The Privacy Act 2020 – What You Need to Know

New Zealand’s new Privacy Act comes into effect on 1 December 2020, replacing the Privacy Act 1993. The new Act offers further protection for individuals and spells out new obligations that must be met by businesses and organisations doing business in New Zealand.

New Zealand’s Privacy Act 2020 significantly impacts businesses by requiring them to be transparent and accountable for how they handle customer information. Businesses must clearly explain why they collect data, obtain consent, and ensure strong security measures. This shift towards stricter privacy protections can be seen as an opportunity to build trust with customers. Compliance is important to avoid potential fines and the reputational damage that follows a data breach. By prioritising user privacy, businesses can demonstrate their commitment to ethical practices and gain a competitive advantage in a privacy-conscious market.

What’s Different in the New Privacy Act?

The following summary outlines the key changes. Click on the links to be directed to more information that will help to further explain your obligations under the Act.

  • Specific Privacy Breaches Must be Notified
    When other people’s personal information that you hold is lost, stolen or accessed without permission, this is a privacy breach. If the breach has caused, or may cause, serious harm, you must immediately notify the affected people and the Privacy Commissioner.

  • Failure to Comply with the Act
    If a business or organisation is not meeting its obligations under the Privacy Act 2020, the Privacy Commissioner can require a business to comply.

  • Allowing Access to Personal Information
    The Privacy Commissioner will have the power to issue an access direction to businesses or organisations that fail to give people access to their personal information.

  • Updates to Existing Privacy Principles
    The following Privacy Principles have been updated: 
    Principle 1 – Purpose of Collection
    Principle 4 – Manner of Collection
    Principle 13 – Unique Identifiers

  • Addition of a New Privacy Principle 
    The following Privacy Principle, which relates to sending information outside of New Zealand, has been added: Principle 12 – Cross Border Disclosure

  • The Extraterritorial Effect
    The new Privacy Act also covers overseas businesses or organisations carrying out business in New Zealand even if they do not have a physical presence in New Zealand e.g. Google or Facebook. If they hold information about New Zealand individuals, they will be subject to the privacy obligations imposed by the Act.

Mandatory Notifiable Privacy Breaches

If a business or organisation experiences a privacy breach that has caused serious harm to someone (or is likely to do so), it will need to notify both the affected people (so that they can take action to protect themselves) and the Office of the Privacy Commissioner as soon as practicable. It is an offence to fail to notify the Privacy Commissioner of a notifiable privacy breach. Failure to notify could incur a fine of up to $10,000.

More information:
https://www.privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-Information-sheet-2-breach-notifications.pdf

Report Privacy Breaches (NotifyUs Tool):
https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/

Compliance Notices

The Privacy Act 2020 allows the Privacy Commissioner to issue compliance notices to businesses and organisations that are not meeting their obligations under the Act. Refusing to comply with a compliance notice is an offence and can attract a $10,000 fine.

More information:
https://privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-information-sheet-4.pdf 

Privacy Act 2020 – Privacy Principles

We thought it worthwhile to include summaries of all the Principles contained within the Privacy Act 2020 so that you can make sure your business or organisation is compliant. The Privacy Act 2020 has 13 Privacy Principles that govern how you should collect, handle and use personal information. Principles 1, 4 and 13 are all updated from the 1993 Act and Principle 12 is a new addition. These are highlighted within the text below.

The following information has been gathered directly from the Office of the Privacy Commissioner website.

Principle 1 – Purpose for Collection (Updated)

You can only collect personal information if it is for a lawful purpose and the information is necessary for a lawful purpose connected with what your organisation does. You should practise data minimisation and not require identifying information if it is not necessary for your purpose.

The new Act has clarified that you can only collect identifying information if it is necessary – if you don’t need it, you shouldn’t collect it.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/1/


Principle 2 – Source of Personal Information

You should generally collect personal information directly from the person it applies to. Where that is not possible, you can collect it from other people in certain situations. For instance, if:

  • the person concerned gives you permission
  • collecting it in another way would not prejudice the person’s interests
  • collecting the information from the person directly would undermine the purpose of collection
  • you are getting it from a publicly available source. 

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/2/


Principle 3 – What to tell an individual

When you collect personal information, you must take reasonable steps to make sure that the person knows: 

  • why the information is being collected 
  • who will receive and have access to the information
  • whether giving information is compulsory or voluntary
  • what will happen if they don’t give you the information.

Sometimes there may be good reasons for not letting a person know you are collecting their information – for example, if it would undermine the purpose of the collection, or if it’s just not possible to tell them.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/3/

Principle 4 – Manner of Collection (Updated)

You may only collect personal information in ways that are lawful, fair and not unreasonably intrusive. 

Organisations must now take particular care when collecting personal information from children and young people.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/4/

Principle 5 – Storage and Security

You must make sure that there are reasonable security safeguards in place to prevent loss, misuse or disclosure of personal information. This includes limits on employees browsing other people’s information if they are not entitled to do so as part of their job.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/5/

Principle 6 – Access to Personal Information (New Access Directions)

People have a right to ask you for access to their personal information. In most cases you must promptly give them their information. Sometimes you may have good reasons to refuse access. For example, if releasing the information could:

  • endanger someone’s safety
  • create a significant likelihood of serious harassment
  • prevent the detection or investigation of a crime
  • breach someone else’s privacy. 

