Changes to the NZ Privacy Act – the things you need to know

By Ahmed ElAshmawy, on Filed in Blog / NewsTagged

As I’m sure many of you are aware, the New Zealand Privacy Act 2020 came into effect on the first of December last year.

In this blog, we’re going to give you a quick rundown of the changes that have been made to the Privacy Act, and how they might affect you. While this isn’t an exhaustive list, it should hopefully cover the most substantial changes.

NZ Privacy Act Changes Overview

Update 1: Criminal Offences and Fines

I once heard somebody say that the previous Privacy Act was “about as threatening as a cumulus cloud”, which I thought was pretty funny. This joke highlighted a problem with the previous Privacy Act… It didn’t really have much power behind it. Sure, a breach could land you in the public arena and affect your reputation, but in the grand scheme of things (especially if you are a government organisation) it didn’t cost you much.

Under the new act, some new criminal offences have been defined, and in some situations the Privacy Commissioner is able to issue fines.

Under the new act it is now considered an offence to (excuse the legalese):

  • Obstruct, hinder or resist the Commissioner or any other person in the exercising of the Privacy Act’s power.
  • Refuse or fail to comply with any lawful requirement of the Commissioner or any other person under the act.
  • Make any statement or give any information to the Commissioner that is false or misleading.
  • Represent directly or indirectly that you hold any authority under the act when you do not hold that authority.
  • Mislead an agency by impersonating an individual, or falsely pretending to be an individual, or to be acting under the authority of an individual, for the purpose of obtaining access to that individual’s personal information, or having that information used, altered or destroyed.
  • Destroy personal information if it is known that a request has been made to access it.

And the penalty for these offences?

A $10,000 maximum fine.

Okay, it isn’t quite a GDPR level fine (maximum fines of €20 million or 4% of annual global turnover), but at least it’s a start.

Maybe the act is now about as threatening as a dense fog.

Update 2: Principle 12 Disclosure of personal information outside of New Zealand

So, let’s get this out of the way. The old Principle 12 is now Principle 13, and Principle 12 now relates to the disclosure of personal information outside of New Zealand.

No, I have no idea why they didn’t just make the new principle number 13, and keep 12 the way it was… I guess we just have to deal with it.

Effectively, the new Principle 12 states that:

  • You are only allowed to disclose personal information to an overseas entity if the entity is subject to similar privacy safeguards as those within the New Zealand Privacy Act.
  • If they are NOT subject to similar privacy safeguards, then data subjects (the people whose personal data you handle) must be fully informed that their data may not be adequately protected, and must expressly authorise the disclosure.

How do you decide if a country’s privacy law is good enough to provide ‘similar privacy safeguards as those within the New Zealand Privacy Act? Well, that isn’t your job to figure out, it’s the responsibility of the Privacy Commissioner. If in doubt, get in touch with them and they will provide some guidance.

Update 3: Notifiable privacy breaches

If your organisation suffers a privacy breach, you now must assess the impact of that breach to determine if it has caused (or is likely to cause) serious harm. If it has, then that makes the breach a notifiable breach. If you deem the breach to be notifiable, then you MUST notify the Office of the Privacy Commissioner (or else suffer a fine of $10,000).

How do you know what qualifies as ‘serious’ harm? Well, the legislation provides a little bit of guidance, and states that: When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:

  1. Any action taken by the agency to reduce the risk of harm following the breach:
  2. Whether the personal information is sensitive in nature:
  3. The nature of the harm that may be caused to affected individuals:
  4. The person or body that has obtained or may obtain personal information as a result of the breach (if known):
  5. Whether the personal information is protected by a security measure:
  6. Any other relevant matters.

On the flip side, if you determine that the breach hasn’t caused (or is not likely to cause) serious harm, then you don’t need to do anything new. Just follow your regular privacy incident handling process. I hope you’ve got one (if not, then give us a call).

Update 4 and 5: Compliance notices and access directions

Under the previous act, the Privacy Commissioner didn’t really have any teeth. This change gives the Commissioner a bit more power to ensure that the Privacy Act is being followed.

The Privacy Commissioner is now able to issue compliance notices to organisations telling them to do something (or stop doing something) in order to comply with the Privacy Act. The compliance notices issued by the Commissioner should describe the steps that need to be taken by the agency, and should also identify a deadline date for the changes to be made. If you don’t do what you’re told, then you can be fined up to $10,000.

The Commissioner is also able to issue access directions to help individuals gain access to their information under Principle 6. This means that if an organisation is not giving personal information back to an individual (as is their Principle 6 right), the Commissioner can add some extra clout to that request through an access direction.

Final updates and wrap-ups

As mentioned in the introduction to this article, we haven’t covered all of the changes to the act, but I’ll rattle off a few other changes here, just in case you want to research them a bit further.

  • The privacy act now has an extraterritorial effect, meaning that a business based overseas that ‘carries on business’ in New Zealand is still subject to the Privacy Act.
  • Some clarifications have been made to Principle 1, making sure that information is not being collected if it is not necessary.
  • New withholding grounds for access requests under Principle 6 have been added.

The Office of the Privacy Commissioner has released great guidance about these changes and what they mean to you; so go and check out their resources page here if you want some additional reading. And as always, feel free to get in touch with the team at Axenic if you would like to chat about your Privacy and indeed your information security considerations.