The long-awaited Privacy Act 2020 will come into effect on 1 December 2020, replacing legislation on the books since 1993. The 1993 Act has long been considered outdated, because it never contemplated the explosion of technology since the 90s, nor the almost limitless ability of agencies to collect information.
While the Act is intended to make privacy laws “fit for purpose”, much of the Act retains a similar structure to existing legislation. However, aspects of it draw on overseas developments, particularly 2018 European Union data privacy laws.
The Information Privacy Principles (IPPs) which underpin the Act are broadly the same as at present. Agencies collecting and storing personal information will face similar obligations. Requests for access to personal information still have to be addressed as soon as reasonably practicable, but no later than 20 working days after receipt of a request.
Of note is the following:
An agency must notify the Privacy Commissioner and affected individual(s) of a “Notifiable Privacy Breach” as soon as practicable. This is a privacy breach that “is reasonable to believe has caused or is likely to cause serious harm”.
This may well prove to be a fraught issue for an agency caught up in the maelstrom of a privacy breach. Not all privacy breaches have to be reported. Further, “serious harm” is not defined. In assessing the likelihood of serious harm, the Act sets out mandatory factors to consider, including whether the agency has taken any action to reduce the risk of harm following the breach, and whether the information is sensitive (e.g. medical records). This could prove contentious, and of course is untested.
Currently, the Privacy Commissioner has no ability to force an agency to provide access to personal information if it has been refused. Under the new Act, the Privacy Commissioner will have such powers, which can be backed up by financial penalties, giving the Privacy Commissioner more teeth to deal with reluctant agencies.
There are now additional grounds for refusing requests for personal information. An agency may refuse if disclosure would be likely to:
- pose a serious threat to the life, health, or safety of any individual, or to public health or public safety;
- create a significant likelihood of serious harassment of an individual; or
- cause significant distress, loss, or injury to feelings for someone who is the victim of an offence or alleged offence.
Agencies will now have additional obligations to ensure personal information sent to an overseas person or entity is either subject to the New Zealand Act (because the entity carries on business in New Zealand), or is subject to comparable overseas privacy standards to those in New Zealand.
While much of the Act is similar to current law, now is a good time to get ready for the new Act by reviewing and updating existing privacy policies, and processes for dealing with requests for access to personal information. It is also worth considering how your organisation might respond to a future privacy breach, and who would be responsible for dealing with the fallout.