New Privacy Act comes into force in December
The Privacy Bill is on its third reading in Parliament and will now become law on 1 December 2020. It will repeal and replace the current Privacy Act 1993, and will update the law to reflect the continually-evolving needs of the digital age.
Why new legislation?
Your personal information is stored in many places by organisations such as businesses, government agencies, healthcare providers, financial institutions, social network platforms and telecommunications companies (called 'agencies' in the new legislation).
Technology has enabled large quantities of personal information to be stored, retrieved, used and disclosed; the current law does not address how your personal data can be properly protected. The new legislation aims to provide more protection of personal and sensitive information.
The changes relate to both agencies and individuals. Major features are:
- Reporting data breaches: if an agency has a privacy breach posing a risk of serious harm to people, it must notify the people affected and the Privacy Commissioner
- Compliance notices: the Privacy Commissioner will be able to issue compliance notices to an agency to require it to do something or stop doing something, to comply with privacy law
- Decisions on access requests: if a complaint is made about being unable to access certain information, the Privacy Commissioner will make a decision on the complaint. However, this decision can be appealed to the Human Rights Review Tribunal
- Strengthening overseas connections: at least one permitted category must be satisfied for an agency to disclose information to an overseas agency. In terms of cloud storage, this isn't considered a disclosure for the purposes of the privacy principles, but the disclosing agency is responsible for the cloud storage provider's compliance with the Act, and
- New criminal offences: these include misleading an agency to obtain access to another person's information and destruction of documents by an agency which has been asked to provide information by the person entitled to it. The level of fines has been raised to a maximum of $10,000.
What is a privacy breach?
A privacy breach occurs when someone collects, uses, stores or discloses personal information contrary to the privacy principles, such as accessing personal information without permission, failing to comply with the request for specific information or not using your contact details for the purpose for which they were collected.
An example of a privacy breach could be when an unauthorised person accesses your personal information, such as your banking details, and your credit card is used unlawfully.
In business, a breach could occur when an agency incorrectly disposes of confidential documents containing personal information, and that data becomes public.
Privacy laws are important
The recent COVID requirements, where for example, information was provided to a restaurant when dining out, have highlighted the importance of privacy laws. We, as individuals, have become more aware that we entrust others with our private data and, as a result, we have an increased awareness of compliance with privacy legislation in New Zealand.