New Zealand’s new Privacy Act – Key changes to protect personal information

Restrictions on disclosing information overseas

Organisations may now only disclose personal information to a third party or other organisations outside of New Zealand, if the third party is subject to similar safeguards as defined in the new Privacy Act.

If the jurisdiction does not offer these protections, impacted individuals must be notified and must consent prior to the disclosure.

New Regulatory Powers and Penalties

The Privacy Commissioner is now able to issue compliance notices to organisations to compel them to take action or refrain them from doing something, in order to comply with the new Act.

If an organisation refuses an individual access to their information, the Commissioner is now able to direct organisations to do so via an enforceable access direction.

Failure to comply with either an enforceable access direction or compliance notice can result in a fine of up to NZ$10,000.

The Act also introduces new criminal offences. Of note, it is now an offence for organisations to destroy personal information, knowing that a request to access it has been made. Similarly, failing to notify the Commissioner of a notifiable data breach without reasonable excuse, can also result in criminal charges.

Changes introduced in the new Act mean that organisations in New Zealand, or those businesses from abroad who choose to do business in New Zealand, need to take steps to better manage and protect personal information.

Susan Bennett, Executive Director of Information Governance ANZ, points to the continuing significant changes being made in global privacy regulations since the European’s Union GDPR came into force two years ago, and the increasing focus that is being placed on the protection of personal information.  “The New Zealand Privacy Act 2020, bookends a year of further changes in privacy regulations, commencing with the California Consumer Privacy Act  (CCPA) coming into force, the release for comments of the draft Personal Data Protection Law of China,  and the amendments made to South Korea’s Personal Information Protection Act and the Network Act.  Australia is also undertaking a review of the Privacy Act 1988 and a second consultation on outcomes from the preliminary review is due to occur in early 2021.”  

Ms Bennett goes on to explain that “these regulatory developments all highlight the need for organisations to implement good information governance.  In particular, it requires organisations to focus on data minimisation – by collecting and storing personal data that is limited to what is necessary and relevant to fulfil your stated purpose – this means, you do not hold more information than you need for your organisation’s stated purpose. The benefits of robust information governance and data minimisation include increasing customer trust and reducing information security threats and data breach.”

Ultimately, good information governance means understanding the types of information you hold, the repositories in which they are kept and managing the disposal of personal information, planning for data breach incident response, and ensuring roles and responsibilities for protecting and managing information are defined.

It pays to be prepared. Familiarising yourself with the basics of the new Act by taking some of the Commission’s free e-learning modules and working with trusted advisors will help ensure you remain compliant.