Workers of the World Rejoice: Government poised to increase Sick Leave entitlementsMarch 15, 2021
Making driving your business: Employment Court finds Uber driver is an independent contractorMarch 15, 2021
An important update that may have fallen under the radar came into force on 1 December 2020. The Privacy Act 2020 ushered in new obligations on organisations and businesses when handling personal data.
We set out some thinking points for you below on the new Act:
- How much information can be collected?
- The Act now clarifies that you should only collect identifying information as necessary for the performance of your services. Less is better in this case.
- What are my reporting obligations?
- It used to be that you were only encouraged to inform the Privacy Commissioner of breaches. Under the new Act you are obliged to notify the Privacy Commissioner AND the affected persons of notifiable breaches as soon as possible. Breaches that fall into this category are breaches that are reasonably believed to have caused serious harm to someone or are likely to do so.
- While yet to be clarified by the Commissioner, the wording of the Act regarding breaches seems to include where an organisation is temporarily prohibited from accessing information. This could mean mandatory reporting for incidences like the dreaded ransomware if it is a notifiable breach.
- What happens if we fail to comply?
- The Privacy Commissioner now has greater powers – it can compel a company to do or stop doing something.
- Failing to notify the Privacy Commissioner can incur a fine of up to $10,000 per breach.
- Where does the Act apply and how does it apply?
- Local and overseas organisations who carry on business in New Zealand are subject to the Act, regardless of where they have their physical presence. This means when you engage an overseas provider, both you and the provider will have to comply with the Act.
- If you intend to disclose or store personal information outside New Zealand, you must ensure comparable safeguards to the Act are in place. Where there are no such safeguards, you must obtain express consent from the potentially affected individual.
- Lastly, this may be common sense but best to be said just in case:
- Be aware that people sometimes pretend to be someone else, or to have authority from someone else, in order to access or modify that other person’s personal information. It is an offence to do this and also a beach of the Act to act on such instructions.
- If a request is made by a person to access their information, be reasonably helpful with providing that information and do not withhold or destroy and information (unless under one of the limited exceptions set out in the Act)
- These transgressions also attract a fine of up to $10,000.