Privacy Act 2020

The new Privacy Act 2020 (the Act) came into force on 1 December 2020. The Act brings New Zealand in line with a global shift towards strengthening the protection of personal information and is responsive to the demands of the new digital landscape.

While the Act contains various new provisions, including a new Information Privacy Principle along with new compliance and enforcement powers for the Privacy Commissioner (the Commissioner), the fundamental features of the Act remain the same. Below are some of the changes you can expect to see under the new Act.

Mandatory reporting of privacy breaches

The Act introduces a privacy breach notification system. If an agency experiences a ‘privacy breach’ that has caused, or is likely to cause, ‘serious harm’, it will need to notify the Commissioner and affected individual(s) as soon as possible.

Privacy breaches involve unauthorised or accidental access to, or disclosure of, personal information. Agencies must report breaches where they pose a risk of serious harm to individuals.

Agencies assessing if the breach has reached the threshold of ‘serious harm’ must consider any action taken to reduce the risk of harm, the level of sensitivity of the information, the potential harm to the affected individual, who holds the information now and the security safeguards in place.

Failure to notify the Commissioner of a notifiable privacy breach is an offence and could result in a fine of up to $10,000.

Failure to notify affected individual(s) may be an interference with a person’s privacy under the Act. However, the Commissioner recognises exceptions to the requirement to notify, such as if it would be more harmful to tell the individual concerned about the breach or if there are other public interests to consider.

The Office of the Privacy Commissioner has created an online privacy breach notification tool, NotifyUs, to lodge notifications. This tool guides agencies through the process and the information required by the Commissioner.

Agencies should ensure they have robust systems in place to:

  • secure personal information held both in physical and digital forms; and
  • identify and report a breach.

Even if your agency only has a ‘near miss’, this is an opportunity to learn from the mistake and improve your systems to prevent any further breaches.

New powers of the Commissioner

The Act provides the Commissioner with enhanced powers including to:

  • issue compliance notices to agencies who have failed to adequately respond to and remedy a privacy breach; and
  • give enforceable access directions, to provide individuals access to their information.

Compliance notices will set out the steps required to remedy non-compliance with the Act and specify a timeframe for making the necessary changes.

The Commissioner may issue a compliance notice at the same time as dealing with the breach under other provisions of the Act. Failure to follow a compliance notice could result in a fine of up to $10,000.

The Commissioner will now be able to direct agencies to provide individuals access to their personal information, allowing for a faster resolution of complaints relating to information access under Information Privacy Principle 6. These access directions will be enforceable in the Human Rights Review Tribunal.

The Office of the Privacy Commissioner’s website provides detailed information and resources regarding access directions and what may be required of agencies.

Disclosing information overseas

The Act creates a new Information Privacy Principle 12 (IPP12), which regulates the way personal information can be sent overseas. The new principle only permits New Zealand agencies to disclose information to an overseas agency if the receiving agency is in a country where the information will be protected by comparable data protection laws (unless the disclosure is necessary because of a serious threat to health and safety, or for enforcement purposes where it is not reasonably practicable to comply with the requirements of IPP12).

Agencies will need to think carefully about where they are sending data and if this information will be adequately protected by overseas data privacy laws.

If there is a lack of comparable privacy protections, a disclosure may only occur if the individual concerned is fully informed and authorises the disclosure once made aware of the potential lack of protections.

The Office of the Privacy Commissioner’s website provides a detailed resource for understanding cross-border disclosure.

There is ongoing discussion regarding the applicability of IPP12 to cloud storage information. The Commissioner intends to provide further guidance on this. However, the consensus is that information sent to an overseas agency to hold or process on behalf of a New Zealand agency will not be treated as a disclosure under the Act.

Extraterritorial effect

The Act has extraterritorial effect. This means an overseas agency may be treated as carrying out its business in New Zealand for the purposes of its privacy obligations, regardless of whether the agency has a physical presence in New Zealand. As a result, the new Act will apply to global agencies such as Facebook or Google.

Managing information requests

The crux of the Act is an individual’s right to access personal information. In addition to the grounds for refusal carried over from the 1993 Act, the 2020 Act introduces new refusal grounds for agencies where the release of personal information:

  • about a victim of an offence would cause significant distress, loss of dignity or injury to their feelings;
  • would likely pose a serious threat to life, health, or safety; or
  • would create a significant likelihood of harassment of an individual.

These grounds each have a high threshold and recognise a range of situations where there will be conflicting interests at stake.

New criminal offences

The Act prescribes new criminal offences and increases the maximum penalty from a fine of $2,000 to a fine of $10,000.

Under the Act it is an offence to:

  • knowingly give false or misleading statements;
  • misrepresent one’s authority under the Act;
  • mislead an agency by impersonating another person for the purposes of obtaining access to that person’s personal information or having it used, altered or destroyed; and
  • destroy documents containing personal information knowing a request has been made for that information.

This is in addition to the existing offences of obstructing or hindering the Commissioner and failing to comply with a requirement under the new Act.

We encourage you to seek advice about what the Act and its obligations mean for you.