New Zealand has implemented a much-needed update to its main privacy law, the New Zealand Privacy Act. In effect from December 2020, the amendments bring New Zealand law a little closer to the strict standards of the EU General Data Protection Regulation (GDPR).
Key changes include a broad application that encompasses non-New Zealand businesses, privacy breach notification requirements, and a prohibition on certain transfers of personal information overseas.
This article will outline New Zealand's existing privacy principles, and take a close look at some of the new obligations.
- 1. Privacy Principles
- 2. Changes to the New Zealand Privacy Act
- 2.1. Application to Foreign Organizations
- 2.2. Privacy Breach Notification
- 2.2.1. What is a "Privacy Breach?"
- 2.2.2. When Must You Provide a Privacy Breach Notification?
- 2.2.3. How to Notify the OPC
- 2.2.4. How to Notify Affected Individuals
- 2.3. Transferring Personal Information Overseas
- 2.4. Enforcement Powers
- 3. New Zealand Privacy Act 2020 vs. the GDPR
- 4. Summary
Privacy Principles
Before we look at what's new in the 2020 act, we're going to look briefly at the "information privacy principles," most of which were introduced under the New Zealand Privacy Act 1993.
Note that the Act refers to the people and organizations to which it applies as "agencies." Agencies have responsibility for any personal information (which the Act defines as "information about an identifiable individual") they collect, hold or control.
The Act sets out 13 information privacy principles. One of these principles (number 12) is a new entry under the 2020 act.
- Purpose for collection: Only collect personal information if it is necessary to do so for a lawful purpose.
- Source of information: Where possible, collect personal information directly from the individual it is about.
- What to tell an individual: When you collect personal information, you must tell the individual:
  - Why you are collecting it
  - Who will receive it
  - Whether they have a choice about whether to give it to you
  - What will happen if they refuse
- Manner of collection: Only collect personal information in a lawful, fair, and unintrusive way.
- Storage and security: Implement reasonable safeguards to protect personal information.
- Access: Provide an individual with access to their personal information unless it would:
  - Endanger someone's safety
  - Create a significant likelihood of serious harassment
  - Prejudice a criminal investigation
  - Breach someone else's privacy
- Correction: Correct an individual's inaccurate personal information on request.
- Accuracy: Make sure personal information is accurate, complete, relevant, up-to-date, and not misleading.
- Retention: Only keep personal information for as long as you need it.
- Use: Only use personal information for the purposes for which you collect it, or in ways that are directly related to the original purpose, unless you have the individual's permission.
- Disclosure: Only disclose personal information to a third party if:
  - You collected the personal information in order to disclose it
  - You have the individual's authorization
  - You have anonymized the personal information
  - Failing to disclose the personal information would endanger someone's health
  - Failing to disclose the personal information would prejudice the maintenance of the law
- Disclosure outside New Zealand: This is a new principle, which we'll look at below.
- Unique identifiers: Only assign a unique identifier to an individual if you need to for operational functions. Don't use the same unique identifier as another agency.
Complying with all these principles is essential whenever collecting, storing, or otherwise using New Zealand residents' personal information.
Changes to the New Zealand Privacy Act
Now let's look at the most significant changes to the New Zealand Privacy Act.
Application to Foreign Organizations
The New Zealand Privacy Act is now one of many privacy laws that applies both to domestic and foreign agencies.
An agency based outside of New Zealand must comply with the Act if it is "carrying on business in New Zealand in respect of personal information" the agency holds or collects, regardless of:
- Where the agency collected the personal information
- Where the agency holds the personal information
- Where the individual (whose personal information the agency collected or holds) is located
- Whether the agency:
  - Is a commercial operation
  - Has a place of business in New Zealand
  - Receives any payment for its goods or services
  - Intends to make a profit
The Act clearly attempts to apply as broadly as possible: any organization doing business in New Zealand must comply with it.
Privacy Breach Notification
The Act makes some changes to the rules on when agencies must notify people about "privacy breaches."
What is a "Privacy Breach?"
"Privacy breach" means personal information has been subject to unauthorized or accidental:
"Privacy breach" can also mean any action that means an agency is permanently or temporarily unable to access personal information. A privacy breach can be caused by a person internal or external to the agency, and can be either ongoing or completed.
When Must You Provide a Privacy Breach Notification?
An agency must provide a privacy breach notification if it is reasonable to believe that the breach has caused serious harm to one or more affected individuals, or is likely to do so.
