Unless you’ve been living under a rock, you’ll know that NZ’s privacy laws are about to undergo their biggest transformation since the Privacy Act became law in 1993. The changes, and the new Privacy Act 2020 (the Act), come into force on 1 December 2020. So, you’ve still got a few weeks to make sure all of your ducks (or rather, secret squirrels) are in a row.
Under the new law, you’ll be required to notify the Privacy Commissioner and affected individuals if you have a privacy breach that causes, or is likely to cause, serious harm. In her blog on mandatory notifications, Georgina Leslie discusses when you need to notify a breach, what counts as serious harm, and what exceptions apply (hint: not many).
The new law also implements a new privacy principle (commonly known as IPP12). Under IPP12, unless you have very clear consent from affected individuals, you can only disclose personal information overseas if comparable privacy safeguards are in place. These safeguards could be under contract or via similar privacy laws to the Act.
There are 2 exceptions that will help a lot of Kiwi businesses. IPP12 won’t apply to cloud providers who simply store or handle information on your behalf (i.e. they don’t use it for their own business purposes) or if the disclosure is to a foreign business operating in NZ (on the basis that this business already has to comply with the Act).
Georgina also discusses this in more detail in her blog on IPP12.
If IPP12 applies to you (or you think it might), the Office of the Privacy Commissioner has released model terms that you can include in your contract with the overseas person receiving the transferred information to ensure there are comparable privacy safeguards in place. This is a fill-in-the-blanks document. It is important that you think carefully about what should be included in the sections you need to complete and that you include as much detail as possible.
We’ve updated two of our templates to reflect the new Act. Check out our updated privacy policy and website terms of use. As a heads up, these changes are pretty minor and assume that IPP12 doesn’t apply to the person using the documents. If it does, you may need some extra protections – this is discussed in the covering notes.
We plan to update you over the next few months on how the new law is bedding in and to give some tips and tricks on how to make sure your business is complying with the Act. Stay tuned.