The long-awaited overhaul of New Zealand’s privacy law is almost here – the new Privacy Act 2020 (the Act) comes into force on 1 December 2020.
The Act is a much-needed update to ensure New Zealand’s laws keep up with the privacy issues faced by us all in 2020 and beyond – a privacy landscape that has little in common with the issues faced in 1993, when the current Privacy Act came into force.
As well as strengthening existing privacy protections, the Act includes new requirements for New Zealand businesses, such as new reporting and notification obligations.
This blog post is the first in a series of blogs on recent and upcoming privacy law changes. Subscribe to our newsletter or keep an eye out for our privacy blogs on changes to the EU-US Privacy Shield, disclosures of personal information to offshore companies, and our new template privacy policy.
One of the biggest changes is the introduction of mandatory privacy breach notification, bringing New Zealand into line with international best practice. You must notify the Privacy Commissioner and affected individuals of a notifiable privacy breach as soon as practicable after becoming aware of it.
A privacy breach includes unauthorised or accidental access to personal information, or disclosure, alteration, loss or destruction of personal information. That breach will become notifiable if it is reasonable to believe the breach has caused serious harm to an affected individual, or is likely to do so.
Things to consider when deciding if there is serious harm include:
If you have committed a notifiable breach, subject to some limited exceptions (discussed below), you must use a prescribed form to notify the Privacy Commissioner and affected individuals. If it isn’t reasonably practicable to notify affected individuals, you must give public notice of the breach.
This notice must be given as soon as reasonably practicable after becoming aware of the breach. In practice, this means you must quickly assess whether the breach is notifiable, and if it is, you must provide the notice as soon as possible.
There are carve-outs to the notification requirement for affected individuals, as follows.
Despite these carve-outs related to affected individuals, you must always notify the Privacy Commissioner of the notifiable breach as soon as practicable.
Failing, without a reasonable excuse, to give the notice may result in a fine of up to $10,000 or the issue of a public compliance notice. Given this, we suggest you err on the side of caution when assessing whether to notify a breach.
Now is a great time to check your privacy policy to ensure it will comply with the Act. It’s also a good chance to:
If you’d like us to review your privacy policy in light of these recent developments, get in touch.