What you need to know!
For the first time in 27 years, there will be a new Privacy Act 2020 coming into force on 1 December 2020. Here is what you need to know.
Technology has advanced rapidly in the last 27 years, and with that, privacy has also changed. We now live a large part of our lives online, making our personal and business information a lot more vulnerable. Whether you are an Employer or an Employee, we all have a responsibility to take good care of the personal information we hold about people.
Main Changes to the Act's Principles
- Change to principle 1: Purpose of Collection - The new Act has clarified that you should only collect identifying information if it is necessary. If you don’t need it, you shouldn’t collect it.
- Change to principle 4: Manner of Collection - When collecting information from children and young people, organisations must do this in fair and reasonable circumstances.
- Change to principle 13: Unique Identifiers – Organisations now need to take reasonable steps to protect unique identifiers from being misused.
- New principle 12: Overseas disclosure - There is one new principle in the Act, which sets out what organisations should check and be sure of before sharing information overseas.
Changes to overseas organisations operating in New Zealand
The Privacy Act 2020 applies to all organisations conducting business in New Zealand, even if they don’t have a physical presence here, e.g. Facebook.
If an organisation has a privacy breach, for example losing someone’s personal information, an attempted hack, or something else that could cause serious harm to an individual, then that organisation needs to report the breach to the Privacy Commissioner.
It is important to report any incidents, as people cannot protect themselves against the impact of a privacy breach if they do not know that a breach has occurred. Also, due to the speed of technology, information can be copied quickly and transferred to other platforms, so the potential for harm is high. Sharing examples of past breaches means that we may be able to prevent similar ones from happening in the future.
Access of personal information
Individuals are entitled to access personal information held about them. If you fail to provide it, they can complain to the Commissioner, who can direct you to share that information.
There are grounds on which an organisation can refuse to release personal information, if releasing the information would create:
- A serious threat to the health and safety or life of an individual
- A risk of serious harassment or significant distress to the victim of an offence
The Commissioner now has the power to issue compliance notices to compel organisations to do something or stop doing something.
Your organisation will receive a draft compliance notice and have the opportunity to comment before it is finalised. The compliance notice will set out what you need to do and by when. You can either comply or appeal the notice to the Human Rights Tribunal.
- Refusing to comply with a compliance notice - up to $10,000 fine
- Misleading an agency to get someone else’s information - up to $10,000 fine
- Destroying information rather than providing it - up to $10,000 fine
- Failing to alert the Privacy Commissioner about a privacy breach - up to $10,000 fine
What can you do?
With the introduction of the Privacy Act 2020, this is a good time to do a health check on your existing privacy practices and check that you are effectively protecting the personal information that you hold. You may need to check your current policies and procedures and the written statements on your data collection forms. If you don’t have a policy, then this is a good time to introduce one.
This is also a great opportunity to upskill your staff on their obligations. There is a great e-learning module at https://elearning.privacy.org.nz/
If you find yourself needing more information on the Privacy Act 2020, give us a call on 0800 HR LIVE.