On 1 December 2020, the Privacy Act 2020 (the Act) will replace the Privacy Act 1993. The world has come a long way since the 90s; technology in particular has changed how personal information is collected, stored and shared, and the law has been updated to reflect that.
All organisations collect information about people they work with – from staff, to suppliers, customers, and clients. New privacy laws may affect how your organisation collects, handles and uses personal information about these people.
The Act does not differentiate between a large company with several hundred staff and a small local business with a handful of staff: it applies to any organisation that holds personal information about others.
The privacy principles
The Privacy Act 2020 has 13 information privacy principles that govern how your organisation must manage personal information. The Privacy Commissioner publishes a brief outline of these principles on its website, and the full text of the Act is published online.
What are some of the key changes?
While the Act reaffirms many of the existing principles, some key changes include:
Principle 1: identifying information should not be collected if it’s not necessary for the purpose of collection. Example: if you’re running a survey to find out about trends, but the person’s name isn’t required for the purpose of the survey, you should not collect their name.
Principle 2: it will be possible to collect information from people other than the individual concerned if there’s a serious threat to life or health.
Principle 4: requires careful consideration when collecting information from children and young people.
Principle 8: requirement to check the accuracy of information before disclosing that information.
Principle 12 (new): regulates how personal information can be sent overseas. Example: if you use overseas service providers, such as cloud software, you remain responsible for that information and need to make sure it will be protected to a standard comparable to NZ privacy law.
Principle 13: requires reasonable steps to minimise the risk that a unique identifier is misused (for example, for identity theft). Example: bank statements that display only part of the account number.
Every organisation must have a privacy officer, according to the Act. This is someone who has a general understanding of the Act and can deal with privacy issues when they arise.
The Privacy Commissioner will be able to issue compliance notices to organisations to require them to do something, or stop doing something, in order to comply with the Act.
Organisations must notify the Privacy Commissioner and the affected individuals of privacy breaches that are likely to cause serious harm (including breaches by a service provider acting on your behalf). Example: leaked personal information that is used for identity theft or published online.
New criminal offences: it will be an offence to mislead an agency to access someone else’s personal information. Example: impersonating someone to access information that you are not entitled to see. It will also be an offence for an organisation to destroy personal information, knowing that a request has been made to access it.
The penalty for these offences is a fine of up to $10,000. Individuals affected by a breach can take a claim to the Human Rights Review Tribunal and may be awarded up to $350,000 per person, so a breach affecting many people can be very costly.
While $10,000 fines may be small compared with penalties under privacy laws in other countries, the following are also important:
The expectations that your staff, suppliers and customers have about their privacy. People are increasingly aware of what personal information is collected and stored about them, and how it is used.
The Privacy Commissioner will have more powers under the Act to publish the names of organisations who aren’t complying. This could cause staff, suppliers, and/or customers to lose trust in your organisation.
What do we need to do?
Your organisation should review all processes and systems that collect information about staff, suppliers, customers etc.
In terms of your staff, here are some things you should consider:
Does your organisation only ask for and store the information it actually needs?
Is there a reason why each piece of information is needed, and do you tell people what that reason is? You may need to review the questions on candidate application forms, new employee forms, payroll forms etc. Example: only a few years ago you may have needed a staff member's full home address to send them mail by post. With online communication, you may no longer have a necessary reason to collect or retain it.
How long is staff information kept, and how is it disposed of? Staff files must be kept for at least 6 years and pay records for 7 years, even for people who are no longer employed.
How long are the CVs and applications of unsuccessful candidates kept, and how are they disposed of? We recommend keeping them for no longer than 6 months.
How do you ensure that information about staff members is kept accurate? Example: personal email address, phone number, emergency contact details.
Do you gain consent for completing reference checks?
Do you forward CVs/applications, staff information etc. to other people or third parties? Is there a clear reason for doing so, and do you have the person's consent?
Who stores staff information (online and physical), and are they following appropriate security practices?
Who has access to staff files (online and physical), and why?
Are there reasonable safeguards (e.g. access controls and two-factor authentication) to protect the information?
Have you reviewed and updated Employment Agreement templates, ensuring they comply with the new Act?
Do you have a privacy officer?
Do staff know how to handle personal information (of staff, suppliers, customers etc), and what to do if there is a breach? Example: do your staff take customer details over the phone, and do they understand their responsibilities under the Act?
Do you need to undertake privacy training with your staff?
Do you have a policy that outlines how your organisation manages personal information and adheres to privacy requirements (i.e. one that addresses the questions raised above)?
There’s a lot to consider when it comes to privacy, and it can be overwhelming. It might be useful to discuss requirements for your organisation within your team. If you would like any further advice or assistance, please get in touch with one of our team.
This information is general guidance only, and you should not solely rely on this information; specific advice should be sought for your situation.