New Zealand Privacy Act 2020

New Zealand has implemented a much-needed update to its main privacy law, the New Zealand Privacy Act. In effect from December 2020, the amendments bring New Zealand law a little closer to the strict standards of the EU General Data Protection Regulation (GDPR).

Key changes include a broad application that encompasses non-New Zealand businesses, privacy breach notification requirements, and a prohibition on certain transfers of personal information overseas.

This article will outline New Zealand's existing privacy principles, and take a close look at some of the new obligations.

Privacy Principles

Before we look at what's new in the 2020 act, we're going to look briefly at the "information privacy principles," most of which were introduced under the New Zealand Privacy Act 1993.

Note that the Act refers to the people and organizations to which it applies as "agencies." Agencies have responsibility for any personal information (which the Act defines as "information about an identifiable individual") they collect, hold or control.

The Act sets out 13 information privacy principles. One of these principles (number 12) is a new entry under the 2020 act.

Purpose for collection: Only collect personal information if it is necessary to do so for a lawful purpose.
Source of information: Where possible, collect personal information directly from the individual it is about.
What to tell an individual: When you collect personal information, you must tell the individual:
1. Why you are collecting it
2. Who will receive it
3. Whether they have a choice about whether to give it to you
4. What will happen if they refuse
Manner of collection: Only collect personal information in a lawful, fair, and unintrusive way.
Storage and security: Implement reasonable safeguards to protect personal information.
Access: Provide an individual with access to their personal information unless it would:
1. Endanger someone's safety
2. Create a significant likelihood of serious harassment
3. Prejudice a criminal investigation
4. Breach someone else's privacy
Correction: Correct an individual's inaccurate personal information on request.
Accuracy: Make sure personal information is accurate, complete, relevant, up-to-date, and not misleading.
Retention: Only keep personal information for as long as you need it.
Use: Only use personal information for the purposes for which you collect it, or in ways that are directly related to the original purpose, unless you have the individual's permission.
Disclosure: Only disclose personal information to a third party if:
1. You collected the personal information in order to disclose it
2. You have the individual's authorization
3. You have anonymized the personal information
4. Failing to disclose the personal information would endanger someone's health
5. Failing to disclose the personal information would prejudice the maintenance of the law
Disclosure outside New Zealand: This is a new principle which we'll look at below
Unique identifiers: Only assign a unique identifier to an individual if you need to for operational functions. Don't use the same unique identifier as another agency.

Complying with all these principles is essential whenever collecting, storing, or otherwise using New Zealand residents' personal information.

A good way to comply with information privacy principle 3 (what to tell the individual) is to create a Privacy Policy that includes all the necessary information about how and why you process personal information. You can present your Privacy Policy whenever you collect personal information from an individual.

Changes to the New Zealand Privacy Act

Now let's look at the most significant changes to the New Zealand Privacy Act.

Application to Foreign Organizations

The New Zealand Privacy Act is now one of many privacy laws that applies both to domestic and foreign agencies.

An agency based outside of New Zealand must comply with the Act if it is "carrying on business in New Zealand in respect of personal information" the agency holds or collects, regardless of:

Where the agency:
- Collected the personal information
- Holds the personal information
Where the individual (whose personal information the agency collected or holds) is located
Whether the agency:
- Is a commercial operation
- Has a place of business in New Zealand
- Receives any payment for its goods or services
- Intends to make a profit

The Act clearly attempts to apply as broadly as possible: any organization doing business in New Zealand must comply with it.

Privacy Breach Notification

The Act makes some changes to the rules on when agencies must notify people about "privacy breaches."

What is a "Privacy Breach?"

"Privacy breach" means personal information has been subject to unauthorized or accidental:

Access
Disclosure
Alteration
Loss
Destruction

"Privacy breach" can also mean any action that means an agency is permanently or temporarily unable to access personal information. A privacy breach can be caused by a person internal or external to the agency, and can be either ongoing or completed.

When Must You Provide a Privacy Breach Notification?

An agency must provide a privacy breach notification if it is reasonable to believe that the breach has caused serious harm to an affected individual(s) or is likely to do so.

