What you need to know about the new Privacy Act 2020
This article is based on the NZ Privacy Law Changes 2020 & Security Protections Webinar by Connon Daly (General Manager, The I.T. Team) and Graeme Crombie (Partner, Lane Neave). For full information and resources on the Privacy Act 2020, please visit the Privacy Commissioner website.
The new Privacy Act 2020 (Act) comes into force on 1 December 2020 and we want to help you understand what you need to know and what you need to do. The new Act replaces the Privacy Act 1993 and includes changes to information privacy principles, notification of privacy breaches, and new powers for the Privacy Commissioner. The new Act also brings New Zealand in line with Europe’s privacy legislation though our penalties aren’t as severe.
Read on to learn more about these changes and your options for protecting information and data to comply with the new Act.
Who the Act applies to and the scope
Before we start discussing the specific changes, there are two important things to keep in mind. Firstly, the Act applies to all types of entities – both public and private – and it refers to them as ‘agencies’. Secondly, the scope of the Act relates to personal information, as opposed to corporate data. Personal information is information about an identifiable individual.
Let’s break that down:
- Information: this covers anything from a name to an IP address.
- About: there needs to be a link between the information and the individual. For example, a weight measurement of “80kg” is not personal, but if the information says “Joe Bloggs’ weight is 80kg” then it is about an identifiable individual.
- Identifiable individual: a natural person, other than someone who is deceased.
Five of the Information Privacy Principles have changed
Currently there are 12 Information Privacy Principles (IPPs) within the Act and they cover collection, use, disclosure and storage of information. Under the new Act there will be one new IPP (IPP12) and five existing IPPs will change.
The five IPPs that will change under the new Act are:
- IPP1, which is about needing a lawful purpose to collect information, will change to restrict the ability to collect identifying information. You should not collect an individual’s identifying information if there is no need to identify that individual.
- IPP2, which is about who you collect the information from, will change largely for consistency with some of the other IPPs. It will be possible to collect information from people other than the individual concerned if there is a serious threat to life or health.
- IPP4, which is about the manner in which information is collected, will require you to think carefully about why and how you would collect information from children and young people.
- IPP8, which is about the requirement to check the accuracy of information before it’s used, will change to require accuracy to be checked before disclosing that information.
- IPP13, which is about requirements to minimise the risk of misuse with a unique identifier, will change to strengthen existing practices. For example, you already see bank statements that only display part of the account number.
KEY ACTION: Check your privacy practices, update your policies, and make sure they align with these changes.
The new addition is IPP12 and it has been introduced to add more to IPP11, which is about disclosure of information. If you are going to disclose information outside of New Zealand you may have to meet particular criteria – but using a non-New Zealand service provider does not necessarily mean information has been disclosed.
If that service provider is merely holding the information, or processing it on your behalf, then that is not disclosure of information. However, if the service provider or another entity is going to use the information for their own purposes, then that will be a disclosure and IPP12 will come into play.
That type of disclosure to an entity outside of New Zealand is only permitted if one of five criteria is met:
- The individual has authorised the disclosure; you get their consent to disclose outside New Zealand.
- The recipient is subject to the new privacy act because they do business in New Zealand as well, or they are subject to privacy laws that provide comparable safeguards (such as Europe’s GDPR).
- The recipient is part of a prescribed binding scheme. Note that there are no such schemes at this time, but regulations may put one in place.
- The recipient is subject to privacy laws of a prescribed country, in which case you don’t need to make an assessment as to whether or not their privacy laws provide comparable safeguards.
- Arrangements are in place to ensure the information is properly protected, such as a data protection agreement, which is commonplace under Europe’s GDPR. The Privacy Commissioner is currently working on a set of standard clauses that will be available to everyone with a view to helping create a data protection agreement.
KEY ACTION: Think about your data sources and where you send the information you collect. If you are sending it outside of New Zealand, make sure you know if any of the recipients are a service provider and they only process the information for you – in which case IPP12 doesn’t apply. If the recipients are going to use the information for their own purposes, you’ll need to update your contract with them.
You must give notification about privacy breaches
A very important change for New Zealand businesses to be aware of is the requirement to give notification of privacy breaches. But just because you have suffered a breach doesn’t mean it’s notifiable.
Step 1: Assess if there has been a notifiable breach
- Determine if there has been a breach of privacy. A privacy breach is defined quite widely; it covers accidental or unauthorised access or loss, or situations where information becomes unavailable (for example, it’s been locked up by a hacker).
- Determine if the breach has caused, or is likely to cause, serious harm to the individual to whom the information is related. Serious harm isn’t defined in the legislation but there are a number of factors set out that need to be considered. For example, what was done to reduce the likelihood of harm following the breach, who got hold of the information, whether the information was sensitive or not, what protections existed to stop the information being used (was it encrypted?), and what the nature of the harm might be that’s caused by the breach.
