New Privacy Act Passed
Topics covered in this article: Business Owners, Employment, Farming & Horticulture, Other
Earlier this year Parliament unanimously passed a new Privacy Act. It has been on the books for many years, but comes into force on 1 December 2020. There will be several new changes which businesses will need to be aware of and prepared for.
We have all read of inadvertent emailing out of clients’ private details – bank accounts, medical details, financial information. Overseas, very large fines have been imposed on entities such as Facebook, British Airways and hotel chains for such mistaken breaches of personal information. Changes in the new Act are designed to raise consciousness of these hazards and encourage transparency when dealing with personal information.
Obligation to notify breaches
There will be a new obligation to notify the Privacy Commissioner and the affected individuals if there are any privacy breaches from your organisation which may cause serious harm. A breach which may cause “serious harm” will be assessed by considering the sensitivity of the information, who received the information, the nature of the harm which might be caused, steps taken to reduce the risk of harm, and if there was any security measure protecting the information (e.g. a password or encryption).
A notice to the affected people must tell them the details of the breach (but not who received the information), what you are doing about it, what (if anything) they might be able to do, and that they have a right to complain about you. If there could be a serious threat to the life or health of the person affected arising from the breach, you may then have to tell them who got the information. Examples will include disclosures where there is a risk of personal violence from the recipient of the information or their associates.
If you cannot identify the individuals affected, or there are too many to notify individually, you may have to give a public notice – but it must not identify individuals affected.
The obligation to keep information secure and notify of any breaches will be on the enterprise which holds the information, not individual employees. So your business or organisation will need systems in place in to make sure people tell you of any mistakes – not being told is not an excuse. If you do not notify a breach when you should have, the fine may be up to $10,000.
A new online notification tool and guidance is now available on the Privacy Commission’s website. Overseas experience suggests there will be a large increase in breach notifications when this is in force and the tool is designed to help organisations determine whether they should be notifying the Privacy Commission or not. And we can expect some high profile prosecutions early in the regime to show that the Commissioner means business.
The Privacy Commissioner is also given new enforcement powers by way of “compliance notices”. The Notice will require a business or organisation to do something, or to stop doing something, to comply with the Privacy Act. The notice will set out the steps the Commissioner requires to be taken and a date for compliance. Failure to comply will again carry a fine of up to $10,000.
Requests for personal information
Under the current Act, a person is able to request from an organisation access to all personal information it holds about them and to require corrections. Under the new Act this will remain but it will become an offence to destroy that information when a request has been made, to avoid having to provide it. The penalty is again $10,000. And if the information isn’t supplied, the Privacy Commissioner can direct compliance, enforceable through the Human Rights Review Tribunal. There are exemptions where there are issues of privacy of other people, security, law enforcement, fair trial rights and the like.
There is a new “Privacy Principle 12” which provides that if an overseas person or agency requests personal information you hold about someone, it can only be disclosed if that overseas agency is subject to NZ’s Privacy Act or to similar safeguards. To assist with this, the Privacy Commission is working on “model clauses” organisations can use in contracts with overseas providers. These are expected to be available by 1 December.
Otherwise, you can only supply that personal information if the person involved is fully informed that their information may not be adequately protected and they nevertheless expressly authorise the disclosure.
There is a new criminal offence where you mislead an agency holding someone’s personal information in order to obtain personal information about them which you are not entitled to. This could include impersonating them or claiming authority to request it that you have not been given. The penalty here is again $10,000.
What to do
The purpose of these changes is to raise the temperature on privacy protection, to make everyone more careful. It will require some new processes to ensure that if there is some mistaken release of personal information, it becomes known to the business owners and is addressed immediately. This will include:
- identifying what information has gone to whom;
- assessment of likely harm;
- prompt action to reduce or mitigate the harm, such as by recalling it if possible; or getting undertakings from recipients to return or destroy it and not to pass it on; and
- to notify both the affected person and the Commissioner promptly, not just of the disclosure, but also of the steps to minimise or rectify.
Quite apart from the penalties or damages which might be imposed under the Act, wrongful disclosure of clients’ personal information will lead to severe reputational damage to your organisation. Good systems and reporting will be in everyone’s interests.
Latest Update: 28 October 2020