On 1 December 2020, New Zealand’s updated Privacy Act comes into force. Here’s what AML businesses need to know to prepare for the changes.
The world in 2020 is almost unrecognisable compared to 1993 when the first Privacy Act was passed. The Privacy Act 2020 significantly modernises New Zealand’s privacy law and recognises the enormous technological advances of the past 27 years.
The new Act, like its predecessor, is based on information privacy principles that set broad standards around how organisations can collect, use, store, and share people’s personal information.
The updated Act gives the Privacy Commissioner additional powers including:
- The ability to issue compliance notices to compel organisations to do something – or stop doing something.
- The power to direct organisations to give individuals access to their personal information.
“There are new criminal offences for non-compliance and new fines. Some behaviour which has been optional will now become mandatory.”
New Zealand companies engaged in international trade need to get up to speed with the changes. The Privacy Act 2020 contains a new information privacy principle (IPP), principle 12, which sets rules around sending personal information to organisations or individuals outside of New Zealand.
Sending personal information overseas is known as “cross-border disclosure”. Businesses and organisations are now responsible for ensuring that any personal information they disclose to organisations outside New Zealand is adequately protected. They must demonstrate that they have undertaken necessary due diligence before making a cross-border disclosure.
Personal information may only be disclosed to an offshore organisation if that organisation is:
- Subject to the Privacy Act because they do business in New Zealand.
- Subject to privacy laws that provide comparable safeguards to the Privacy Act – or they agree to protect the information in such a way (for example, by using ‘model contract clauses’).
- Covered by a binding scheme, or subject to the privacy laws of a country prescribed by the New Zealand Government.
If none of the above criteria apply, a business or organisation may only make a cross-border disclosure with the permission of the person concerned. That person must be informed that their information may not be given the same protection as provided by the New Zealand Privacy Act.
A business or organisation may send information to an overseas organisation to hold or process on their behalf as their ‘agent’. This will not be treated as a disclosure under the Privacy Act.
A typical example of this is an overseas company providing cloud-based services for a New Zealand organisation. The latter will be responsible for ensuring that their agent – the overseas company – handles the information in accordance with the New Zealand Privacy Act.
A business or organisation may need to make a cross-border disclosure in certain urgent circumstances where it would not otherwise be allowed. IPP 12 allows cross-border disclosure when it is necessary to maintain public health or safety, to prevent a serious threat to someone’s life or health, or for the maintenance of the law.
What else you need to know
If a business is issued with a compliance notice, it will have the opportunity to respond before it is finalised. Once finalised, the business can still appeal to the Human Rights Review Tribunal.
If the business loses its appeal and does not comply, or does not comply and does not appeal, it can be fined up to $10,000.
Because the new Act incorporates new criminal offences – with potential fines of up to $10,000 – businesses will now take on more financial risk when dealing with personal information.
The following behaviours are offences under the new Act:
- Failing to comply with a compliance order from the Privacy Commissioner.
- Misleading an agency to get someone else’s personal information.
- Destroying someone’s personal information after they have requested access to it.
- Failing to alert the Privacy Commissioner about a serious privacy breach.
Use the NotifyUs tool
For businesses, one of the key changes to the Privacy Act is mandatory privacy breach notification.
This means businesses must notify the Privacy Commissioner, and affected individuals, if there’s a privacy breach that has caused serious harm – or could cause serious harm.
But how is “serious” defined? How does a business know if a privacy breach is serious enough to report?
The Office of the Privacy Commissioner has developed a new tool on its website called NotifyUs, which businesses can use to report privacy breaches. The NotifyUs tool helps businesses assess whether a breach is notifiable or not. Organisations or businesses that fail to notify privacy breaches can be fined up to $10,000.
Here’s what to do now
It’s not too late to adjust to the changes within the Act. Here’s what you can do today:
- Review the personal information your business holds and your information management practices. For example, can you provide someone with their personal information in a timely manner if requested?
- Develop a privacy breach response plan – who needs to be aware and involved?
- Consider any process changes you might need to make to incorporate the changes to the Privacy Act, such as mandatory breach notification.
- Assign someone in your business the role of privacy officer.