- There are some exceptions to whether or not a breach is notifiable, such as if the health of the individual could be prejudiced by telling them about the breach.
- There are also some defences that can apply. For example, if you reasonably believed that there was no requirement to notify, you wouldn’t be fined even if it later turned out that there was.
Step 2: Notify the Privacy Commissioner about the breach (if required)
- Who: the individual and the Privacy Commissioner.
- When: as soon as practicable after becoming aware of the breach. There is a right to delay: if notifying would increase the risk of further security issues, you can delay notification to the affected individual (but not to the Privacy Commissioner) until the security risk has been dealt with.
- What: there are a number of requirements in the Act, but the two key points are what happened and what actions you are taking.
KEY ACTION: Figure out what data you hold and put an assessment process in place in relation to that data. This should be part of your breach response plan so that you are ready to deal with a breach if it happens, rather than having to scramble at the last minute.
Two examples of a privacy breach
Example 1: Payroll information was accidentally emailed to someone else in the same company.
- Is there a breach? Yes, because personal information has been disclosed without authorisation.
- Is there a risk of serious harm? No, because the recipient works for the same company so there’s an element of trust between the sender and the recipient. Action was taken to contact the recipient and ask them to delete the file, so you can be confident that there’s no harm from the breach and, therefore, no requirement to notify.
Example 2: An online store’s mailing list was downloaded by an external party.
- Is there a breach? Yes, because personal information has been accessed without authorisation.
- Is there a risk of serious harm? Yes, because the mailing list contains personal information that could be used for credit card fraud, identification fraud, etc. In this case you would notify customers and the Commissioner as soon as practicable.
Other key changes in the new Act
The Privacy Commissioner (Commissioner) has a series of new powers under the new Act:
- If they don’t think that your privacy practices are up to scratch and want improvement, they may issue a compliance notice. They will engage in a discussion process first and work with you to come to a solution. But if that process isn’t successful, the compliance notice will be issued and will set out which steps have to be taken and the timeframe to take them. The Commissioner will be able to enforce the notice in the Human Rights Review Tribunal, but you can appeal if you disagree with the requirements. There’s also a power for them to publish the names of those to whom compliance notices are issued.
- Direct access to personal information, if an agency is not providing information on request by an individual. This is also enforceable, and appealable.
- Tools for investigations, which are largely around the fringes but include the ability to shorten timeframes for requesting documents; the standard under the 1993 Act is 20 working days.
- Sharing and receiving information, which includes overseas agencies as a way to deal with global breaches.
- New fines/offences: Maximum $10,000 fine for failing to notify a breach to the Commissioner. It’s not a fine for having a breach, it’s a fine for not notifying when you should have. Maximum $10,000 fine for failing to comply with a compliance notice, misleading an agency, or knowingly destroying a requested document.
KEY ACTION: Make sure your privacy practices are compliant. Check existing policies against the current rules and minor updates, and make sure you comply. Bear in mind that marketing is an area where the activities can get out of step with the policy on your website.
Options for protecting information and data
When it comes to implementing protective measures, start by ranking the functions, features and technologies you could implement in order of priority and impact.
Key protection measures are your domain, a robust password policy, anti-virus software and patch management. These measures allow you to have a good foundation and prevent some (but not all) breaches from occurring.
The most common threat to organisations is phishing attacks. If you suffered a phishing attack you may not realise that all of the data had been breached and taken. It would be incredibly hard to go through your data and figure out what has been breached and who to notify.
There are other options to stop or prevent people from accessing, transmitting or emailing data outside of your organisation, or preventing access to certain people outside of your organisation. These are best discussed with your IT providers, but please feel free to contact us if you would like some assistance with starting that conversation.
An important reminder: if you have too much security you won’t be able to work, so you need to find what works for you depending on how critical your data is.
So, what do you need to do?
Start with this question: where do you want to be and what technical steps do you need to take to get there?
Update your privacy breach response plan to incorporate the assessment process around a potential breach: whether it would cause serious harm and whether it needs notification. Check your processes for collecting, storing, using and disclosing personal information. Make sure that what you do complies with the original 1993 Act and the changes to the Privacy Principles under the 2020 Act. Deploy the right technical protection measures and ensure that you train staff – they’re a key line of defence.
Update contracts with suppliers and third parties to whom you provide personal information. Remember that the customer (you) is responsible for breaches, so the contract should require the service provider to notify you of a breach so that you can decide if you need to notify the Privacy Commissioner. If you’re providing information offshore, make sure you’ve got the right level of contract in place.
A final note about the Health Information Codes
You should expect the Health Information Codes to be largely the same, because the new Act doesn’t import the Codes. What’s being worked on is replacement Codes that will line up with the new Act. All the Codes continue and will be updated and released prior to 1 December so that they work under the new Act.
Disclaimer: The content of this article is general in nature and is not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose. We expressly disclaim any liability to you or your business in relation to the information contained in this article, and you rely on any information solely at your own risk.