Overhaul of the Privacy Act — New changes coming into force 1 December 2020

30 November 2020

The privacy framework in New Zealand is due for its first major overhaul since the commencement of the Privacy Act 1993.

On 1 December 2020, the Privacy Act 2020 (new Act) will come into force. The aim is to update the framework so it is better suited to the digital landscape in which we operate in New Zealand, including information shared on platforms such as social media and cloud-based services.

The main changes in the new Act are:

  1. New grounds for withholding personal information;
  2. New privacy breach notification obligations;
  3. Additional powers of the Privacy Commissioner;
  4. New criminal offences; and
  5. New Information Privacy Principle regarding cross-border disclosures.

Any request that has not been dealt with before 1 December 2020 will be subject to the conditions and obligations of the new Act, even if the request was made before that date.

Refusal grounds

There are now three additional refusal grounds available to agencies under the new Act when assessing access requests under Information Privacy Principle 6.

An agency may refuse to disclose personal information where its release:

  1. Would be likely to pose a serious threat to the life, health, or safety of any individual; or
  2. Would create a significant likelihood of serious harassment of an individual; or
  3. Is about the victim of an offence and would cause significant distress, loss of dignity, or injury to their feelings.

Privacy breach notifications

Under the Privacy Act 1993, the Privacy Commissioner received voluntary notifications regarding privacy breaches.

The new Act requires mandatory notifications of privacy breaches that are likely to cause serious harm to individuals. The new Act sets out factors that an agency must consider when determining whether there is a likelihood of serious harm arising from the breach.

NotifyUs is an online tool created by the Office of the Privacy Commissioner. It includes a self-assessment to help organisations that have experienced a data breach establish whether the breach has caused, or is likely to cause, serious harm. Factors taken into consideration when assessing whether serious harm is likely or has been caused include:

  1. The sensitivity of the information in question
  2. Actions taken by the agency to reduce the risk of harm
  3. The nature of the harm that may arise
  4. The recipient that has or may obtain the personal information as a result of the breach
  5. What security measures have been placed on the information (e.g. encryption or password protection)

We have written a separate article on the new obligation of mandatory breach notifications that you can read here.

Additional powers of the Privacy Commissioner

The Privacy Commissioner now has additional powers under the new Act. These include:

  1. The ability to issue compliance notices to agencies that it considers to be in breach of the new Act. The notice will specify the breach and require the agency to take steps to remedy it within a specified timeframe; and
  2. The ability to issue access directions where an individual has made a complaint about a request for access to their personal information. The direction can require an agency to provide specific information to the individual. An agency is able to appeal the direction to the Human Rights Review Tribunal. If the direction is not appealed and the agency does not comply with it, the Privacy Commissioner can apply to the Tribunal for an access order.

Criminal offences

Under the new Act, it will become a criminal offence (among other things) to mislead an agency by impersonating an individual, or by falsely pretending to act with that individual's authority, in order to gain access to their personal information. It will also become a criminal offence to alter or destroy a document containing personal information, knowing that a request has been made for that information.

Each of these new criminal offences carries a fine of up to $10,000.

Cross-border disclosures

The new Information Privacy Principle 12 deals with cross-border disclosures of personal information. An agency must now complete due diligence before disclosing personal information to an overseas organisation, and must be satisfied that the information will be subject to privacy safeguards comparable to those in the new Act.

An agency should only disclose information to an overseas organisation if:

  1. The overseas organisation is covered by privacy laws that provide comparable safeguards to the new Act; or
  2. The disclosure is accompanied by contract clauses between the parties to ensure that privacy principles are applied; or
  3. The overseas organisation is “carrying on business in New Zealand” and is therefore covered by the new Act; or
  4. The individual authorised the disclosure after being made fully aware of the potential lack of privacy protections.

There are some exceptions to the application of this new rule. If the overseas organisation is only storing or processing the information on the agency's behalf (for example, a cloud hosting provider), the transfer is not classed as a disclosure, and the principal agency is deemed to still hold the information in question.

Privacy Officer

The new Act carries over the requirement that every agency appoint a Privacy Officer. It now expressly allows an agency's Privacy Officer to be either an internal or an external appointment (for example, an external appointment could be a lawyer). The responsibilities of a Privacy Officer include encouraging the agency to comply with the Information Privacy Principles, dealing with requests made under the new Act, working with the Privacy Commissioner in relation to investigations, and ensuring the agency is complying with the provisions of the new Act.

Our Commercial Disputes and Employment Team is here to assist with any privacy queries, or to assist as your organisation’s Privacy Officer.

Sam Hood is part of our Commercial Disputes & Employment team at Norris Ward McKinnon.

Commercial Disputes & Employment Team