Here's section 113 of the Act, which outlines how to assess whether a privacy breach is notifiable:

Parliamentary Counsel Office: New Zealand Legislation - Privacy Act 2020 Section 113: Assessment of likelihood of serious harm being caused by privacy breach

When assessing whether the privacy breach is likely to cause serious harm, you can consider the following factors:

What you've done to reduce the risk of harm following the breach
Whether the personal information is sensitive
What type of harm the individuals might experience
Who has obtained or might obtain the personal information
Whether the personal information is protected by a security measure
Any other relevant matters

How to Notify the OPC

If you suffer a notifiable privacy breach, you must notify the New Zealand Office of the Privacy Commissioner (OPC) "as soon as practicable" after you become aware of the breach. You can use the OPC's "NotifyUs" page for this.

Your privacy breach notice must contain:

A description of the breach, including:
- How many individuals are affected
- Who has accessed the personal information
The steps you're taking in response to the breach, including whether you're contacting the affected individuals
Details of any public notice you're planning to provide
If you're planning not to notify the affected individuals, or you're planning to delay notification, your reasons for this
The names of any other agencies you've notified, or are planning to notify, and your reasons for doing so
Contact details of someone within your organization who can take inquiries about the breach

How to Notify Affected Individuals

Here's section 115 of the Act, which concerns the notification of individuals affected by a privacy breach:

Parliamentary Counsel Office: New Zealand Legislation - Privacy Act 2020 Section 115: Agency to notify affected individual or give public notice of notifiable privacy breach

You must notify the affected individuals as soon as practicable after you become aware of the breach, unless:

It is not "reasonably practicable" to notify the individual, in which case you must give public notice. The OPC suggests that you can do this "through website information, posted notices, or the media." Do not identify any affected individual in your public notice.
The individual is under 16 and you believe that notifying them would not be in their best interests.
The individual's healthcare provider has advised you that notifying the individual would be harmful to their health.

If either of the latter two points applies, you should consider whether you can notify the individual's representative, if they have one.

Your notice to individuals must contain:

A description of the breach, including whether you have identified the person responsible (do not name them unless doing so would prevent a serious threat to life)
The steps you're taking in response to the breach
What steps the individual can take to mitigate the effects of the breach
Confirmation that you have notified the OPC about the breach
An explanation of the individual's right to make a complaint to the OPC
Contact details of someone within your organization who can take inquiries about the breach

Transferring Personal Information Overseas

The Act introduces new rules about transferring personal information out of New Zealand. This is a new "information privacy principle."

Here's information privacy principle 12, as it appears in the Act:

Parliamentary Counsel Office: New Zealand Legislation - Privacy Act 2020 Information privacy principle 12: Disclosure of personal information outside New Zealand

You cannot transfer personal information collected in New Zealand to a third party outside of New Zealand unless the recipient is covered by "comparable safeguards" to those imposed by the act. There are other exceptions which we'll cover below.

"Comparable safeguards" include the principles set out in Schedule 8 of the act:

Collection limitation: Only collect personal information if it is lawful and fair to do so
Data quality: Personal information should be accurate, adequate, and up to date
Purpose specification: Specify your purposes for collecting personal information at the time of collection and don't use it for any incompatible further purposes
Use limitation: Don't use personal information for unspecified reasons unless you have consent or legal authorization
Security safeguards: Protect personal information against privacy breaches
Openness: Be transparent about your practices and policies
Individual participation: Individuals have the right to receive confirmation that an agency holds their personal information
Accountability: Agencies are accountable under these principles

The OPC hasn't yet provided a list of countries with "comparable safeguards." However, you may wish to consider the EU's list of countries in receipt of an "adequacy decision." The EU deems these countries have laws that are "essentially equivalent" to the GDPR.

If you need to transfer personal information to an agency in a country that doesn't have "comparable safeguards," you may do so only if one or more of the following applies:

You have the authorization of the individual and you have expressly informed them that the country to which you are sending their information does not have comparable safeguards
You reasonably believe that the recipient is subject to the New Zealand Privacy Act
The recipient is subject to a "prescribed binding scheme" (the OPC will approve prescribed binding schemes in the future)

Enforcement Powers

The OPC can issue "compliance notices" to agencies failing to comply with the Privacy Act. This notice will require you to do something or stop doing something. It will provide steps you must take to meet your obligations and a deadline by which you must act.

The Act also introduces "access orders." The OPC can force you to provide and individual access to their personal information.

An agency can face a fine of up to $10,000 NZD (approx. $7,200 USD) if it:

Fails to comply with a compliance notice
Fails to comply with an access order
Makes a prohibited cross-border transfer of personal information
Fails to properly notify the OPC of a notifiable privacy breach