New Zealand's Privacy Act 2020 regulates the collection, storage, use, and disclosure of personal information by agencies and businesses. The Act aims to protect individuals' privacy rights. In particular, there are 13 principles that govern how your business should collect, handle and use the personal information of an employee. It is important that your business does not misuse any private information. You can be the subject of a complaint under the Privacy Act even if you only accidentally misused private information. This article provides employers with a comprehensive guide to understanding the Privacy Act.

What if My Business Needs to Ask for Private Information?

If your business needs to collect information, you need to inform the persons whose information you are collecting. Further to this, your business should have a privacy statement which should include:

  • how you are collecting the information;
  • when you are collecting the information;
  • why you are collecting the information; and
  • what you will be doing with it.

How to Handle Personal Information

Managing and utilising employee information, such as contact details and addresses, is an integral aspect of conducting business. It is important to ensure that you:

  • safeguard and protect this information securely;
  • only request the necessary personal details for business transactions, such as names and contact information;
  • utilise personal information, such as emails and phone numbers, only after verifying its accuracy and ensuring it is up-to-date;
  • allow employees to request and view their personal information;
  • obtain consent from the employee before sharing email addresses with other organisations or businesses;
  • inform individuals about the information being collected from them and the reasons behind it; and
  • notify individuals if their personal information needs to be transmitted overseas.

How to Store Private Information 

It is important that all information that you own about employees is stored in a secure way. Once it is no longer needed, it should be disposed of securely. It is recommended that you have policies, training, and expectations for team members around how private information should be handled and disposed of. You may want to restrict most employees' access to personal information unless it is integral to their job. It is recommended that you constantly check access to information within your business, such as who holds the keys or passwords that give access to certain documents.

Use of Privacy Officers

It is important that all businesses have a Privacy Officer. This does not need to be a new staff member but can be an existing staff member or even yourself. You must ensure that the Privacy Officer is someone who is familiar with how information should be handled. Often this could be a manager or someone in the human resources department. The Privacy Officer has multiple duties including:

  • ensuring policies are in place to handle private information;
  • managing privacy complaints about clients, customers and other employees;
  • alerting the employer to any risks to access to personal information; and
  • liaising with the Privacy Commissioner if required.

Role of the Privacy Commissioner

Under the Privacy Act, the Privacy Commissioner oversees various important tasks. Most notably, the Privacy Commissioner investigates complaints of breaches of privacy. Further to this, the Privacy Commissioner makes public statements related to an individual's privacy.

The Privacy Commissioner may intervene in your workplace if there are complaints made regarding privacy breaches. For instance, your employee may discover that your business is mishandling their data or sharing it improperly. It is likely then that the Privacy Commissioner will launch an investigation into your business's practices.

It's important to note that the Privacy Commissioner lacks the authority to:

  • mandate monetary payments to employees;
  • impose fines;
  • coerce parties into accepting settlement offers; or
  • enforce acceptance of their findings.

Instead, their role primarily revolves around determining whether there has been a breach of the Privacy Act and facilitating a resolution between the concerned parties.

Personal Information Requests

Principle 6 of the information privacy principles under the Privacy Act gives people the right to request access to their own personal information. Generally, if someone, especially an employee, requests access to personal information about themselves, you must provide it. But it is important to note that people are only able to request information about themselves. The Privacy Act does not allow for information to be requested about another person unless:

  • the person is acting on behalf of the person whose information is being requested; and
  • there is written permission for the information to be sought.

What if I Want to Refuse Access to the Information?

Sometimes there may be good reason for you to refuse a request for access to personal information. This may be because providing access to personal information may also result in another person's information being released. However, generally, you must provide this information unless there is a valid reason not to provide it under the Privacy Act. You may be able to refuse access to information for the following reasons:

  • you do not have the information;
  • releasing the information could put someone in danger;
  • the information was provided in confidence;
  • the information is not retrievable;
  • the request is "vexatious" – this means that the request was not made in good faith or there has been an abuse of process; or
  • the request is "trivial" – this means that the information may be something that the requestor already knows or is not relevant to the requestor.

It is important to have a valid reason if you fail to provide the information requested. Otherwise, the Privacy Commissioner can issue a direction requiring you to release the information.

Key Takeaways

Understanding and adhering to the regulations outlined in the Privacy Act 2020 is vital for you as an employer. The Privacy Act governs the handling of personal information to safeguard individuals' privacy rights. It is important that you, as an employer, remain vigilant to prevent inadvertent breaches that could lead to complaints to the Privacy Commissioner. Employers must appoint a Privacy Officer to oversee compliance, manage complaints, and mitigate risks. Your Privacy Officer should also understand the role and limitations of the Privacy Commissioner in resolving disputes and facilitating resolutions. As an employer, you should prioritise privacy protection and implement robust privacy policies and procedures. This will help your business navigate the complexities of managing personal information responsibly and ethically.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.