On 1 December, the Privacy Act 2020 comes in to force. It replaces the Privacy Act 1993. Key changes include:
Privacy breaches will be notifiable
New rules will be introduced for transferring personal information internationally, along with some implications for cloud-based services
The rules about collecting personal information and dealing with young people have been tightened
Changes to the way the Privacy Act applies to overseas businesses in New Zealand and New Zealand businesses with national and international customers
The Privacy Commissioner is getting increased investigation and enforcement powers.
Penalties for non-compliance are increasing.
What does the new Privacy Act apply to?
The new Privacy Act (like the old Privacy Act) sets out rules for how we collect, hold and store personally identifiable information. This includes names, contact details, dates of birth, health and education information, and how the person has interacted with us. It can also include things like photos, videos, and internet history.
But this information is public, doesn’t that mean it isn’t private?
The Privacy Act applies to personally identifiable information; it doesn’t matter if it was collected in public.
I’ve got some personal information. What do I do with it?
We are currently carrying out a stock take of all personal information that we hold. Please get in touch with [our Privacy Officer] to let us know what information you’ve got and what system it is in.
What’s a privacy breach?
Privacy breaches include all unauthorised or accidental access to or disclosure of personal information. Privacy breaches also includes losing access to personal information we hold or control.
This includes big things like system hacks or online vulnerabilities exposing personal information, but can include simple things like misdirected emails and using CC instead of BCC.
What do I do if I think there might have been a privacy breach?
What happens if I don’t report a privacy breach?
The new Privacy Act has serious consequences for failure to report data breaches. This includes fines and official “naming and shaming”. There could also be serious reputation consequences.
What do I need to think about for cloud-based services?
The Privacy Act introduces new rules about overseas cloud-based services. Before signing up to any new cloud-based service, you must contact [IT]. They may ask you to do a privacy impact assessment that outlines the service provider and the type of information held there.
Who is our privacy officer and how do I get in contact with them?