Privacy Act grows teeth and comes of age

New Zealand Security Magazine - August 2020

New Privacy Act
New Zealand's new Privacy Act will come into effect in December 2020.

NZSM journalist Joanna Mathers unpacks the new Privacy Act, a much-needed update that brings New Zealand’s privacy legislation into the digital age – and businesses will need to get on board.

Data is currency in our digital age. The fortunes of giants like Facebook, Google et al are founded on the analysis of personal data, and you’d be hard-pressed to find any business (large or small) that doesn’t collect and store data digitally. 

The sharing of personal information online brings with it a raft of privacy issues. Shared information can end up being used for purposes other than the users intended; data breaches can result in theft of information and dissemination to cyber criminals with malicious intent. 

It’s these sorts of issues that New Zealand’s new Privacy Act 2020 seeks to address. Coming into force on December 1, 2020, the impetus for new change is based on the increasingly digital and global nature of our economy. 

Privacy Commissioner John Edwards says that there have been many calls to modernise the Privacy Act.

“Since it was passed in 1993, there have been multiple reviews of the act, each suggesting different tweaks and adjustments. This culminated in a Law Commission report in 2011, which recommended a raft of amendments to modernise the law.”

Under the existing Privacy Act, the onus of responsibility is on the individual. If there was a breach, the person affected would have to contact the Privacy Commission, who would determine then determine the course of action. 

The new act will shift the responsibility from the individual to the businesses that hold their data. Every business that collects and stores customer information will be subject to the new act, and those not adhering may be breaching newly established privacy laws. 

From 01 December, all entities that experience a privacy breach likely to cause “serious harm” to those whose data has been accessed must report the breach to the Office of the Privacy Commissioner. 

If a ‘serious’ breach is not reported, this will be considered a criminal offence.

Establishing whether a breach is serious (or otherwise) may prove initially problematic, and Edwards acknowledges that there may be initial over-reporting of breaches. However, the Office of the Privacy Commission will be providing online tools that will help businesses to establish what constitutes a “serious” breach ahead of the changes in December.

Edwards explains that the change of reporting requirements has been necessitated by “significant failures” of organisations around the reporting of privacy breaches. 

He points to the high-profile Yahoo case, in which the internet company lost a billion private user accounts in 2013 and 2014, which weren’t reported until 2017. The breaches led to large class action lawsuits against the firm, and the reputational damage has been insurmountable.   

Another key change found in the Privacy Act 2020 will be the Privacy Commissioner’s ability to issue compliance notices to businesses, asking them to refrain from using private information, or to take other action to ensure they are complying with the act. 

The existing act is a complaints-based process, with little in the way of proactive enforcement. When the new act comes into force, there will be a change to the regularity model, that allow the Office of the Privacy Commissioner to issue compliance notices to agencies or businesses who are seen to be breaching the act. 

The notice will surmise details of the breach and include details on how the organisation can remedy this. If upon follow up it’s found that the organisation hasn’t taken the appropriate action, the Privacy Commissioner will be able to seek enforcement of the notice through the Human Rights Review Tribunal. 

“It’s really quite significant, that we now have access to a judicial body to enforce compliance with the privacy act,” says Edwards. 

Data in the digital age is free flowing, with international borders no boundary to dissemination. As such, personal details can be shared internationally without the consent (or even knowledge) of the provider. 

Given the fluid nature of information sharing, the Privacy Act 2020 will see certain restrictions put in place around how the data collected from New Zealand citizens is used, which will relate to both New Zealand and international companies. 

Privacy Principle 12 will put in place rules that mean organisations need to be confident the country they are sharing data with has similar privacy safeguards in place. If the company isn’t sure that these safeguards exist in a particular jurisdiction, they will need to let customers know and gain their consent to share the data. 

This may sound complex, but the Office of the Privacy Commissioner will be streamlining the process, helping industry to correctly word clauses in contracts, and providing advice around which countries are “safe”. 

The intention here is to protect personal data as it moves around the globe, essentially providing a shield of protection that prevents data being misused, wherever it travels. 

Edwards wants to reassure businesses that this will not detract from businesses’ ability to use services such as cloud-based servers. 

“If you want to store your data in a centre outside New Zealand, that won’t be considered a ‘disclosure’ [of personal information]. So as long as the server doesn’t have a purpose of their own for using the information, you won’t be obliged to go through those steps of satisfying yourself about the legal system of the country,” says Edwards. 

In addition to these changes, the Privacy Act 2020 will also introduce criminal offences designed to give the law teeth. There will be new penalties for impersonating an individual to access information; if businesses destroy information that they have been asked for access to, there will be a significant fine. 

There are still four months for organisations to come to terms with the new provisions of the Privacy Act, 2020. There is advice available at the Office of the Privacy Commissioner, including an e-learning module, found at https://elearning.privacy.org.nz/

For more information on the changes that will come into force in December, see the website, www.privacy.org.nz   

Comment below to have your say on this article.

If you have a news story or would like to pitch an article, get in touch at editor@defsec.net.nz

Sign up to DEFSEC e-Newsletters.