The Privacy Act 2020: what you need to know

CHANGES TO THE PRIVACY ACT NOW IN FORCE

The Privacy Act 2020 came into force in December last  year. The new act strengthens privacy protections by promoting early intervention and risk management by agencies, and enhances the role of the Privacy Commissioner.

The Privacy Act 2020 replaces the Privacy Act 1993. Key changes include:

  • Agencies must report privacy breaches. There is a two tier regime requiring:
    • material breaches – notification to the Commissioner and
    • serious breaches – notification both to the Commissioner and the affected individuals when there is a real risk of harm.
  • Protection for data crossing borders:
    • New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by comparable privacy standards.
    • When a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws.
  • The Commissioner will have more powers, including:
    • being able to issue compliance notices to require an agency to do something or stop doing something, and
    • making binding decisions on complaints about access to information (rather than the Human Rights Review Tribunal). 
  • Class actions permitted in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings.
  • There is a new criminal offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it. The penalty will be a fine of up to $10,000.

What do businesses need to do?

Taking care of your data is now more important than ever. If your business gathers customers’ details for any reason (e.g. newsletter database, payment purposes, repeat bookings, loyalty programmes), or holds information about an individual (e.g. employers and employees), it is affected by this law change.

New Zealand business need to consider what personal information they collect and hold, why it is held, how long to retain it for and how individuals may require access to that information.

If you’d like to talk about how these changes affect your business, please contact our Business law team.

Our thanks to Andrew Easterbrook for writing this article.