Get ready for upcoming Privacy Law changes
Changes to the Privacy Act are coming. If you collect, store or use personal information about your employees and/or customers, here’s what you need to do.
What you need to know
When: The Privacy Bill is making its way through Parliament and will most likely become law before the end of 2019.
What: Privacy changes include the following:
- Businesses will need to report serious privacy breaches. For example, if you experience a data breach that poses a risk of harm (eg leaked personal information is used in identity theft or published online), you must notify the people affected. Also, you must notify the Office of the Privacy Commissioner either by email, phone or using their online enquiry form.
Enquiry form (external link) — Office of the Privacy Commissioner
- If someone requests personal information held by a business, the business cannot destroy the information in order to avoid providing it.
- Kiwi businesses using service providers based overseas, like cloud software, will need to make sure their providers are meeting New Zealand privacy laws.
Who: All businesses that collect, store and use personal information about their employees and/or customers.
Why: The Government is updating New Zealand’s Privacy Act 1993 to make sure personal information is kept safe and secure in line with new technology and ways of doing business.
What you need to do
- Talk to your staff about what to do in the event of a serious data breach. Work through various scenarios together so everyone is aware of the steps they should take.
Data breaches (external link) — Office of the Privacy Commissioner
- 60 per cent of complaints to the Office of the Privacy Commissioner are from people denied access to their information. If a customer or employee requests their information, you are required to respond to that request within 20 working days. Make sure you have a process in place to handle customer requests for information held about them if, and when, they are made.
- Make sure you hold and use personal information in a safe and secure way and dispose of it securely when you have finished with it.
- If you use an overseas-based service provider, like cloud software, ask the provider how they’re meeting New Zealand privacy laws.
- Appoint a privacy officer. Every business should have a privacy officer, according to the Privacy Act. This is someone who has a general understanding of the Act and can deal with privacy issues when they arise.
What is a privacy officer? (external link) — Office of the Privacy Commissioner
- Review your privacy statement and make sure it’s up to date. If you don’t have one, the Office of the Privacy Commissioner has a free tool to help you create a privacy statement that tells people how you will be collecting, using and disclosing their information.
Priv-o-matic (external link) — Office of the Privacy Commissioner
- The Office of the Privacy Commissioner has online learning modules that you and your staff can go through to become more familiar with your legal privacy responsibilities. The Privacy ABC and Privacy 101 modules are quick and easy introductions to the Privacy Act.
eLearning (external link) — Office of the Privacy Commissioner