If you’re in business, the Privacy Act 2020 affects you
The Privacy Act 2020 comes into force shortly (1 December 2020). Its purpose is to close the gap between the original 1993 Act and the way data is collected and handled today, and to bring New Zealand closer to the European standard set by the General Data Protection Regulation (GDPR).
What do you need to do? Mainly it’s updates to your current documentation, covering:
- Internal policy – how privacy is handled inside the business, including appointing and naming a Privacy Officer, and monitoring for and notifying privacy breaches,
- External policy – how personal information is handled between your business and its customers/clients,
What’s new in the Act?
- Appointing a Privacy Officer (someone who understands the Act and is responsible for upholding it in your business),
- Mandatory notification of privacy breaches that have caused, or are likely to cause, serious harm, to the Privacy Commissioner and to the affected individuals,
- Penalties for breaches and non-compliance,
- Compliance notices, which the Privacy Commissioner can issue to require an agency to do, or stop doing, something,
- Extraterritorial reach: overseas businesses that carry on business in New Zealand are covered.
In addition, the 12 Information Privacy Principles (IPPs) have grown to 13 and are now:
Principle 1 – Purpose for collection of personal information
Personal information may only be collected for a lawful purpose connected with the agency’s functions, and only where collection is necessary for that purpose.
Principle 2 – Source of personal information
Personal information should be collected directly from the individual concerned, not from a third party, unless an exception applies.
Principle 3 – Collection of information from subject
If you collect personal information you must take reasonable steps to make the individual aware of:
- the fact that information is being collected; and
- the purpose for which the information is being collected; and
- the intended recipients of the information; and
- the name and address of:
  - the agency that is collecting the information; and
  - the agency that will hold the information; and
- if the collection of the information is authorised or required by or under law:
  - the particular law by or under which the collection of the information is authorised or required; and
  - whether the supply of the information by that individual is voluntary or mandatory; and
- the consequences (if any) for that individual if all or any part of the requested information is not provided; and
- the rights of access to, and correction of, the information provided by the IPPs.
Principle 4 – Manner of collection of personal information
Personal information must be collected lawfully, and by means that are fair and do not intrude unreasonably on the individual’s personal affairs (no coercion, deceit or trick questions).
Principle 5 – Storage and security of personal information
An agency must protect personal information with reasonable security safeguards against loss and against unauthorised access, use, modification or disclosure. Where the information is handed to another party to provide a service to the agency (a cloud or payroll provider, for example), the agency must do everything reasonably within its power to prevent that party misusing or disclosing it.
Principle 6 – Access to personal information
Those whose details you hold have a right to access their own personal information.
On request an individual is entitled to receive from an agency:
- confirmation of whether the agency holds any personal information about them; and
- access to their personal information.
Principle 7 – Correction of personal information
A person has a right to ask an organisation or business to correct information about them if they think it is wrong.
Principle 8 – Accuracy of personal information
An agency must take reasonable steps, before using or disclosing personal information, to ensure it is accurate, complete, relevant, up to date and not misleading.
Principle 9 – Retention of personal information
An agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.
Principle 10 – Use of personal information
Agencies may only use personal information for the purpose for which it was obtained (or a directly related purpose), unless an exception applies, such as the individual having authorised the other use.
Principle 11 – Disclosure of personal information
An agency may only disclose personal information in limited circumstances, for example where disclosure is one of the purposes for which it was obtained, or the individual has authorised it.
Principle 12 – Disclosure of personal information outside New Zealand
An agency may only disclose personal information to a person or organisation outside New Zealand if the individual has expressly authorised it after being told the recipient may not be required to protect the information, or the recipient is subject to the Act or to privacy safeguards comparable to it.
Principle 13 – Unique identifiers
An agency may assign a unique identifier to an individual only where it is necessary to carry out the agency’s functions efficiently, and must not adopt an identifier assigned by another agency as its own.
Full Act details can be found here http://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html
What else falls under the Privacy Act 2020? A lot more than you’d first consider. An example is surveillance cameras – we’ll cover that later.
While the Act has more enforcement and penalties prescribed, a big factor is the incentive to avoid the media attention that data breaches attract. It’s a great time to evaluate how your business handles data: where it is stored, who has and who can get access, and how you would detect unauthorised access. The breach notification obligation only works if you can tell that a breach has happened, which means monitoring and logging need to be in place before the incident, not after.
For a helping hand, reach out for a no-obligation discussion about what you need and what is best suited to your business. If we can’t help, we know those who can.