Hit enter to search or ESC to close
1 July 2020
What the Privacy Act changes mean for SMEs in New Zealand
A major overhaul to New Zealand’s privacy legislation passed its third reading in Parliament last week, and will come into effect on 1 December 2020. The new Privacy Act delivers an updated legal framework for the protection of information, which includes mandatory reporting for data breaches. Crombie Lockwood’s partner in cyber related claims Wotton + Kearney helps make sense of the changes in New Zealand's privacy legislation and what they mean for businesses.
The new framework contains a comprehensive suite of reforms, based on the same Organisation for Economic Co-operation and Development (OECD) principles that underpin the likes of the EU’s General Data Protection Regulation (GDPR) and 2019 amendments to Australia’s Privacy Act 1988.
The biggest change to the Act is the requirement for businesses to notify the Privacy Commissioner of a privacy breach.
The Act reaffirms the 12 existing privacy principles, which include requirements that personal information is only collected for lawful purposes, is stored securely, and is not held for longer than required.
The existing principles also include rights to access and correct personal data, as well as the right to receive information about processing of personal data.
The new privacy principle puts restrictions on the circumstances where personal information may be disclosed to individuals or entities outside of New Zealand.
The revised Act states that businesses will need to notify regulators of privacy breaches that cause, or are likely to cause, “serious harm” to affected individuals. Under the Act failure to notify the Privacy Commissioner of a notifiable privacy breach (without reasonable excuse) is an offence with a fine of up to $10,000.
“The notification requirement will be completely agnostic. This means that the notification requirements will apply to any agency who holds personal information,” says Wotton + Kearney Senior Associate, Joseph Fitzgerald.
“The important thing to remember for SMEs, is that it doesn’t matter whether you have a customer database, an employee register with health and salary information on it, or even whether you’re a school with student and parent information on file; breach notification obligations will apply to you.”
In this regard, the Act will not differentiate between a national company with multiple regional offices and several hundred staff, or a local lawn mowing contractor who holds the email addresses of a handful of clients.
Breach notification obligations will apply under the revised Privacy Act, whatever the size of your business.
What businesses can do to prepare for changes to the Privacy Act
Joseph says that the best way businesses can prepare themselves ahead of the Act coming into effect is to ask themselves, ‘what information do we have?’ ‘what do we have it for?’ and ‘how long have we had it?’.
“The Privacy Act reform certainly places a substantial compliance burden on companies that may not have considered this before, so it will pay to take stock; review privacy policies, think about a cyber-attack response plan and look at cyber insurance if they don’t already have it as part of their business insurance policy.
“Above all, I’d recommend any company that is unsure of where they stand or what their obligations are to seek advice before the law change comes into effect in December.”
Joseph says the ramifications for all New Zealand businesses remain far-reaching.
“In effect, it's very much like the health and safety movement, in that businesses will be forced to get their ship in order,” he says.
“There is no corner of New Zealand commerce that gets to sit back and avoid the outcomes of the Privacy Act changes.”