Changes to existing privacy law are due in 2020. Full details can be found here. Key highlights for all businesses to be aware of include:
- Requirements to report privacy breaches: If organisations have a privacy breach that poses a risk of serious harm, it must notify the Commissioner and the people affected (unless an exception applies).
- Compliance notices: The Commissioner will be able to issue compliance notices to require an organisation to do something, or stop doing something, to comply with the Privacy Act.
- Decisions on access requests: The Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.
- Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by acceptable privacy standards.
- New criminal offences: It will be an offence to mislead an organisation in a way that affects someone else’s personal information, and to destroy documents containing personal information if a request has been made for it. The proposed penalty is a fine of up to $10,000. It will be an offence to fail to notify the Commissioner of a serious privacy breach, or to fail to comply with an enforceable compliance notice.
- Extraterritoriality: An overseas agency is to be treated as “carrying on business in New Zealand” even if it does not have a physical place of business here – if it charges any monetary payment for goods or services or makes a profit from its business here.
The new bill passed its second reading in 2019, and March 2020 was proposed as a start date for these changes however it may be closer to July 2020 before the bill is passed. You can see the timeline and progress here.
Preparing for these changes
When the new privacy bill passes, there will be a six-month implementation period to prepare. There are steps you can take in advance of these changes to ensure your business is ready.
- Ensure you are aware of and understand all changes proposed and which may impact your business. The Ministry of Justice website currently has detailed information about all changes proposed.
- Review your current privacy policies for compatibility with all changes.
- Develop compliant policies that are ready for use by mid-2020. This should include a mandatory breach reporting policy that can be used from March 2020.
- Ensure your Incident Response Team are fully aware of new data breach requirements and have processes in place for identifying, protecting, defending, responding and recovering from a breach.
Points to consider: How will we determine serious harm? Who will manage notification and communication requirements? Do we have protocols in place for containment?
- Review all data storage and handling policies and service provider agreements for compliance with the new cross-border protections.
Points to consider: Do we store, process or send any data overseas? Do we have processes in place to adequately protect this data and its end use?
- Have your privacy officer develop training and communication materials to communicate all changes to all employees. If you don’t have a privacy officer, now would be a good time to think about delegating that responsibility to someone in your organisation or consider engaging an external privacy expert to fulfil that function.