BLOG
share:
In an increasingly global world, businesses need to disclose personal information to companies outside of NZ for many reasons, including for data hosting and storage. The new Privacy Act 2020 (the Act) comes into effect from 1 December 2020, bringing with it a new privacy principle requiring NZ businesses to ensure privacy protections apply to personal information sent overseas.
This blog is our second in a series on upcoming law changes. To learn more, check out our first blog on mandatory breach notifications or subscribe to our newsletter. And keep an eye out for our new template privacy policy that we’ll release shortly.
IPP12 enables NZ businesses to disclose personal information to a foreign person or entity who is subject to comparable privacy safeguards. This seems broad, but there are two key exceptions:
Before disclosing personal information overseas, you must be satisfied that you have reasonable grounds to believe that the disclosure is permitted under IPP12. To be permitted, you must either be satisfied that comparable safeguards are in place or have the relevant individual’s authorisation to disclose their personal information to the recipient.
So how do you know if comparable safeguards are in place?. You can do this two ways:
In regulations, the Government may prescribe that a country has comparable privacy safeguards, meaning no additional steps would be needed before you disclose personal information to a business in that country. No regulations will be in place when the new Act becomes law.
If you aren’t satisfied that there are comparable safeguards, you can still send personal information overseas if disclosure is authorised by the individual to whom the information relates. But, authorisation is not as simple as a short note at the bottom of your privacy policy. You will need to ensure affected individuals are expressly informed that the business you are disclosing their information to may not protect their information in the same manner as in NZ. And you must inform them clearly and upfront, about the way their information will be used, for what purpose, and by whom.
You’ve got 3 weeks to make sure your overseas disclosures of personal information meet the requirements of the new Act. We suggest you review your relevant contracts now to ensure that you are ready to comply when the changes happen on 1 December 2020.
If so then you may prefer kindrik.sg