The Privacy Act has changed in New Zealand. Is your business ready for it?
The first question should really be, did you even know it was changed?
Or better yet, do you understand your current privacy obligations?
Privacy has always been an important aspect to consider in business. But that has never been more true than in our current digital age, where we hold far more personal information about our staff and customers than ever before.
The Privacy Bill, which amends the Privacy Act 1993, passed through Parliament on 30 June 2020. That means changes are coming! They came into effect on 1 December 2020.
To ensure your business is ready and will be compliant with the new regulations, EC Credit Control has put together all the information you need to know. Read on to find out more.
What Is The Privacy Act 1993 For?
The Privacy Act 1993 was introduced with the sole purpose of protecting people. It details how people’s personal information can be collected and stored here in New Zealand.
The legislation states that people’s personal information can only be obtained for lawful purposes. That means you can only collect the information that is relevant to your business and is necessary for the service you are providing.
For example, if you are offering garden maintenance, then you will obviously need name and address details for your clients. But, you won’t need a record of their personal earnings or what they purchase at the supermarket each week!
Once personal information is obtained, you have a responsibility to keep it safe and secure for the period that it is needed. It should not be disclosed unnecessarily and the person should have the absolute right to amend their information for accuracy.
Sounds pretty straightforward, right?
Well, it was simple to adhere to when the regulations came into effect almost 3 decades ago. Now, with the digital world dominating every aspect of our modern lives, it is no surprise that an almost 30-year-old Act surrounding personal information needs some amendments!
What’s Changed?
The core purpose of the Privacy Act is not changing. It is still a piece of legislation that is designed to protect people and their personal information.
The ever-increasing problem of cyber threats, numerous data breaches from high-profile organisations, and international law like the GDPR have highlighted the need for greater focus in this area. So, the update to the Act makes sure personal information is kept safe even with the use of new technology and new ways of doing business.
The changes impact every business that collects, stores and uses personal information about their employees and/or customers. This includes New Zealand businesses that have overseas team members and use international service providers.
It is your responsibility to ensure that every facet of your business is meeting NZ privacy laws.
The Specifics
These are the specific aspects that are being updated and your responsibilities in regard to those changes.
Reporting Data Breaches
Any company that experiences a data breach that is likely to cause harm to the individuals whose data has been compromised must report this breach to the Privacy Commissioner and the individuals involved.
This creates a constant demand for transparency and holds you accountable for your data security. It means you need strong systems and processes in place to ensure that all personal data is held securely in your business, regardless of whether it is in an email database or your cloud accounting software.
International Data Protection
All businesses will need to ensure any personal data will be protected by security that is comparable to New Zealand privacy laws if it is being transferred offshore. The most common example of this is cloud-based storage or software.
This measure ensures that people are guaranteed the same level of safety and security regardless of whether their information is used within New Zealand’s borders or beyond. Permission is always needed before any data is disclosed, both locally and internationally.
Beyond The Borders
The Act now has global borders. So, privacy laws relate to anyone carrying out business in New Zealand. That includes both local and overseas companies. Any business that operates in New Zealand is included, even if they don’t have physical premises here or turn a profit.
This amendment protects the people whose information is collected by companies doing business in New Zealand. It applies regardless of where the information was obtained or where the person resides.
It means your company needs to comply with New Zealand privacy law as well as local overseas jurisdictions, even if the company (or some of your team) is housed outside of NZ’s borders.
Greater Power For The Privacy Commissioner
The Privacy Commissioner will now have greater power. They will be able to issue compliance notices that will require a business to do something, or to stop doing something. They will also be able to make binding decisions on complaints. The Commissioner also has increased information gathering powers and can shorten the timeframe that an agency has to comply with investigations.
Criminal Offences
New criminal offences are being introduced, making it an offence to breach data, destroy documents that contain requested personal information, or release data that people are not entitled to see. These new offences will carry a penalty of up to $10,000.
What Your Business Needs To Do
A change in law usually prompts a business to check its processes. So, you need to ensure that your business is going to be fully compliant with the original Act and these new amendments.
Here are the steps you need to take:
- Make sure all personal information is stored securely, both physically and online. If you use any overseas service providers, ensure their security standards are compliant with NZ privacy laws.
- Only hold the personal information for the relevant timeframe and ensure it is securely disposed of when no longer required.
- Appoint a Privacy Officer – this person needs to be familiar with the Privacy Act and what it means for your business. They are also responsible for dealing with any privacy issues, should they arise.
- Speak with your team about what to do if a data breach occurs. Advise them of the process for who to alert and how to handle the situation.
- Review your Privacy Statement to ensure it is up to date. If you don’t currently have a Privacy Statement, then you need to make sure you have one in place. EC Credit Control have all the tools to help you create this vital document, so get in touch with them if you need help putting it together.
Complying with these upcoming changes to the Privacy Act 1993 should be a priority for your business. Data breaches can be costly from a financial perspective, but are also costly to your company’s reputation.
If you are unsure how the amendments will impact your business or how you can ensure you are compliant, then get in touch with the team at EC Credit Control. They have the knowledge and expertise to position your business for safety and security when it comes to protecting the data of your team and customers.