Privacy is difficult to define; it can mean different things to different people – a right to control information about yourself, a right to make decisions without intervention, or perhaps a right to not be observed or disturbed by others.
Even though privacy is the foundation for many of the rights in our Bill of Rights Act, there is no general privacy right or law. We do have a statute called the Privacy Act that aims to promote and protect individual privacy, but it only covers information privacy – that is, the rights and obligations that attach to ‘personal information’, such as a person’s name, address, gender, date of birth, employee record, photograph, credit information, etc. It also protects more sensitive information regarding health and genetic information, criminal record, sexual orientation, racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, association memberships and some aspects of biometric information. Created to combat concerns about technological advances and their potential to access private information, it has performed admirably… to a point.
In recent years, nations as near as Australia and as distant as the European Union (EU) have sought to update their information privacy laws to recover some of the ground lost to data-hungry technology behemoths – think large social media platforms and the myriad of other businesses that collect data to better target consumers.
The ‘high water mark’ for privacy law was set by the EU a few years ago with its General Data Protection Regulation (GDPR), an amalgam of all the best bits of privacy laws from EU member states. Other countries followed suit, introducing elements of the GDPR, and New Zealand is no exception.
Our new Privacy Act 2020 came into force on 1 December last year, updating our previous 1993 Privacy Act and moving us closer to the updated privacy laws and practices of countries such as Australia and those in the EU. The new Act contains several significant changes impacting almost every person, business and organisation in New Zealand.
Are you compliant?
Arguably the most significant change under the new Act is that agencies (essentially any business or organisation dealing with personal information) are required to notify the privacy commissioner and affected individuals as soon as practicable after becoming aware of a notifiable breach. A notifiable breach is one that has caused, or is likely to cause, serious harm to an affected individual.
The Act sets out a non-exhaustive list of factors to consider when deciding if a privacy breach is likely to cause serious harm but stops short of actually defining ‘serious harm’. This leaves agencies to make a judgement call, so it’s likely most will err on the side of caution until the courts or the commissioner provide clearer guidance.
In some limited circumstances, agencies are permitted to delay notifying individuals or the public if the notification itself would risk further breaches, for example by making others aware of the method used to access the information. But the agency is still required to notify the commissioner as soon as practicable.
An agency may also decide not to inform an individual of a breach if informing them would be likely to prejudice the individual’s health, or if the individual is under 16 years old and the agency believes notification is not in their best interests.
For the first time, the commissioner has the power to issue a compliance notice to businesses to require them to do something, or to stop doing something, to comply with the Act. The Act also widens the scope of the commissioner’s powers to publish compliance notices for privacy breaches, so businesses and other organisations now face a greater risk of reputational harm.
Many businesses and organisations rely on cloud-based data storage and offshore service providers which handle individuals’ private data on their behalf. The Act introduces a new information privacy principle (IPP) containing a series of controls on the disclosure of personal information to recipients overseas. These new controls are intended to ensure that personal information sent offshore remains subject to privacy safeguards comparable to those that apply in New Zealand. Any agency disclosing information to a foreign recipient must either:
There is an important exception: sending information offshore to be stored or processed by an agent (for example, a cloud storage provider) will not be treated as a “disclosure” if the agent does not use the information for its own purposes. However, in this situation, the agency that sent the information offshore will be responsible for ensuring their agent adheres to New Zealand’s privacy safeguards found in the Act.
Tougher penalties
Businesses and organisations found to be non-compliant with their obligations around collecting, storing, using and disclosing personal information risk committing an offence and incurring a fine of up to $10,000.
Any person (not just an aggrieved individual) may make a complaint, and a complaint can be made on behalf of one or more aggrieved individuals. These provisions open avenues for class actions against the agency that committed the breach.
Preparing for the new Privacy Act
To ensure your business or organisation complies with the new Privacy Act, we recommend a few essential steps:
Michael Moyes, partner at national law firm Duncan Cotterill, is a leading technology and privacy law expert with extensive experience advising on privacy rights and obligations under New Zealand, Australian and EU privacy laws. If you require further assistance with your privacy rights or obligations, please contact Michael Moyes on 021 997 289 or at Michael.moyes@duncancotterill.com.