New privacy laws to replace the Privacy Act 1993 are passing through Parliament. Digital technology has progressed so much that it is necessary to provide new measures of privacy protection for businesses that collect, store or use personal information about their employees and/or customers. This Privacy Bill is likely to come into effect by the end of this year.
The key privacy law changes that businesses should be aware of include:
- The requirement to report data breaches. If any breach of data carries the risk of harm (such as leaked personal information being used in identity theft or published online), the business must notify the people affected as well as the Office of the Privacy Commissioner.
- New Zealand businesses using overseas service providers must ensure those providers comply with New Zealand privacy laws, and that personal information sent overseas is protected by acceptable privacy measures.
- The Privacy Commissioner will have the authority to shorten the timeframe in which a business must comply with investigations. Non-compliance will carry a penalty of $2,000 to $10,000.
- If someone requests personal information held by a business, the business is not permitted to destroy that information in an attempt to avoid providing it. The proposed penalty for this is a fine of up to $10,000.
- The Privacy Commissioner will be able to issue compliance notices to require a business to do (or stop doing) something, and have the authority to make binding decisions on complaints regarding information access. This previously sat with the Human Rights Review Tribunal.
There are several steps your business can take to comply with the upcoming privacy law changes, including:
- Ensuring you have an up-to-date privacy statement in place. The Office of the Privacy Commissioner has a Privacy Statement Generator to help create one.
- Making sure that everyone knows what steps to take in the event of a serious privacy breach.
- Ensuring personal information is stored and used in a safe and secure manner.
- Contacting any overseas suppliers you deal with to find out if they comply with New Zealand’s privacy laws.
- Considering appointing a privacy officer who will take responsibility for keeping up to date with the new privacy laws and dealing with the business's privacy issues as they arise.
For more information about the new privacy law changes, visit the Office of the Privacy Commissioner website.