Privacy for organisations is important and should be taken seriously. In this article we show you how.
We all value our personal information. No one wants their personal details accessed or used inappropriately. It can lead to spam or more worryingly, identity theft or fraud. It can also exact an emotional toll.
The Privacy Act 2000 (Act) is all about helping to protect individuals and keeping the organisations who collect personal information accountable. The amended Act came into force on 1 December 2020, so you need to be following it now.
Top tips
- Treat other people’s information as if it were your own—with care and respect.
- Follow the rules. If unsure what to do, seek help.
- Adopt or update your Privacy Policy and appoint a Privacy Officer.
- Consider doing a Privacy Impact Assessment to inform projects or proposals. This may save time and money. Use the toolkit.
- Make use of the resources available. Seek legal advice for more serious matters.
Who has responsibilities?
The Act refers to ‘agencies’. This is any organisation or person that collects and holds personal information about people, whether private or public sector. Some examples are companies, businesses (including small businesses), clubs, charities and community groups.
The Privacy Commissioner’s Compliance and Regulatory Action Framework says that its goal is to achieve high levels of voluntary compliance by seeking to make the regulatory approach as clear as possible.
If your organisation breaches privacy rules there can be consequences: for example, failing to report a notifiable breach is punishable on prosecution by a fine of up to $10,000.
A word of caution – privacy covers everything you do, so it includes emails and texts. Be careful what you say, as those records might need to be disclosed if a person asks for them. Also, if a reporter is writing about your organisation, avoid using their real name in internal communications – use a pseudonym instead. Their name is an example of personal information, and the journalist is therefore entitled to see the number of times they have been referred to in communication. Furthermore, they may be entitled to see what has been written about them, so our advice is to be scrupulously professional in all communication.
What do agencies need to do?
At the heart, this is about being respectful and careful. Imagine it is your personal information and treat it accordingly. Follow the links below to the Privacy Principles for more detail. What you need to consider falls into these categories.
1. Collecting personal information
- Only collect information that you really need. The more you collect, the more care is needed. We do see clients collecting more than is necessary, so ask yourself whether each item is needed. (Privacy Principle 1)
- Collect information from the person directly (or their authorised representative). (Privacy Principle 2)
- Tell people why you are collecting the information. Having a Privacy Statement is a good idea. You can develop one using the Privacy Commissioner’s generator or we can draft a complete and bespoke version specifically for your circumstances. (Privacy Principle 3)
- Collect information lawfully and fairly, or there may be consequences. (Privacy Principle 4)
2. Storing personal information
- Keep information genuinely secure. Lock it up or password protect it, and limit access. Ensure staff know what they can and cannot access. (Privacy Principle 5)
- Ensure you can provide it promptly to a person on their request. Charges should generally not apply, and if they do they must be reasonable. (Privacy Principle 6)
- Correct personal information if it is not correct. (Privacy Principle 7)
- Keep personal information accurate. (Privacy Principle 8)
- Keep information only as long as you need to and dispose of it carefully. (Privacy Principle 9)
- Use the information only for the purpose it was collected. (Privacy Principle 10)
- Disclose personal information only for a valid reason, for example, when required by law. (Privacy Principle 11)
- Follow the rules for sending personal information out of New Zealand, including digitally. (Privacy Principle 12)
- Only use a ‘unique identifier’ (something that is unique to a person, such as a driver’s licence number) when necessary. (Privacy Principle 13)
FAQs
1. How do you ask an agency for your information?
Use this form, or request the information by phone, email or letter. Agencies must reply within 20 working days, or 10 days for urgent requests, but can refuse for valid reasons.
2. How do you correct your information?
Contact the agency, explain the error, and ask for it to be corrected. If the correction is refused, you may complain to the Privacy Commissioner.
3. How do you make a complaint?
Try to resolve it with the agency first. If that doesn’t work, complain to the Privacy Commissioner. They will not investigate situations from long ago or that didn’t cause you harm, or things like family disputes, someone else’s personal information, or vexatious matters.
4. Are there any special rules for sensitive personal information?
Codes of practice exist for some sensitive types of personal information, such as health, credit and superannuation information.
5. How can you check if your information has been leaked?
Check at haveibeenpwned.com
6. What happens if your privacy is breached?
Contact New Zealand’s national identity and cyber support community service IDCARE on 0800 121 068.
7. How do you keep your own information safe?
Your personal information is important to you and may be valuable to others who can benefit from it. Be thoughtful about giving out your personal information. Many agencies provide a discount when you join their ‘club’. Ask yourself if it is really worth it.
- When asked for your details by email or phone, question why it is needed and confirm the collection is valid.
- Monitor your email and bank accounts and be alert for any suspicious behaviour.
- Use complex passwords and change them monthly—it’s worth the effort.
- Report breaches.
8. What if you need to breach a privacy obligation?
Look at the guidance and contact the Privacy Commissioner’s Office for clarification.
A key change – Reporting privacy breaches
Agencies must report serious breaches to the Privacy Commissioner and the affected individuals. A serious breach is one that has or is likely to cause serious harm to those affected. Failure to notify the Privacy Commissioner of a notifiable privacy breach may result in a fine of up to $10,000 or the issue of a public compliance notice.
Read more on your personal information rights here.
---
This article is merely an overview of the Privacy Act. We recommend visiting the Privacy Commissioner’s website.
It is not a substitute for legal advice and you should contact a lawyer about your specific situation. If you think your privacy policy is insufficient (or non-existent!), we strongly encourage you to get in touch with us. We’d love to help. Contact Steven Moe at stevenMoe@parryfield.com or Aislinn Molloy at aislinnMolloy@parryfield.com.