New Zealand’s New Privacy Act Commencement Looms
New Zealand update.
New Zealand’s Privacy Act 2020 comes into force on December 1st, bringing with it greater enforcement powers and penalties and some new obligations. The new Act brings New Zealand’s privacy laws more closely into line with Australia’s.
New obligations will control cross-border personal information disclosure more tightly, and require certain privacy breaches to be notified, both to affected individuals and the Privacy Commissioner’s office.
Cross-border transfers of personal information are now regulated on two tracks.
For disclosures to third parties who are not processing the information for themselves, but are acting only as an agent of the discloser, the rules are unchanged. In those circumstances the discloser must take responsibility for the acts of its agent, and so agencies will need to consider whether their contractual arrangements with, for example, cloud service providers, give them what they need. Do those agreements require the provider to notify you of a breach, for example?
On the other track, disclosures to overseas parties are prohibited unless the discloser has reasonable grounds to believe that equivalent privacy protections apply. Equivalency can be established through local law or contractual protection, but the new rules require agencies to turn their minds to what will happen to personal information transferred offshore in more detail than has previously been necessary.
Mandatory breach notification in cases of serious harm
Mandatory notification of breaches has been the most widely discussed element of the new legislation. The Privacy Commissioner and all affected individuals must be notified where a breach has, or may have, caused serious harm unless one of a very limited range of exceptions applies.
Consistent with the Australian approach, the test of what constitutes “serious harm” in cases of breach has been left up to agencies to work out. The scope of “breach” is very wide, meaning agencies must consider notification not just in cases of unauthorised disclosure of personal information, but also of unauthorised alteration or deletion, or loss of access to that information.
The Office of the Privacy Commissioner has released some guidance as well as a breach reporting tool, but the guidance is high-level.
Agencies will need to have a breach management plan designed and ready to go so that they can move quickly to determine the scope of the breach, contain it, calculate the risk of harm and notify (if necessary) the Commissioner and the affected individuals.
Fines, awards, and bolstered Commissioner powers
On top of the ever-present reputational costs of privacy breaches, the new Act imposes a fine of up to $10,000 for failing to notify the Commissioner when notification is required. It remains to be seen how the Human Rights Review Tribunal will approach awards where an individual is not notified as required. The Tribunal’s powers reach to $200,000 per individual, although it has seldom wielded those powers to their full extent to date.
The Commissioner’s teeth have been sharpened by the addition of powers allowing him to issue directions and require information from agencies. Failure to comply with those orders also carries fines.
Before December 1st
Make sure you have reviewed your overseas disclosures for compliance with the new rules.
Establish a breach management plan to give you a game plan if something does go wrong. Make sure it is clear in your agency who will make the call about serious harm and notification.
By Guy Smith, Senior Associate, Duncan Cotterill