Do the Privacy Bill’s proposed changes mean that your business needs to change its privacy policies? This article looks at the upcoming changes to the Privacy Act and what they mean for your business. In the 21st century, there is growing concern that personal information is being mishandled by businesses and public authorities. This has led to the Privacy Bill introducing stronger measures to protect our personal data.

What changes does the Privacy Bill propose?

Currently, the Privacy Act 1993 governs how agencies handle personal data. However, Parliament is looking to update New Zealand’s privacy laws through the Privacy Bill, which is likely to become law in 2020. Three key changes the Bill introduces are:

  • a business must report any serious privacy breaches to both the Office of the Privacy Commissioner and all people affected by the breach;
  • a business cannot destroy requested personal data in order to avoid disclosing it;
  • a New Zealand business using a foreign service provider must ensure personal information is kept secure and is handled in compliance with New Zealand’s privacy laws.

What is a serious privacy breach under the Privacy Bill?

One of the most significant changes is the requirement to report a serious privacy breach. If the Bill is enacted, businesses will have to report a privacy breach where it is reasonable to believe it has caused or is likely to cause serious harm to an individual. Factors such as the nature of the personal information and the nature of the harm are used to determine whether a privacy breach is likely to cause serious harm.

How can your business prepare for the potential changes in New Zealand privacy law?

There are several steps your business can take to ensure its privacy policies are compliant. Your business can:

  • inform staff of the relevant changes;
  • set up processes for when customers request their information;
  • ensure all personal information is held safely;
  • ask your foreign service provider if/how they are meeting New Zealand privacy laws;
  • appoint a privacy officer (this is a current requirement of the Privacy Act 1993);
  • review and update your privacy statement.

The Office of the Privacy Commissioner provides useful guidance for businesses, including educational resources.

If you have any questions about this topic, please contact us and we would be happy to discuss further.