New Zealand’s privacy laws haven’t changed since 1993, but technology and the way we live our lives online has changed significantly since then. Around the world, privacy laws are being updated to cover the needs of our changing world, and now it’s New Zealand’s turn.
The changes to the Privacy Act cover the addition of a new privacy principle, mandatory reporting on data breaches, more jurisdiction given to the Privacy Commissioner, heavier penalties for privacy offences and some updates to existing privacy principles.
The world is much more of a global marketplace now, hence privacy principle 12 was added. This principle puts onus on companies to check the privacy protections in place in the countries where personal information is disclosed. The scope of the Privacy Act has also been updated so that it explicitly applies to all companies who do business in New Zealand, and that doesn’t necessarily mean holding an office there.
If there has been a data breach that has caused, or has the potential to cause serious harm, it is now mandatory to inform the Privacy Commissioner, and usually also the affected people. In the past, people may not have even been aware if their personal information had been breached, which meant they couldn’t do anything to mitigate any potential damage, for example, by changing their passwords. Mandatory reporting aims to prevent this and will also give the Privacy Commissioner more oversight of the types of data breaches New Zealand companies are facing.
The Privacy Commissioner can now issue compliance notices that tell a company to do something or stop doing something in order to comply with the Privacy Act. The Commissioner will be able to shorten the timeframe in which a company must comply with investigations, and the penalty for non-compliance will be increased from $2,000 to $10,000.
The Privacy Commissioner will now make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.
There are also new penalties, such as destroying documents containing personal information if a request has been made for it, with penalties of up to $10,000 for committing such offences.
Principle 1 has been updated to clarify the requirement to only collect identifying information from people if it is needed for a lawful purpose.
Principle 4 has been updated to clarify that companies must ensure personal information collected from children and young people is done fairly and reasonably.
Principle 13 has been updated to clarify that companies must take reasonable steps to protect unique identifiers from being misused.