

The Privacy Act was first put in place in New Zealand in 1993 and has not been updated until now. In the meantime, technology has developed beyond anything we could have imagined, and personal data is now collected, stored and shared around the world. Many businesses will already be acting responsibly in the way they manage personal data. However, there are some changes to the Act that you need to be aware of and now would be a good time to review how your business collects, manages and stores personal data.
There are currently 12 principles to the Privacy Act. If you are not aware of these, here is where you can find out more. Below we will discuss the key changes that come into force on 1st December 2020 and how they may affect your business.
Requests for Personal Information
If a person requests to see the information you store about them, you must provide this within 20 days. This means that you need to know where the data is, be able to extract it and provide it promptly. Failure to do this will result in a compliance notice from the Privacy Commissioner. Because the Act now incorporates criminal offences, the business will have time to respond but could be fined up to $10,000 for non-compliance.
New Offences
There are also some new offences that the Privacy Commissioner can issue compliance notices for. These include:
· Misleading an agency to get someone else’s personal information
· Destroying someone’s personal information when they ask for it.
Security Breaches
Not informing the Privacy Commissioner if there has been a breach in security is also an offence. Many organisations have experienced hacking attempts or cyber-attacks. Businesses must now inform the Privacy Commissioner if there is a breach that has caused, or could cause, serious harm. In order to help reporting of breaches and identification of how serious a breach is, the Office of the Privacy Commissioner have developed a tool on their website called NotifyUs.
Sharing Information Overseas
Sharing data with other companies is now commonplace, particularly with the use of outsourcing for core business activities. If you share information overseas, there is now a new principle that sets out what you need to be aware of. Overall, the overseas organisation must comply with New Zealand privacy standards.
Only collect information you need
Three of the current 12 principles have also been updated. The most important one is that a business must only collect identifying information about people that it needs for its lawful purpose.
What you need to do now
Decide who in your business will take the lead on privacy matters. This could be you, a manager or a trusted employee. They will be your privacy officer. Their duties include:
· having a general understanding of how the Privacy Act relates to your business
· checking personal information is collected responsibly and stored safely
· making sure requests for personal information are handled promptly
· developing a privacy breach response plan and reporting any breaches of security.
Find out more
The following pages can provide you with more information about the changes:
The Office of the Privacy Commissioner
At Marketelements
At Marketelements we take the collection, management and storage of personal information for marketing purposes very seriously. To find out more, click here to send us a message.