The Privacy Act 2020 (Act) came into effect on 1 December 2020.
For the last few months we have run a series of seminars throughout the country, and delivered a webinar, to highlight the most significant changes under the Act and to give you an understanding of how they will impact your business.
We have also reported on the key changes in our previous newsletters, available here.
With the Act now in force, we re-cap on the key changes and take a look at some of the tools provided by the Office of the Privacy Commissioner to assist organisations in their compliance with the Act.
Overseas disclosures – model clauses
One of the key changes under the Act is the new information privacy principle 12. Under principle 12, organisations must ensure that any personal information sent outside New Zealand to a third party that will use that personal information for its own purposes is adequately protected by privacy safeguards comparable to those in the Act.
This creates an obligation on organisations to undertake due diligence on an offshore-based third party before sending it personal information.
One practical way to ensure compliance with the new principle is for organisations to adopt contractual safeguards with their overseas partners. The Office has released model clauses which can be used for this purpose. The clauses are tailored to meet the requirements under the Act, and can be used to ensure the offshore third party is bound to safeguard personal information. The model clauses can be found here.
The model clauses are available for anyone to use, and are specifically aimed at small to medium sized businesses.
It is worth noting that principle 12 will not apply when personal information is sent offshore to a third party service provider that is only performing a service on behalf of the organisation and not using the information for its own purposes (e.g. a transfer to a cloud storage provider). However, in that case the organisation must still comply with privacy principle 5, which requires it to have safeguards in place that are reasonable in the circumstances to prevent loss, misuse or unauthorised disclosure of the personal information.
Breach notification
A further key change is the introduction of the new privacy breach notification regime.
Under the Act it is now mandatory for an organisation to notify both the individual concerned and the Office of the Privacy Commissioner if there is a privacy breach that causes, or is likely to cause, serious harm to an individual. The Act requires notification as soon as practicable after the organisation becomes aware of the breach.
In assessing whether a breach is likely to cause serious harm and therefore notifiable, the organisation must consider a number of factors, including any action taken by it to reduce the harm following the breach, and the sensitivity and security of the information.
Under the Act it is an offence if an organisation fails to notify the Privacy Commissioner of a notifiable privacy breach.
The Office has recognised that organisations may be inclined to err on the side of caution in relation to the notification regime, which may cause an influx of notifications. Although this may not cause much detriment to the Office, if individuals are continuously notified unnecessarily, it may adversely affect both the individuals and the organisation.
The Office has developed an online tool, NotifyUs, to assist organisations to assess whether a breach is notifiable. NotifyUs is available here, and can also be used to report the breach.
How we can help
With the new Act now in force, if you have not already done so, we recommend undertaking a privacy audit, to ensure your agreements, policies and processes are up to date. If you would like to understand more about your obligations under the Act, please get in touch with us.