If you’re in business, the Privacy Act 2020 affects you
Shortly, the 2020 version of the Privacy Act comes into effect (1 December). Its purpose is to catch up on a lot of the ground between its initial 1993 deployment and the way the world works now, and to bring New Zealand closer to the European standard, the General Data Protection Regulation (GDPR).
What do you need to do? Mainly it’s just updates to your current documentation, which are covered in three parts (or documents):
- Internal policy – how privacy is handled internally, including the assigning and naming of a Privacy Officer, monitoring for and notifying of breaches,
- External policy – how you handle privacy information between your business and customers/clients,
- Privacy Policy – the document available from your website that outlines how you collect information from your customers/clients, its purpose and compliance with the new Act.
What’s new in the Act?
- Appointing a Privacy Officer (who understands and upholds the Act for your business),
- Notification of breaches,
- Penalties for breaches/non-compliance,
- Orders for compliance,
- Off-shore companies doing business in New Zealand.
In addition, the 12 Information Privacy Principles (IPPs) have grown to 13 and are now:
Principle 1 – Purpose for collection of personal information
Agencies can only collect personal information if it is lawfully required for their business. Your privacy policy should explain why you collect the information and who has access to it (including how they can access it).
Principle 2 – Source of personal information
Personal information should come directly from the person concerned (rather than from someone acting on their behalf).
Principle 3 – Collection of information from subject
If you collect personal information you must disclose that –
- information is being collected; and
- the purpose for which the information is being collected; and
- the intended recipients of the information; and
- the name and address of —
  - the agency that is collecting the information; and
  - the agency that will hold the information; and
- if the collection of the information is authorised or required by or under law, —
  - the particular law by or under which the collection of the information is authorised or required; and
- whether the supply of the information by that individual is voluntary or mandatory; and
- the consequences (if any) for that individual if all or any part of the requested information is not provided; and
- the rights of access to, and correction of, information provided by the IPPs.
Principle 4 – Manner of collection of personal information
Personal information must be collected lawfully in a way that is fair and without coercion or deceit (trick questions).
Principle 5 – Storage and security of personal information
Agencies/individuals must look after the data to prevent unauthorised access, loss or misuse.
Principle 6 – Access to personal information
Those whose details you hold have a right to access their own personal information.
On request an individual is entitled to receive from an agency:
- confirmation of whether the agency holds any personal information about them; and
- access to their personal information.
Principle 7 – Correction of personal information
A person has a right to ask an organisation or business to correct information about them if they think it is wrong.
Principle 8 – Accuracy of personal information
An agency must check before using personal information that it is accurate, complete, relevant, up to date and not misleading.
Principle 9 – Retention of personal information
An agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.
Principle 10 – Use of personal information
Agencies can only use personal information for the purpose it was collected.
The Privacy Policy must state how that personal information is to be used and be bound by those limits (including use for statistical purposes).
Principle 11 – Disclosure of personal information
An agency may only disclose personal information in limited circumstances.
Principle 12 – Disclosure of personal information outside New Zealand
Information may be shared outside of New Zealand under special circumstances (including the recipient meeting New Zealand’s privacy requirements), where the sharing relates to the business operation and is disclosed in the Privacy Policy. This excludes overseas cloud-based services.
Principle 13 – Unique identifiers
An agency may use unique identifiers to identify personal information when it is necessary for the purpose of efficiency.
Full Act details can be found here: http://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html
What else falls under the Privacy Act 2020? A lot more than you’d first consider. An example is surveillance cameras – we’ll cover that later.
While the Act has more enforcement and penalties prescribed, a big factor is the incentive to avoid the media attention given to data breaches. It’s a great time to evaluate how your business handles data, where it’s stored, and who has and can get access – including monitoring for unauthorised access.
If it all sounds too heavy, it’s probably a great time to make a start with a Privacy Policy and let that lead you to the next step. For some insight, take a look at our version: https://comtechnology.co.nz/privacy-policy/
Used in conjunction with the Privacy Commissioner’s website, their Q&A-based Privacy Policy tool can help you quickly get what you need: https://www.privacy.org.nz/privomatic/index.html
For a helping hand, reach out for a no-obligation discussion around what you need that is best suited to your business. If we can’t help, we sure know those who can.