Posted by Dew James on November 2 2020 in News

The Privacy Act 2020 (the Act) implements long-awaited changes to New Zealand’s privacy laws. Parts of the Act came into force in mid-2020, with the rest due to come into force on 1 December 2020. The Act overhauls the previous outmoded regime of the Privacy Act 1993 to better protect the privacy of people’s information in the digital age. The Act achieves this in several ways:

Increasing Obligations

  1. Introducing new reporting requirements if there has been a privacy breach that has caused serious harm or is likely to do so (sections 112 – 114 of the Act);
  2. Limiting the disclosure of personal information to overseas agencies by requiring New Zealand businesses and organisations to ensure that the overseas agency has a similar level of protection to New Zealand, or to obtain the informed consent of the individual (IPP 12 at section 22 of the Act); and
  3. Widening the net of privacy obligations to include overseas businesses and organisations that operate in New Zealand, but which do not have a physical address in the country – think, Google™ and Facebook™ (section 4 of the Act).

Enhancing Powers

  1. The Office of the Privacy Commissioner (OPC) will be able to compel a business to provide an individual with access to their personal information if the request is initially denied or not responded to (section 92 of the Act).
  2. The OPC will also be able to issue compliance notices to businesses and organisations that are not meeting their obligations under the Act (section 123 of the Act).

Harsher Consequences

  1. Imposing harsher consequences for existing offences by increasing the penalty from a maximum of $2,000 to $10,000, and introducing new criminal offences including for (section 212 of the Act):
     1. Engaging in deceptive behaviour to induce a business or organisation to disclose personal information belonging to someone else; and
     2. Knowingly destroying personal information which is the subject of an information request under the Act.

The new offences will also carry a maximum fine of up to $10,000.

New and Updated Principles

Updating existing Information Privacy Principles (IPP) and introducing a new IPP (section 22 of the Act):

  1. Principle 1 (updated) – Clarifying that personal information can only be collected if necessary and only to the extent that it is for a lawful purpose connected with a function or activity of a business or organisation.
  2. Principle 4 (updated) – Requiring businesses and organisations to treat the collection of personal information from children fairly and in ways which do not unreasonably intrude on their personal affairs.
  3. Principle 12 (new) – Regulating cross-border disclosure of personal information, permitting it only where the overseas agency has a similar level of protection to New Zealand, or with the express, informed consent of the individual concerned.
  4. Principle 13 (updated) – Requiring businesses and organisations to undertake reasonable steps to protect unique identifiers from being misused.

If you haven’t yet implemented mechanisms in your business to ensure it will be compliant with the new and stricter obligations under the Act, here are a few suggestions to help you get started:

Privacy Policy – Check your Privacy Policy and update it to ensure that it reflects the requirements of the new Act. Disseminate the updated Privacy Policy document within your organisation.

Employment Agreements – Check and update employment agreements within your business to ensure these are also compliant when the Act comes into force.

Privacy Statements – You should inform your clients of the type of information you are collecting from them and how you intend to use it. Creating a privacy statement is a sensible way to achieve this.

Cloud Storage – Consider how you are currently storing clients’ and / or staff members’ personal information, and check if this will be compliant under the new regime. The new IPP 12 captures the transfer of personal information to offshore, cloud-based storage. You must carefully investigate your cloud provider’s privacy policy to ensure that the protections are comparable to the Act.

The website of the Office of the Privacy Commissioner is a good place to start to learn more about your general obligations and rights under the Act. For tailored advice, contact our team of experts.

Kalev Crossland | Partner

Dew James | Solicitor

Tony Sung | Solicitor

This paper gives a general overview of the topics covered and is not intended to be relied upon as legal advice.