In a number of weeks on December 1, 2020 amendments to New Zealand’s privacy laws come into effect. On June 30, 2020 the Privacy Bill, which amends the Privacy Act 1993, received Royal Assent.
The Privacy Bill and Act applies to anyone doing business in New Zealand regardless of where you live. The changes are significant and include:
- Making it mandatory to report data breaches.
- Restrictions to cross border transfers of personal information.
- Clarifying extraterritorial scope.
Mandatory reporting of data breaches
Under the new mandatory reporting, organisations must report data breaches to the Privacy Commissioner and to the individuals affected where they cause or could cause serious harm. The Privacy Act offers guidelines for assessing serious harm such as:
- What harm affected individuals could suffer.
- The action taken to minimise the risk following a data breach.
- How sensitive the personal information is.
- If known, who accessed, or could access, the personal information after the data breach.
- What measures were in place to protect personal information.
While you can delay notifying individuals of a data breach in some circumstances, protecting your reputation is not an acceptable reason for a delay.
Cross-border data transfer restrictions
The Privacy Bill includes restrictions on cross border data transfers. You must have permission from individuals to transfer personal data outside of New Zealand. Before transferring any data, you must also check the receiver has similar privacy standards as New Zealand.
One important exception is when transferring data to a cloud provider. Transferring data to the cloud does not usually mean you are disclosing personal information overseas. This is particularly important as there are currently no cloud data-centres in New Zealand.
Clarifying extraterritorial scope
The Privacy Act will apply to anything an overseas organisation does as part of doing business in New Zealand. It does not matter from where you collected the information or where the individual resides.
The Privacy Act considers you as carrying out business
- Whether you have a physical presence in the country or not.
- Charge for goods and services.
- Profit from doing business in the country.
The amended Act gives the Privacy Commissioner enhanced powers including:
- Shortening the amount of time you have to comply with an investigation.
- Penalties for noncompliance increasing from $2000 to $10,000.
The new amendments also introduce the potential for criminal penalties and class actions in some circumstances.
Are you ready?
December 1 is only a few short weeks away. Are you ready for the Privacy Bill amendments to come into force? You may need to update your information security systems and processes in order to comply.
Contact us now to find out more about the changes and to check whether your organisation will be ready to comply. You need to prepare for the new privacy laws now before it is too late.