Notifiable privacy breaches
The main thing to consider is that the legal requirements of responding to a privacy breach are changing. The new Act will make it a requirement for your organisation to tell the Office of the Privacy Commissioner (OPC) if there has been a privacy breach that has caused, or is likely to cause, serious harm. Currently, reporting a privacy breach is entirely voluntary.
With this change in place, it will be an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach.
What is serious harm?
It is important to note that not all privacy breaches need to be reported to OPC. The threshold for a notifiable breach is ‘serious harm’. This can be assessed by considering, for example, the sensitivity of the information lost, actions taken to reduce the risk of harm, and the nature of the harm that could arise.
OPC has recently launched NotifyUs—an online tool enabling businesses and organisations to easily assess whether a privacy breach is notifiable.
A new e-learning module dedicated to the Privacy Act 2020 changes is available on the OPC website, which should only take about 30 minutes to complete. OPC’s e-learning modules—which include Privacy ABC for Schools—require a basic registration, but are free for anyone to do. It’s a great way to bring your staff up to speed with the privacy issues affecting them.
Other resources are also available to help you understand the changes to the Act. There’s a podcast series with the Privacy Commissioner and our Legal Counsel, covering all the key changes, as well as the notifiable privacy breach requirement.
Other key changes
The new Act retains the privacy principles of the 1993 legislation, with some changes. Here are the other main changes:
1. Compliance notices
The Privacy Commissioner will be able to issue compliance notices to organisations to require them to do something, or stop doing something, in order to comply with the Privacy Act. Compliance notices will describe the steps that the Commissioner considers are required to remedy non-compliance with the Act and will specify a date by which the organisation or business must make the necessary changes.
2. Enforceable access directions
The Privacy Commissioner will be able to direct agencies to provide individuals access to their personal information. This will allow faster resolution of complaints relating to information access. Access directions will be enforceable in the Human Rights Review Tribunal.
3. Disclosing information overseas
A new privacy principle 12 has been added to the Privacy Act to regulate the way personal information can be sent overseas. Under principle 12, an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act 2020. If a jurisdiction does not offer similar protections, the individual concerned must be fully informed that their information may not be adequately protected, and they must expressly authorise the disclosure.
4. Extraterritorial effect
The new Privacy Act now clearly states that it has extraterritorial effect. This means that an overseas organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here. This will affect businesses located offshore.
5. New criminal offences
The Privacy Act 2020 introduces new criminal offences. It will now be an offence to mislead an agency to access someone else’s personal information—for example, impersonating someone in order to access information that you are not entitled to see. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.