Long-needed changes to New Zealand’s Privacy Act are not far off. If your business collects, stores or uses personal customer and/or employee information (you’d be hard-pressed to find a business that doesn’t!), then it’s important you know what the changes are, how they impact your business and what your response should be.
Some background about the impending changes
New Zealand’s current Privacy Act celebrated its 25th birthday last year. Given the pace of technological change over this period, it makes sense that amendments are urgently needed. In response, the Justice Select Committee drafted a raft of suggested changes, which are currently being reviewed in parliament. If all goes to plan, the Bill amendments are slated to come into effect in early 2020.
But just what are the proposed changes? And more importantly, what do they mean for your business?
Here is a brief rundown of the major likely amendments, along with some suggested action points to help ensure your company is compliant.
A few key changes and what they mean for your business
The vast majority of proposed Bill amendments are based on the central tenet of increasing the rights of individuals to protect their privacy. People will now have greater powers to request access to their personal information that businesses hold, as well as being notified if there has been a breach of their data. This is a major change as in the past, New Zealand companies weren’t obliged to provide such a notification by law.
In addition, the Privacy Commissioner will have a greater say in compelling companies to be compliant, and will have the power to issue bigger fines if they aren’t. Furthermore, businesses that deal with overseas entities will have to ensure the privacy laws of those countries are as stringent as those of New Zealand.
Let’s delve a little deeper into each change and what you can do about it.
1. New consumer access request rights
When the Bill amendments become law, New Zealanders will have the legal right to ask any business to provide them with any personal information they hold about them. Companies must respond within a strict timeframe. If they don’t, the individual can take it up with the privacy commissioner who will have the power to issue a compliance notice. Non-compliance risks a fine and criminal liability.
It will also be a criminal offence for a business to destroy requested personal data and documents with a penalty of up to $10,000.
- Review your current processes around personal data access requests
- Familiarise yourself with the proposed compliance timeframes
- Draft a procedure to ensure you can meet those standards
Extra tip: Involve frontline staff in the process, especially during the drafting stage. Their on-the-job experience is invaluable in helping you formulate and institute a workable data access procedure.
2. Mandatory reporting of privacy breaches
Gone are the days of sweeping a privacy compromise under the rug. Once the changes go through, all New Zealand agencies will have to report any privacy breach that poses a risk of ‘serious harm’. The breach needs to be reported to both the person/s affected and the privacy commissioner as soon as possible. If an agency fails on this front, they can be fined up to $10,000.
According to the current Act, a privacy breach is considered:
- Any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
- An action that prevents the agency from accessing the information on either a temporary or permanent basis
To work out if ‘serious harm’ has occurred, you need to consider:
- What actions were taken to reduce the risk of harm
- The type of information disclosed (is it sensitive?)
- The nature of harm it may cause
- Who it was disclosed to
- What type of security measures were in place to protect the data
The proposed Bill amendments will make explicit the steps you need to follow to notify the individuals involved and the commissioner about a privacy breach. We’ll have to wait and see exactly what those steps are once the law comes into effect.
Another change to be aware of concerns outsourcing your data storage or processing, for example via a cloud service provider. If your outsourced agency experiences a data breach, you will still be responsible for notifying your customers, not them. It doesn’t matter whose fault it was.
- Understand your reporting responsibilities under the new Act
- Develop a clear data breach plan
- Put tools in place to detect a breach
- Educate all employees on what to do should a breach occur
Formulating a data breach plan involves a number of steps. It should include tools to assess the level of harm, as well as to advise when a breach has occurred. In addition, it must have a staff training component to help your employees understand how to apply the plan effectively. If you outsource storing customer or employee information – think something as simple as Xero or Zoho – you’ll want to be sure they notify you as soon as possible should a breach occur too.
This is likely the most arduous task you will need to undertake in response to the Privacy Act changes. A good starting point is the privacy commissioner’s data breaches website page. Or you can contact us for further help.
3. Commissioner can issue compliance notices
As briefly touched upon above, the NZ privacy commissioner will now have the power to issue compliance notices to instruct a business to either do something, or stop doing it. Once again, a failure to comply could see you slapped with a fine of up to $10,000.
4. ‘Cross-border data flow protections’
This change involves the personal customer and/or employee data you transmit to an overseas entity. The new law requires you to take steps to make sure the overseas provider you use has privacy protections in place that are as strong as New Zealand’s.
Overseas businesses will also have to comply with our privacy laws. This is a major change for the way companies from other countries transact with New Zealand.
An interesting example involves tech giant Google. In May 2018, the NZ courts issued them with a suppression order but they refused to cooperate, stating their parent company was based in the US so NZ laws did not apply. But with the proposed changes on the cards, they will have to agree to abide by NZ privacy laws. The risk is ceasing operations here altogether, which seems highly unlikely.
- Either review the privacy policies of your overseas-based service providers (e.g. Dropbox, MYOB, Salesforce), or contact them directly, to determine whether they have strong enough privacy protections in place to meet the new standards.
Those are the major amendments to the Privacy Act that are currently being reviewed and are likely to be accepted. In preparation for the changes, here are a few more things you can do:
a) Appoint a Privacy Officer or a Virtual Privacy Officer (VPO)
It’s a good idea to have a go-to person who understands the Act, the upcoming changes and how to apply them to your business. According to the current Act, every business should, by law, have a Privacy Officer.
b) Review how you store data and your systems as a whole
Storing information securely is one thing, but what about how you transmit or dispose of it? Cyber experts say many businesses fail to identify the weak links in their systems, which leaves them open to attack. One example is your printers. Apart from scanning and printing confidential material, they are also connected to your network. If they aren’t properly secured, an attacker may be able to compromise them and obtain access to employee and customer details.
c) Review your privacy statement and update it
Should you need a little more assistance dealing with the Privacy Act amendments, or would like to request a security audit, please get in touch.
Disclaimer: This article is of a general nature and is not intended to be a substitute for legal advice. We recommend you seek professional counsel on such matters.