Law change: Privacy Act overhaul to protect personal information in the digital age
If you collect, store or use personal information about employees and/or customers, it’s important to:
- check your business meets existing privacy requirements
- get ready for the law change.
Here’s what you need to know and do to keep people’s information safe and secure.
When: From 1 December 2020
What: Changes to the Privacy Act mean businesses must:
- not destroy personal information if someone asks for information held about them
- report serious privacy breaches
- check personal information shared with overseas companies will have similar protection to New Zealand.
Overseas businesses operating in New Zealand must meet privacy requirements, including multi-nationals offering services like cloud software or social media.
The revamped Act gives the Privacy Commissioner greater powers. This includes:
- ordering a business to give a person their personal information
- issuing a compliance notice if a business fails to comply with the Privacy Act.
So it’s a good idea to appoint a privacy officer, eg add privacy duties to a trusted employee’s existing role.
Why: The Privacy Act aims to keep people’s personal information safe and secure. The law updates reflect changes in technology and the ways business is done online and offline.
Privacy Act 2020 — Office of the Privacy Commissioner
What you need to do
Anyone who collects, uses and stores personal information must follow new and existing rules in the Privacy Act. This applies to all business types, including sole traders and freelancers/contractors. Common examples of personal information collected by businesses include:
- contact details
- employment records
- photos of workers or customers used for marketing, eg flyers or social media posts.
To meet new requirements in the Privacy Act, here are some of your key responsibilities.
Decide who in your business will take the lead on privacy matters. This could be you, an office manager, or another trusted worker. This person will be your privacy officer, in addition to their current tasks.
This role involves:
- a general understanding of how the Privacy Act relates to your business
- checking personal information is collected responsibly and stored safely
- making sure any issues or requests for personal information are handled promptly
- handling privacy complaints made to your business, including working with the Office of the Privacy Commissioner (OPC) on any escalated complaints.
Learn about privacy requirements with free online training on the Privacy Commissioner website. Modules include:
- Privacy 101
- Employment and privacy
- Reporting privacy breaches
- Privacy Act 2020
e-Learning — Office of the Privacy Commissioner
Requests for personal information
If someone asks for their personal information held by your business, you must respond within 20 working days. Most complaints to the Privacy Commissioner are from people denied access to their personal information.
You and/or your privacy officer should think about how the business stores and handles information:
- Could you respond to a request within the time limit?
- How do you store personal information?
- How secure is it?
You must not delete personal information to avoid the request. This will be illegal under the revamped Privacy Act.
Talk with your staff about what to do if there’s a serious privacy breach. Work through various scenarios together, eg accidentally losing personal information vs a cyber attack. This helps everyone know the steps they should take.
An important new step is to report serious breaches to the Privacy Commissioner by phone, email or using the online tool Notify Us.
Sharing information with overseas companies
Under the new Privacy Act, you may only share personal information with an overseas business if they meet New Zealand’s privacy requirements. This does not apply to overseas cloud-based services.
More guidance is being developed to help you understand these requirements.
In the meantime visit the Privacy Commissioner’s website for current guidance, and for contact information if you have questions.
Disclosing personal information outside New Zealand — Office of the Privacy Commissioner
Personal information: What it is, how to protect it
If you worry a company doesn’t properly protect personal information, it’s a good idea to report it to the Privacy Commissioner.
This includes multi-nationals and other overseas organisations operating in New Zealand.
Existing privacy requirements
You continue to be required to:
- Only collect personal information needed for business reasons.
- Store personal information safely and securely.
- Only keep information while you need it or are legally allowed to keep it.
- Respond to someone’s request for personal information within 20 working days.
- Update or correct personal information as required, eg new phone number.
You can only share personal information with others in specific circumstances. For example, it’s justified to give a courier a customer’s details to deliver a parcel, because delivery is one of the reasons your business gathered the information.
It's a good idea to check your privacy statement is up to date. This should tell people how you collect and use personal information. If your business doesn’t have a privacy statement, use this free online tool to create one:
Priv-o-matic — Office of the Privacy Commissioner