New Zealand's Privacy Act 2020 (Privacy Act) commenced on 1 November 2020. It levelled up information privacy obligations and introduced a new notifiable privacy breaches scheme.
Your business will need to ensure it handles personal information relating to New Zealand in accordance with the new Privacy Act and its 13 information privacy principles (IPPs).
Similar to New Zealand's previous 1993 privacy legislation, the new Privacy Act's central tenets are its set of IPPs. The IPPs have been modernised and expanded to 13, including a new privacy principle (IPP 12) concerning disclosure of personal information outside of New Zealand.
The new changes bring New Zealand’s privacy framework into closer alignment with internationally recognised privacy obligations.
The Privacy Act applies to organisations that conduct business in New Zealand, regardless of:
- whether they have a legal or physical presence in the country;
- whether they charge money for goods or services, or make a profit from their activities;
- the place where the information having a New Zealand link is collected or held; or
- the place where the person to whom the information relates is located.
This includes organisations that make digital platforms available to individuals in New Zealand, regardless of where the business or its servers are located.
The policy will need to include the appointment of your Privacy Officer, and criteria for assessing whether a data incident is a notifiable privacy breach.
The Privacy Act also introduced an obligation for your business to ensure that an overseas recipient of personal information operates with similar levels of privacy protection to those in New Zealand.
Your business needs a trans-Tasman data breach response plan.
The Privacy Act now includes a mandatory privacy breach notification scheme.
Similar to the Australian notifiable data breaches scheme, not all privacy breaches are notifiable – a breach is reportable only if it creates a likelihood of serious harm for the affected individuals.
If a notifiable privacy breach has occurred, your business will need to notify the New Zealand Privacy Commissioner and the affected individuals.
The main difference between the Australian and New Zealand schemes is the timeframe for assessing and reporting a notifiable breach: "as soon as practicable" in New Zealand, versus 30 days in Australia.
The penalties for non-compliance have been increased.
The Privacy Act now provides for increased intervention and enforcement powers, including higher financial penalties up to $10,000 for a breach of a Commissioner compliance order or destruction of requested documents containing personal information.
While these are not high-value penalties by international standards, they do represent a significant change in the New Zealand privacy regime.
What else should your business do?
- Develop and document clear processes and training so that your Privacy Officer (have you appointed one?) and relevant team members are appropriately prepared and trained to respond to complaints or investigations, and to interact with the affected individuals and the Privacy Commissioner. Consider including your external legal advisors, cyber security advisors, and your communications or public relations personnel in this response team.
- Understand where and how your business collects, uses, stores and discloses personal information relating to New Zealand.
- Check your contracts with service providers, in particular those agreements which involve transferring personal information to suppliers or partners outside of New Zealand – including to the home office in Australia. Do they require your service provider to protect personal information in at least the same manner as required in New Zealand?