On 1st December 2020, the new Privacy Act came into effect in New Zealand. The Act introduces a number of new privacy protections for individuals and obligations for organisations, including mandatory privacy breach notifications, access directions, and compliance notices. After successfully completing the e-learning course on the Privacy Act 2020 (which is available at www.privacy.org.nz), I did a 15 minutes presentation on The Privacy Act 2020 for the Health Intelligence Team at Counties Manukau Health, our team deals with highly sensitive and confidential data, hence it was extremely important to be fully aware with the new privacy act of New Zealand. I have combined my notes on Privacy Act 2020 and shared it below in the article. 🙂
What is Data Privacy?
Data Privacy or Information privacy is a part of the data protection area that deals with the proper handling of data with the focus on compliance with data protection regulations. It is centred around how data should be collected, stored, managed, and shared with any third parties. However, Data Privacy is not just about the proper handling of data but also about the public expectation of privacy. Data protection laws around the world aim to give back individuals control over the data, empowering individuals to know how their data is being used, by whom and why.
What does it mean to protect data?
Protecting data means handling personal data with respect for confidentiality and anonymity. This applies to all data related to individuals, such as their names, birth-dates, addresses, Social Security numbers, financial data and medical records. Failing to ensure data privacy can cause lots of trouble. Even a single leak of personal data can have a serious impact on your organisation’s financial well-being and its reputation, since public, investor and customer trust can be irreparably damaged. To protect data privacy, we need to understand what data we have, where it’s located and who can access it.
New Zealand Privacy Act
The Act applies to all types of entities – both public and private – and it refers to them as ‘agencies’ and the scope of the Act relates to personal information, as opposed to corporate data. Personal information is information about an identifiable individual.
- “Information” – covers anything from a name to an IP address.
- “About” – there needs to be a link between the information and the individual. For example, a weight measurement of “60kg” is not personal, but if the information says “XYZ’s weight is 60kg” then it is about an identifiable individual.
- “Identifiable individual” – a natural person, other than someone who is deceased.
The Privacy Act 1993 had 12 Information Privacy Principles (IPPs) which controlled how ‘agencies’ collect, use, disclose, store and give access to personal information. The Privacy Act applies to almost every person, business or organisation in New Zealand.
The Privacy Act 1993 needed an updated because technology has changed significantly in these 27 years; now a large parts of lives are online and organisations collect a lot of information about us online and through our smartphones, therefore it was the need of the time to update Privacy Act so organisations take good care of the personal information they hold about people.
New Zealand Privacy Act 2020
On 1 December 2020 the new Privacy Act came into effect.
The new Act replaces the Privacy Act 1993 and includes changes to information privacy principles, notification of privacy breaches, and new powers for the Privacy Commissioner.
The new Act also brings New Zealand in line with Europe’s privacy legislation though our penalties aren’t as severe. There will be up-to $10,000 penalties if we are found guilty. (In Europe, penalties for breaching the GDPR include fines of up to either 20 million euros or four percent of the annual global turnover, whichever is higher.)
Under the new Act there are one new IPP (IPP12) and 3 existing IPPs are updated. These updates in the act are summarised below:
- There is a new privacy principle that covers sending information overseas.
- There are new rules about letting affected people, and the Privacy Commissioner know when there has been a privacy breach.
- Overseas companies that do business in New Zealand are required to comply with the New Zealand Privacy Act.
- There are new enforcement measures including compliance directions, access directions and updated offences and penalties.
As we are discussing about the the changes in the Privacy Act 2020, let’s also recall principles that were already there in the act. There are 13 Privacy Principles under NZ Privacy Act 2020. Below is the summarised version of these 13 privacy principles:
We can only collect personal information if it is for a lawful purpose and the information is necessary for that purpose. We should not require identifying information if it is not necessary for our purpose.
We should generally collect personal information directly from the person it is about. Because that won’t always be possible, we can collect it from other people in certain situations. For instance, if: the person concerned gives us permission,collecting it in another way would not prejudice the person’s interests, collecting the information from the person directly would undermine the purpose of collection, we are getting it from a publicly available source.
When we collect personal information, we must take reasonable steps to make sure that the person knows: why it’s being collected, who will receive it, whether giving it is compulsory or voluntary, what will happen if they don’t give us the information. Sometimes there may be good reasons for not letting a person know we are collecting their information – for example, if it would undermine the purpose of the collection, or if it’s just not possible to tell them.
We may only collect personal information in ways that are lawful, fair and not unreasonably intrusive. Take particular care when collecting personal information from children and young people.
We must make sure that there are reasonable security safeguards in place to prevent loss, misuse or disclosure of personal information. This includes limits on employee browsing of other people’s information.
People have a right to ask us for access to their personal information. In most cases we have to promptly give them their information. Sometimes we may have good reasons to refuse access. For example, if releasing the information could: endanger someone’s safety, create a significant likelihood of serious harassment, prevent the detection or investigation of a crime, breach someone else’s privacy.
A person has a right to ask an organisation or business to correct their information if they think it is wrong. Even if we don’t agree that it needs correcting, we must take reasonable steps to attach a statement of correction to the information to show the person’s view.
Before using or disclosing personal information, we must take reasonable steps to check it is accurate, complete, relevant, up to date and not misleading.
We must not keep personal information for longer than is necessary.
We can generally only use personal information for the purpose we collected it. We may use it in ways that are directly related to the original purpose, or we may use it another way if the person gives us permission, or in other limited circumstances.
We may only disclose personal information in limited circumstances. For example, if: disclosure is one of the purposes for which we got the information, the person concerned authorised the disclosure, the information will be used in an anonymous way, disclosure is necessary to avoid endangering someone’s health or safety, disclosure is necessary to avoid a prejudice to the maintenance of the law.
Principle 12 (the new IPP)
We can only send personal information to someone overseas if the information will be adequately protected. For example: the receiving person is subject to the New Zealand Privacy Act because they do business in New Zealand, the information is going to a place with comparable privacy safeguards to New Zealand, the receiving person has agreed to adequately protect the information – through model contract clauses, etc. If there aren’t adequate protections in place, we can only send personal information overseas if the individual concerned gives us express permission, unless the purpose is to uphold or enforce the law or to avoid endangering someone’s health or safety.
A unique identifier is a number or code that identifies a person in our dealings with them, such as an IRD or driver’s licence number. We can only assign our own unique identifier to individuals where it is necessary for operational functions. Generally, we may not assign the same identifier as used by another organisation. If we assign a unique identifier to people, we must make sure that the risk of misuse (such as identity theft) is minimised.
For more detailed information, complete the e-learning course privacy 2.0, you can find this one the privacy commissioners website – www.privacy.org.nz