Notification of privacy breaches
The biggest headline change is the new Privacy Act introducing a privacy breach notification regime. If your organisation is involved in a privacy breach that you believe has caused (or is likely to cause) “serious harm”, you must notify the Privacy Commissioner as soon as practicable. You will also need to notify affected individuals. It will be an offence to fail to notify the Privacy Commissioner of notifiable privacy breaches.
A “privacy breach” encompasses unauthorised or accidental access to or disclosure of personal information, and an action that prevents an agency from (temporarily or permanently) accessing information. This is likely to include situations such as “ransomware” attacks where your systems are hacked to lock you out, rather than necessarily stealing your information.
“Serious harm” will be assessed by considering the sensitivity of the information lost, actions taken to reduce the risk of harm, the nature of the harm that could arise, the existence of security measures to protect it (e.g. encryption), and the person or entity who has or may have access to the information. Other matters may also be relevant.
The notice to the Privacy Commissioner must outline certain points regarding the impact of the breach, and mitigations employed. If the breach involves a cybersecurity event, the Privacy Commissioner is likely to also recommend disclosure to CERT NZ, New Zealand’s cybersecurity support and advice agency.
Affected individuals must also be notified, either directly or by public notice.
All organisations should review their current internal rules and policies for data and privacy breaches to ensure that the privacy officer learns of issues as soon as possible and can establish whether the breach involves personal information, whether it is serious, what has been done to mitigate the impacts, and whether it is a notifiable breach. Figuring this out in the middle of a privacy breach will be much more difficult.
Transferring personal information internationally
A brand-new privacy principle 12 has been added to the new Privacy Act to regulate the way personal information can be disclosed overseas. Principle 11 sets out the grounds under which personal information can be disclosed; new Principle 12 adds additional safeguards to some of those permitted grounds for disclosure when that disclosure is made to a person overseas.
The broad intent of these new safeguards is to ensure that personal information being sent out of New Zealand will be subject to privacy protections similar to the new Privacy Act. Organisations must either:
- Carry out due diligence on personal information transfers to ensure the recipient is subject to the Privacy Act or comparable privacy protections; or
- Expressly inform the affected person that their personal information may be transferred internationally, and that the privacy protections applicable to the transferred information are not comparable to New Zealand’s.
Cloud-based services and data processors
If you are familiar with the European General Data Protection Regulation, you will have come across the idea of “data controllers” and “data processors”. The new Privacy Act doesn’t go into this level of detail but does introduce a new section 11 that provides a mini data processor regime. Under section 11, sending information to another organisation to hold or process on your behalf is not treated as a disclosure or transfer of information in most circumstances. Importantly, this means that you, and not your cloud service provider, are responsible for holding and managing personal information in accordance with the Privacy Act. This includes reporting privacy breaches.
However, if that provider “uses or discloses the information for its own purposes” then the Privacy Act will apply to it in respect of its own activities. And principle 12 (as outlined above) will apply to any transfer overseas from you to that provider. It’s not clear yet what “using or disclosing information for its own purposes” means, so taking a conservative view seems sensible.
So if you’re sending personal information offshore, you need to carefully consider who you are sending it to, what protections apply, what they do with the information, and who is responsible for what in the event of a breach.
Changes to privacy principles
The language of the new Privacy Act has been updated, but the majority of the privacy principles have not materially changed. Two of the more significant changes are to principles 1 and 4.
Privacy principle 1 has a new emphasis on only collecting personal information when necessary – if you can achieve your objective without collecting personally identifying information, you should not collect it. This is not a new concept, but the Select Committee considered it needed further emphasis. The Privacy Commission’s training modules give the example of an organisation carrying out a survey of people as to how they heard about an event to help the organisation advertise future events. While it is perfectly acceptable to ask “how did you hear about this event?”, requesting any further identifying information (even names) is not necessary for the purpose and so should not be collected.
Privacy principle 4 will require organisations to collect information from children and young people fairly and non-intrusively (not just having regard to their vulnerability). This is consistent with increased international attention on privacy issues concerning children and young persons.
Territorial effect
The new Privacy Act has extraterritorial effect. This means that the Privacy Act will apply to:
- an overseas business or organisation that is “carrying on business” in New Zealand and is collecting or holding personal information, even if it does not have a physical presence here; and
- New Zealand agencies in respect of any action taken and all personal information collected or held by a New Zealand entity, both inside and outside New Zealand.
If you’re a New Zealand business operating internationally, or an international business operating in New Zealand, the new Privacy Act applies to you and you should consider whether your current policies and processes meet the requirements of the new Act.
Increased investigation and enforcement powers
The Privacy Commissioner will have new powers to investigate on his own initiative, require information, and issue compliance notices.
The Privacy Commissioner will be able to issue compliance notices to organisations to require them to do something, or stop doing something, to ensure compliance with the Privacy Act. Compliance notices will describe the steps that must be taken and state a date for when the changes need to be made.
The Privacy Commissioner may publish a compliance notice if he believes it is in the public interest. This means the reputational risk of “naming and shaming” is much higher than has historically been the case.
The Privacy Commissioner will also be able to direct agencies to provide individuals access to their personal information in any manner he considers appropriate. This should allow faster resolution of complaints relating to access to personal information. Access directions will also be enforceable in the Human Rights Review Tribunal.
Increased penalties
Under the new Privacy Act, it will be an offence to mislead an agency to access someone else’s personal information – for example, impersonating someone in order to access information that you are not entitled to see. Even though this new offence is in place, it will still be important for organisations to ensure there are appropriate checks in place to ensure any disclosure of information is to the right person.
It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it.
Finally, the new Privacy Act introduces a class action mechanism. A representative may bring a class action to the Human Rights Review Tribunal for an interference with privacy on behalf of a class of individuals. Individuals can also bring an action on the same grounds. The Human Rights Review Tribunal can award up to $350,000 damages to each member of a successful class action.
What do I need to do?
The uptake and proliferation of technology is constantly changing your organisation’s privacy and security risk. Even apart from the Privacy Act changes, privacy can’t be done in a reactive manner; to manage your risks you have to be proactive. Next month we’ll set out some practical steps you can take to make sure your organisation is well-placed to comply with these changes.
If you need assistance with the Privacy Act or help with preparing for these changes, please get in touch.