You will likely be aware that there is a new Privacy Bill being considered by Parliament. While there has not been any progress for some time, on 17 March 2020, Justice Minister Andrew Little tabled a supplementary order paper (SOP) in relation to the Bill.
The SOP sets out some proposed amendments to the Bill, and importantly provides a new commencement date of 1 November 2020. Previously, the Bill contemplated a 1 March 2020 commencement. This development and new date provides a clear target for New Zealand businesses to ensure their privacy policies and processes are compliant with and ready for the new regime.
The key change for most businesses under the new regime will be the requirement to report on serious privacy breaches. The SOP does not change that requirement. For an overview of the breach reporting requirement and the other key changes proposed by the Bill, please read our earlier newsletter, which can be found here.
The SOP makes a number of minor amendments to the Bill. While most of them bring some greater clarity to aspects of the Bill, there are three changes that you should be aware of. They are:
- Clarifying that an agency collecting personal information from children and young persons must pay particular attention to ensure the collection is by a means that is fair and not unreasonably intrusive. Previously the Bill had required agencies to take into account the vulnerability of such individuals when collecting personal information. This change clarifies that the focus remains on fairness and reasonableness of the collection.
- Providing that an agency will not be liable for failure to notify a privacy breach if it does not have actual knowledge of the privacy breach. However, it does appear there is now a gap in the notifiable breach regime, as service providers who just process personal information on behalf of an agency do not have their own obligation to notify the agency if the breach is with the service provider. Regardless, we recommend that when the Bill becomes law service providers promptly advise agencies of such a breach.
- Reversing the Select Committee proposals that required the Privacy Commissioner to publish the names of agencies issued with a compliance notice (where those agencies were failing to comply with their privacy obligations). Instead, to publish or not will be a matter for the Commissioner’s discretion, applying the public interest test.
With the date for the new Act now set, it is a great time to review your privacy policies and processes to ensure they are up to date. You should also be updating your breach response plans to be ready for the notifiable breach regime. If you would like to understand more about new Privacy Bill, and how it may impact you, please get in touch with us.
Also refer to:
Click here for other Corporate Law articles.