The Privacy Act regulates how businesses, governments and organisations (together, agencies) handle personal information. The Privacy Act 2020 replaced the Privacy Act 1993 on 1 December 2020. The key differences between the two Acts include:
- the introduction of a new Information Privacy Principle that sets out how you can disclose personal information outside of New Zealand;
- a new privacy breach notification scheme; and
- the inclusion of some overseas agencies within the scope of the Privacy Act.
This article will highlight the key features of the new Act and some of the significant changes from the 1993 Act.
The Information Privacy Principles
The New Zealand Information Privacy Principles (IPPs) are a set of guiding principles that govern how you should collect, use and disclose personal information. The 1993 Act had 12 IPPs; the 2020 Act has 13.
For example, IPP 3 outlines what you should tell an individual before you collect their personal information, including the purpose for which you are collecting it. IPP 6 gives individuals the right to access their personal information, and IPP 7 gives them the right to request that it be corrected.
The Privacy Act 2020 also introduces a new Information Privacy Principle, inserted as the new IPP 12. As a result, the former IPP 12 (Unique Identifiers) becomes the new IPP 13.
IPP 12 – Transfers of Personal Information Outside of New Zealand
The new IPP 12 regulates how you can send personal information outside of New Zealand. As an agency, you may only disclose personal information to a person or entity outside of New Zealand in certain circumstances. These include where you reasonably believe that the foreign person or entity:
- is subject to the New Zealand Privacy Act;
- is subject to laws that provide comparable safeguards to the New Zealand Privacy Act;
- agrees to protect the information in a way that is comparable with the New Zealand Privacy Act (such as by agreement in a contract); or
- is subject to the laws of a country or is a participant in a binding scheme that the New Zealand government has designated as having comparable safeguards to the New Zealand Privacy Act.
If none of these circumstances applies, you may only disclose the information if the individual authorises the disclosure after you have expressly informed them that the overseas recipient may not be required to protect their personal information in a way that provides comparable safeguards to the New Zealand Privacy Act.
Will the New IPP 12 Affect Your Business?
The new IPP 12 requirements are a significant departure from the previous privacy landscape in New Zealand, and they will affect many businesses. For example, if your business transfers personal information to international teams, service providers or developers outside of New Zealand, you may be affected.
To date, the New Zealand Government has not prescribed any countries or binding schemes as having comparable safeguards. However, the European Union's GDPR (data protection law) is one of the strictest privacy regimes worldwide, so a recipient that is subject to the GDPR may well satisfy the 'comparable safeguards' test.
An Exception to the IPP 12 Requirements
There is one important exception to the requirements in IPP 12. This exception affects agencies that transfer personal information to an overseas recipient, for the recipient to:
- hold; or
- process on behalf of the sender.
In this case, the transfer does not constitute a disclosure unless the overseas recipient:
- uses the personal information for its own purposes; or
- discloses the information to someone else.
Where the exception applies, the agency does not have to satisfy the IPP 12 steps outlined above. This exception allows agencies to rely on overseas cloud storage providers, for example, even where those providers do not have data centres within New Zealand. Note that the sending agency remains responsible for the information throughout: personal information held by an agent on your behalf is treated as held by you, so your obligations under the other IPPs (including IPP 5, which requires reasonable security safeguards) continue to apply to information stored or processed overseas.
Businesses Outside of New Zealand
If your business is located outside of New Zealand but is 'carrying on business' in New Zealand, you will still need to comply with the Privacy Act 2020. While the Act does not define 'carrying on business', it does specify that an organisation must comply even if it:
- has no place of business in New Zealand; or
- does not make a profit from its activities in New Zealand.
Privacy Breach Notification Scheme
The Privacy Act 2020 introduces a privacy breach notification scheme. This scheme specifies what to do if you suffer a privacy breach. If you believe the breach has caused, or is likely to cause, serious harm to an affected individual (a 'notifiable privacy breach'), you must notify the Office of the Privacy Commissioner and the affected individuals as soon as practicable after becoming aware of it. A breach could include:
- an intentional hack;
- an employee losing a company laptop; or
- an accidental failure to bcc when sending an email to all clients.
However, not all privacy breaches will attract an obligation to notify. If you think you have experienced a privacy breach, it is essential to obtain immediate legal advice. For example, your privacy lawyer can help you assess whether you need to notify the breach and what steps you should take to mitigate its impact.
The Privacy Act 2020 replaced the Privacy Act 1993 on 1 December 2020. It includes:
- a privacy breach notification scheme;
- greater restrictions on agencies when disclosing personal information overseas; and
- application to agencies located outside of New Zealand that carry on business in New Zealand.