collecting, storing, using and disclosing personal information risk committing an offence and a fine of up to $10,000.
Any person (not just an aggrieved individual) may make a complaint, and a complaint can be made on behalf of one or more aggrieved individuals. These provisions open avenues for class actions against the agency that committed the breach.
Preparing for the new Privacy Act
To ensure your business or organisation complies with the new Privacy Act, we recommend a few essential steps:
- Review your third-party contractual arrangements, where any other party stores or processes personal information provided by your organisation
- Implement staff training, so key people in your organisation are well versed in the new approach
- Update your organisation’s privacy policies to ensure alignment with the new law and that your clients understand how you will use their information
- Develop effective procedures to detect, report and investigate a personal data breach - it is important to make sure you have a plan in place so that you can meet your reporting obligations without undue delay if a notifiable breach occurs
- Ensure you have clear internal lines of communication and let your staff know who they can approach within the organisation to discuss privacy issues
Michael Moyes, partner at national law firm Duncan Cotterill, is a leading technology and privacy law expert with extensive experience advising on privacy rights and obligations under New Zealand, Australian and EU privacy laws. If you require further assistance with your privacy rights or obligations, please contact Michael Moyes on 021 997 289.