NZ’s new privacy law: what you need to know

GDPR or General Data Protection Regulation came into force across the EU (European Union) in 2018 – and now, NZ’s new privacy law is coming into effect.

NZ’s new privacy law – Dec 2020

Changes to the Privacy Act are coming and this will affect most, if not all New Zealand businesses. If you collect, store or use personal information about your employees and/or customers, you will need to review your policies and procedures around how you handle that data and how you notify your users.

The new Privacy Act will take effect from 1 December 2020 and was reported on in NZ’s media in 2018. The Privacy Act 2020 (the Act) repeals and replaces the previous Privacy Act 1993.

“We’re all moving through this world leaking data everywhere… The new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment,” says Privacy Commissioner John Edwards.

NZ’s new privacy law strengthens privacy protections in New Zealand and largely follows the EU’s GDPR framework. It promotes early intervention and risk management by agencies (the name used for any organisation or person that handles personal information, such as webhosts, service providers or other data collection agencies (e.g. Google) and enhances the role of the Privacy Commissioner.

The Privacy Act 2020

In a nutshell, NZ’s new privacy law key changes include:

• Requirements to report privacy breaches: If an agency has a privacy breach that “causes serious harm” or is likely to do so, it must notify the people affected and the Privacy Commissioner (NZ appointed data privacy government department).
• Compliance notices: The Privacy Commissioner will be able to issue compliance notices to require an agency to do something, or stop doing something.
• Decisions on access requests: The Privacy Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal (per current policy).  The Commissioner’s decisions can be appealed to the Tribunal.
• Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas (such as through or to a technology service provider), it is protected by comparable privacy standards. The Act also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws – many already do, but the onus will be on NZ agencies to clarify this.
• Class actions: The Act permits class actions in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings. This potentially means that a group of people could sue a service provider for data privacy breaches, further applying pressure to ensure such providers to properly manage and mitigate risks.
• New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s information (for example hacking or social engineering), and to destroy documents containing personal information if a request has been made for it. The penalty will be a fine of up to $10,000.
• Strengthening the Privacy Commissioner’s information gathering power: The Commissioner will be able to shorten the timeframe in which an agency must comply with investigations and the penalty for non-compliance will be increased from $2,000 to $10,000 – effectively meaning agencies will be under greater pressure for compliance.

What Does This Mean For NZ Businesses?

While we are not lawyers, we are happy to provide our interpretation of NZ’s new privacy law and the things you need to do to become compliant by December 2020.  If you want more detail, you can head over to the business.govt.nz website or visit the official Privacy NZ website – or contact us for details of our bespoke consultancy services, where we can provide detailed guidance.

1. Your business management team and staff should meet to discuss data collection and storage procedures and policies.
   1. You should appoint a “privacy officer” – someone who has a general understanding of the Act and can deal with privacy issues if an when they arise.
   2. Your team should have a clear understanding of what data you collect, where and how it is stored.
   3. You should discuss within your business what to do in the event of a serious data breach and what steps you should take.
2. By association, any technology provider you engage with in the course of running your business – such as your website host providers, email providers, email marketing or cloud providers (such as e.g. Xero, Google, Facebook) or other ‘agencies’ that have access to your or your customer’s data – must be consulted to determine what data is collected and how it is stored.
3. You should satisfy yourself that your / your customer data is being collected securely, stored in an encrypted and / or secure fashion and protected with modern and robust techniques to ensure it is as safe as possible.
4. Ensure that your website has the appropriate privacy statements to inform your users what data you collect and what steps you have / are taking to protect their data
5. You need to be able to – within 20 working days – provide users who request it, a copy of the data you hold about them.

How Can Purple Dog Help?

Purple Dog is, amongst other things a webhost and service provider. We employ best practices when it comes to providing secure services and continually review our systems to ensure any data we collect is necessary and is stored securely.

We also employ a range of techniques to assist our clients to collect and securely store the customer data they need to be able to do business.  All data collected and stored is that which is either directly relevant to the operation of the business – such as email services, email marketing, ecommerce and others, or it is used to gather information on how the business is performing – such as analytics, search engine data and other (largely anonymous) information.

For business owners / stakeholders who would like additional guidance or support, we provide one-on-one consultancy to assess current procedures and recommend safe, secure and integrated methods to utilise “best of breed” technology, and engage best practice when it comes to implementation, usage and ongoing maintenance.

Do get in touch to find out more