
John Edwards (Privacy Commissioner)
The new Privacy Act 2020 has come into force, ushering in new obligations on organisations and businesses when handling personal information.
The new Act, which affords New Zealanders better privacy protections, also gives the Privacy Commissioner greater powers to ensure organisations and businesses comply.
Key changes include:
New privacy breach reporting obligations
If a business or organisation has a privacy breach that it believes has caused, or is likely to cause, serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible. The Commissioner has deployed a new tool on its website for reporting a privacy breach.
New criminal offences
It will now be an offence to mislead an agency to access someone else’s personal information – for example, impersonating someone in order to access information that you are not entitled to see. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for such offences is a fine of up to $10,000.
Compliance notices
The Privacy Commissioner will be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, to comply with the Privacy Act 2020.
Enforceable access directions
The Privacy Commissioner will be able to direct an organisation or business to confirm whether they hold personal information about an individual and to provide the individual with access to that information.
Disclosing information overseas
A new privacy principle 12 has been added to the Privacy Act to regulate the way personal information can be sent overseas. From today, such information can be disclosed to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act 2020.
Extraterritorial effect
An overseas business or organisation that is “carrying on business” in New Zealand will be subject to the Act’s privacy obligations even if it does not have a physical presence in New Zealand.
Privacy Commissioner John Edwards said the new law reflected the changes in New Zealand’s wider economy and society as well as a modernised approach to privacy.
“The new Act brings with it a wider range of enforcement tools to encourage best practice, which means we are now able to take a different approach to the way we work as a regulator,” he said.
The Office of the Privacy Commissioner has produced resources and guidance to help people and organisations understand the changes.