New Zealand recently passed a new privacy bill to update its original Privacy Act 1993. The Privacy Act 2020 will go into effect in December with three major changes to better protect and promote the privacy of its people. While it’s kept many of the same principles in an effort to keep a lid on all data, this law includes additional verbiage on who is included under the measure and how certain measures will be enforced. We’ll go over the key differences, so you can prepare for what’s ahead.
1. The Act Applies to More Businesses
This act applies to any New Zealand-related agency where personal information is collected or held, regardless of where the data is stored or where the individual is located. It’s not just major organisations that are subject to these rules — almost every person and business in the country will be held liable for these standards.
This change was essentially created to prevent entities from finding loopholes based on technicalities or gaps in the original language. It’s also taken steps to ensure that businesses are more proactive about detecting and disclosing a breach. Officials were seeing strong patterns of entities waiting for people to complain before responding to their concerns.
The Privacy Act 2020 includes new guidelines and restrictions that will better protect all data held overseas. These updates were introduced to ensure the country conforms to international best practice recommendations. Essentially, the government wants to guarantee the security of a resident’s data, regardless of who they choose to do business with.
Now, all entities operating within New Zealand are subject to the same privacy laws, even if they store the information offshore. All New Zealand-based companies will be required to verify the protection laws of any foreign entity with which they do business. If a New Zealand-based business finds that one of its partners does not adhere to similar laws, it will be in violation of the terms of the act.
Similarly, the law also applies to all digital platforms that may be operated from overseas. Any business conducting activity in New Zealand using New Zealanders’ personal data must comply with the laws. In other words, an entity does not need to have a physical or legal establishment within the country to be held accountable for the new act.
Finally, this law has expressly borrowed from some of the same tenets as GDPR regarding who the bill applies to. If two agencies are working together, one is not excluded from this law so long as both agencies have access to the same data. Both agencies that hold the information shall not display or disseminate it on any public medium (e.g., periodicals, the internet, broadcasting, etc.).
If a third-party marketing agency collects ethnicity data from a survey and shares it directly with the marketing department of a soda company, both agencies would be considered holders of the information and both would be subject to the same rules under the new Privacy Act.
2. The Privacy Commissioner Can Take Stricter Enforcement Measures
If you compare the old and updated bills, you’ll see that many of the redundant parts of the old law have been removed, making it easier to interpret each clause. In addition to streamlining the language, it’s also clarified who will be overseeing the enforcement of the act and what the consequences will be for violating the terms.
The Privacy Commissioner is available to both advise the Parliamentary Under-Secretary and enforce Principle 12 of the new law. (This principle is related to how individual identifiers are established, used, and disclosed.) Its measures include the following:
- Agencies cannot require identifying information from individuals if they cannot show a lawful purpose for doing so.
- Agencies must take into account vulnerable populations (e.g., children, etc.) when collecting information and adjust their policies as such.
- Agencies must clarify to individuals that they can access personal data upon request.
- Agencies must ensure that all information is as up to date as possible.
- Agencies must issue a statement of correction if they’re unable to correct data according to an individual’s request.
It’s the commissioner’s job to interpret these statements and apply the principles to a wide variety of matters. Should an entity commit an offense, the maximum fine under the act is $10,000. This could include any misleading statements that affect a New Zealander’s personal information, a refusal to destroy data against a person’s request, or a refusal to release personal information upon request.
These new updates may lead more companies to reexamine how they do business in order to better comply with the laws. For instance, an agency might change its policies for presenting information to a young child when it needs consent for data. An 8-year-old may require both written and graphic representation of the request to really understand what they are consenting to.
It should be noted that there is some degree of flexibility built into the laws. The Privacy Commissioner will consider any and all good-faith efforts that an agency has put forth to comply with the Privacy Law before making a final ruling.
3. A Data Breach May Be Considered Criminal If It Harms Individuals
The new bill defines a notifiable privacy breach as one that has caused harm or is likely to cause serious harm to an individual or group of individuals. If a company or business does experience a harmful breach, they must notify both the affected parties and the Privacy Commissioner.
(The law does include provisions for delaying notification of the affected individuals, such as when notifying would itself pose a clear security risk to personal information. To qualify for this exemption, an agency would need to show that the risks outweigh the benefits before deciding to delay informing the public.)
One of the most common ways for an agency to be held legally liable is if they fail to enforce strong enough data protection regulations.
One of the most well-documented breaches that could fall into this category was uncovered in 2019, when nearly a million New Zealanders were potentially put at risk of having their medical data exposed. This occurred after a website of Tū Ora Compass Health was compromised by cyber hackers.
Investigators found that there had already been several attacks on the system beginning in 2016. After carefully assessing the situation, both Tū Ora and the Ministry of Health were unable to determine for certain whether the information was accessed by criminals.
However, if the criminals had gotten their hands on it, they would have found individuals’ names, ethnicity, dates of birth, National Health Index Numbers, and maybe even information related to chronic conditions or other personal health data. Under the new law, this incident could have resulted in a criminal charge against Tū Ora.
Legislation is not here to make life more difficult, even if it sometimes seems that way. The best way to handle it is not to study the language and look for gaps, but to find preventative measures that go the extra mile.
Finding the right software can go a long way toward establishing a system of checks and balances on compliance that ultimately protect companies from breaches, challenges, and criminal investigations. If you want to learn more about how to be proactive, GDPR365 might be the right solution for you.