
NZ Privacy Act Updates - 1 Dec 2020

-As published by OpenHost

The updated Privacy Act is a response to the advent of the Internet. The Internet has brought instantaneous communication that breaks down distance-related barriers, individuals coordinating efforts across the globe, and an open tether for individuals and businesses to access much of the same online technologies. For governments, on the other hand, the Internet risks exposing citizens to unprecedented interactions that weren’t conceived of at the 1993 drafting.

The Privacy Act 2020 also taps into the reputational risk that comes with operating in a small country – essentially telling businesses, ‘do the right thing and protect customers’ information or else be outed’. New Zealanders tend to place a lot of faith and trust in businesses. Our high degree of social connectedness puts greater pressure on organisations to do the right thing.


For individuals and customers, the Act provides new tools to enforce rights. It undoubtedly means that organisations must take their privacy obligations more seriously. For businesses, it means action is needed to check the right privacy systems are in place and all staff understand their obligations.

Harmful privacy breaches

Under the new Act, a privacy breach is identifiable when it has caused, or could cause, serious harm to an affected individual. It is essential that a privacy breach that is causing, or could cause, serious harm is immediately notified to those individuals and to the Privacy Commissioner.

Exceptions to this obligation include the possibility that this notification could result in further breaches, or could prejudice an individual’s health. At the other extreme, if the risks are serious, as in threatening to the individual’s life or health, organisations are also expected to let individuals know the details of any person or organisation in possession of their information.

Customers and individuals have more rights under the new Act, for example for the first time being able to begin proceedings in the Human Rights Review Tribunal as a class action.

It’s not just New Zealand companies who’ll be subject to the Act. Also counted will be overseas companies seen to be doing business in New Zealand — regardless of whether they have a physical office in New Zealand or not.

Compliance notices

The Commissioner has new powers to issue businesses with a notice that they are considered to have breached the new Act, and to require them to take action to remedy the breach. Organisations that fail to follow a compliance notice, or mislead an organisation in a way that affects personal information, may be liable for fines of up to $10,000, considerably up from the maximum $2000 in the 1993 Act.

The Act widens the powers of the Commissioner. The Commissioner will have the power to publish compliance notices for breaches. Compliance notices will be made public, unless the Commissioner believes it is in the public interest to withhold them.


The future of New Zealand privacy law – up for debate

While maybe not transforming New Zealand’s privacy laws as radically as other countries, the Privacy Act 2020 is undoubtedly a step forward. It sets out non-exhaustive factors businesses should consider when deciding what is likely to cause serious harm, but falls short of actually defining what ‘serious harm’ is.

Things will become clearer as cases start to be decided by the courts once the Act comes into force. In the meantime, if you’re a Kiwi business, you’re advised to err on the side of caution when figuring out what the category of ‘serious harm’ could cover. You wouldn’t want to be caught in the crossfire.

Written by Cat Mules
Cat is Umbrellar Connect's Digital Journalist, coming from a background in tech reporting and research. Cat's inspired by the epic potential of tech and helping kiwi innovators share their success stories.

Source: Umbrellar Connect
