It’s not just the reputation of your business that will suffer!
The protection of personal information has been a hot topic in New Zealand since the introduction of the new Privacy Act in December 2020. Key changes to the old Act include:
1. Notifiable Breaches
Organisations are now required to report serious privacy breaches to the Privacy Commissioner and to any affected people.
A privacy breach occurs when an organisation or person intentionally or accidentally gives unauthorised access to, discloses, changes or destroys someone’s personal information.
A “serious” privacy breach is a breach that is likely to cause, or has already caused, serious harm to an individual.
The Privacy Commissioner has said that reports should be made within 72 hours of a serious breach occurring. Organisations will also be expected to take steps to assess and contain the breach during this period.
2. Compliance Notices and Access Directions
The Privacy Commissioner now has powers to issue Compliance Notices and Access Directions.
A Compliance Notice will contain an order that requires an organisation or person to do something or to stop doing something.
An Access Direction will contain a binding notice for an organisation or person to give an individual access to their personal information.
If an organisation or person disagrees with a Compliance Notice or Access Direction, they will need to appeal it to the Human Rights Review Tribunal.
3. Criminal Liability
The new Act introduces several criminal offences, including the offences of misleading an organisation or person into providing someone’s personal information, or destroying personal information after someone has asked for it.
If a person is convicted of an offence under the new Act, they may be liable to a fine of up to $10,000.
4. Overseas Disclosure
The disclosure of personal information across jurisdictions is now only lawful if the organisation carries on business in New Zealand, if the country that they carry on business in has a privacy regime that is similar to ours, or if the organisation agrees to protect the information.
If none of the above protections apply, the individual must have provided consent before any information is disclosed, and they must have been informed of the potential risk.
In the age of the internet, data and the constant exchange of information, we expect that businesses will keep our personal information safe. Now, failure to do so may result not only in serious harm to the reputation of your business but also in consequences under the new Act.
You should take the time to develop key privacy processes and to train your staff so that the entire organisation meets its obligations.
If you are unsure whether the way that you collect, store, and use personal information complies with the Privacy Act 2020, get in touch with Grace Moore, Senior Solicitor (DDI 03 343 8452 / email@example.com).