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/6/

If an organisation refuses or fails to provide access to personal information without a proper basis, the Commissioner may now compel the agency to give this information to the individual concerned.

More information here: https://privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-information-sheet-6.pdf

If a business or organisation destroys personal information to avoid handing it over to a person who has requested it, this is a criminal offence and the business or organisation can be fined up to $10,000.

More information here: https://privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-information-sheet-4.pdf

Misleading an agency to get personal information (e.g. impersonation) is also now a criminal offence under the Privacy Act 2020 and can attract a $10,000 fine.

More information here: https://privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-information-sheet-4.pdf 

Principle 7 – Correction of Personal Information

A person has a right to ask an organisation or business to correct their information if they think it is wrong. Even if you don’t agree that it needs correcting, you must take reasonable steps to attach a statement of correction to the information to show the person’s view.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/7/

Principle 8 – Accuracy

Before using or disclosing personal information, you must take reasonable steps to check it is accurate, complete, relevant, up to date and not misleading.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/8/

Principle 9 – Retention of Information

You must not keep personal information for longer than is necessary. Information can only be held for as long as needed to achieve the purpose for which it was collected.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/9/

Principle 10 – Limits on Use

You can generally only use personal information for the purpose for which you collected it. You may use it in ways that are directly related to the original purpose, or you may use it in another way if the person gives you permission, if the information won’t identify the person concerned, or for certain law enforcement purposes.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/10/

Principle 11 – Limits on Disclosure

You may only disclose personal information (share, transfer, give a copy) in limited circumstances. For example, if:

  • disclosure is one of the purposes for which you got the information
  • the person concerned authorised the disclosure
  • the information will be used in an anonymous way
  • disclosure is necessary to avoid endangering someone’s health or safety
  • disclosure is necessary to avoid a prejudice to the maintenance of the law.

You should get consent to share wherever possible.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/limits-on-disclosure-of-personal-information-principle-11/

Principle 12 – Disclosure outside New Zealand (New)

Cross border disclosure – you can only send personal information to someone overseas if the information will be adequately protected. For example:

  • the receiving person is subject to the New Zealand Privacy Act because they do business in New Zealand
  • the information is going to a place with comparable privacy safeguards to New Zealand
  • the receiving person has agreed to adequately protect the information – through model contract clauses (DOCX 69KB), etc.

If there aren’t adequate protections in place, you can only send personal information overseas if the individual concerned gives you express permission, unless the purpose is to uphold or enforce the law or to avoid endangering someone’s health or safety.

Further information about cross-border disclosure is provided here:
https://privacy.org.nz/privacy-act-2020/privacy-principles/12/
https://privacy.org.nz/publications/guidance-resources/disclosing-personal-information-outside-new-zealand/

Principle 13 – Unique Identifiers (Updated)

A unique identifier is a number or code that identifies a person in your dealings with them, such as an IRD or driver’s licence number. You can only assign your own unique identifier to individuals where it is necessary for operational functions. Generally, you may not assign the same identifier as used by another organisation.

More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/13/

If you assign a unique identifier to people, you must make sure that the risk of misuse is minimised to reduce the frequency and impact of identity theft.

How Do You Ensure You’re Compliant?

The following action steps are provided to assist you in ensuring you are meeting your obligations under the new Privacy Act 2020, but they do not constitute legal advice. We suggest that you seek legal advice to ensure you are taking the right steps to become and remain compliant.

  1. Make sure that you assign the role of Privacy Officer to at least one person within your organisation – this is a legal requirement in New Zealand. Information for Privacy Officers is available here.

  2. Update your Privacy Policy to ensure that people know exactly what information you collect, how you collect that information, what you use the information for, who will have access to the information, how (and for how long) you will store the information and how a person can request an update to or gain access to the information.

  3. Make sure you have a clear need for collecting different types of personal information and know exactly what information you collect and store and who is authorised to access it – including employees and third parties.

  4. Make sure that you are only holding personal information for the purpose in which it was first given. You cannot use personal information for other purposes without the express consent of the person whose information you hold. Safely dispose of any information that you no longer require.

  5. Consider who you are collecting personal information from — in general it should only come directly from the person that it applies to. Have a think about how processes are set up for things such as referral programmes, gift certificates and page shares, and decide if you are collecting and storing information from people who haven’t expressly requested you to do so.

  6. Make sure your security policies and storage systems are robust enough to minimise the risk of a security breach and make sure your staff know what constitutes a breach under the Act.

  7. Put a ‘security breach response plan’ in place to mitigate harm and allow you to expedite your notification obligations, should they be needed.

  8. Review current third-party contracts of those who process or have access to information provided by your company to ensure you are meeting your obligations.

  9. If you use offshore cloud-based storage that contains your clients’ personal information, such as CRM or accounting software, pay careful attention to the provider’s privacy policy to ensure adequate protections are in place – and specifically that they do not use the personal information for their own purposes.

  10. Check out the Essential Resources links below.

Essential Resources for Businesses and Organisations

Privacy Act Resources – Office of the Privacy Commissioner website

Free Online Privacy Education – Office of the Privacy Commissioner website

Full Privacy Act 2020  – Legislation New Zealand

Protecting Customer and Employee Information – Business.govt.nz

Cyber Security Resources – Cert NZ

Lastly, if your business is operating within the European Economic Area you may also need to make sure you are compliant with the requirements of the General Data Protection Regulation (GDPR). Check out our blog post for more information.