Section 113 of the Act sets out how to assess whether a privacy breach is notifiable. When assessing whether the privacy breach is likely to cause serious harm, you can consider the following factors:
- What you've done to reduce the risk of harm following the breach
- Whether the personal information is sensitive
- What type of harm the individuals might experience
- Who has obtained or might obtain the personal information
- Whether the personal information is protected by a security measure
- Any other relevant matters
How to Notify the OPC
If you suffer a notifiable privacy breach, you must notify the New Zealand Office of the Privacy Commissioner (OPC) "as soon as practicable" after you become aware of the breach. You can use the OPC's "NotifyUs" page for this.
Your privacy breach notice must contain:
- A description of the breach, including:
  - How many individuals are affected
  - Who has accessed the personal information
- The steps you're taking in response to the breach, including whether you're contacting the affected individuals
- Details of any public notice you're planning to provide
- If you're planning not to notify the affected individuals, or you're planning to delay notification, your reasons for this
- The names of any other agencies you've notified, or are planning to notify, and your reasons for doing so
- Contact details of someone within your organization who can take inquiries about the breach
How to Notify Affected Individuals
Section 115 of the Act concerns the notification of individuals affected by a privacy breach. You must notify the affected individuals as soon as practicable after you become aware of the breach, unless:
- It is not "reasonably practicable" to notify the individual, in which case you must give public notice. The OPC suggests that you can do this "through website information, posted notices, or the media." Do not identify any affected individual in your public notice.
- The individual is under 16 and you believe that notifying them would not be in their best interests.
- The individual's healthcare provider has advised you that notifying the individual would be harmful to their health.
If either of the latter two points applies, you should consider whether you can notify the individual's representative, if they have one.
Your notice to individuals must contain:
- A description of the breach, including whether you have identified the person responsible (do not name them unless doing so would prevent a serious threat to life)
- The steps you're taking in response to the breach
- What steps the individual can take to mitigate the effects of the breach
- Confirmation that you have notified the OPC about the breach
- An explanation of the individual's right to make a complaint to the OPC
- Contact details of someone within your organization who can take inquiries about the breach
Transferring Personal Information Overseas
The Act introduces new rules about transferring personal information out of New Zealand. This is a new "information privacy principle."
Under information privacy principle 12, you cannot transfer personal information collected in New Zealand to a third party outside of New Zealand unless the recipient is covered by "comparable safeguards" to those imposed by the Act. There are other exceptions, which we'll cover below.
"Comparable safeguards" include the principles set out in Schedule 8 of the act:
- Collection limitation: Only collect personal information if it is lawful and fair to do so
- Data quality: Personal information should be accurate, adequate, and up to date
- Purpose specification: Specify your purposes for collecting personal information at the time of collection and don't use it for any incompatible further purposes
- Use limitation: Don't use personal information for unspecified reasons unless you have consent or legal authorization
- Security safeguards: Protect personal information against privacy breaches
- Openness: Be transparent about your practices and policies
- Individual participation: Individuals have the right to receive confirmation that an agency holds their personal information
- Accountability: Agencies are accountable under these principles
The OPC hasn't yet provided a list of countries with "comparable safeguards." However, you may wish to consider the EU's list of countries in receipt of an "adequacy decision." The EU deems these countries have laws that are "essentially equivalent" to the GDPR.
If you need to transfer personal information to an agency in a country that doesn't have "comparable safeguards," you may do so only if one or more of the following applies:
- You have the authorization of the individual and you have expressly informed them that the country to which you are sending their information does not have comparable safeguards
- You reasonably believe that the recipient is subject to the New Zealand Privacy Act
- The recipient is subject to a "prescribed binding scheme" (the OPC will approve prescribed binding schemes in the future)
Enforcement Powers
The OPC can issue "compliance notices" to agencies that fail to comply with the Privacy Act. A compliance notice requires you to do something or stop doing something. It sets out the steps you must take to meet your obligations and a deadline by which you must act.
The Act also introduces "access orders." The OPC can order you to provide an individual with access to their personal information.
An agency can face a fine of up to $10,000 NZD (approx. $7,200 USD) if it:
- Fails to comply with a compliance notice
- Fails to comply with an access order
- Makes a prohibited cross-border transfer of personal information
- Fails to properly notify the OPC of a notifiable privacy breach
New Zealand Privacy Act 2020 vs. the GDPR
We mentioned that the New Zealand Privacy Act brings Kiwi law a little closer to EU standards. However, the GDPR imposes more extensive obligations on businesses.
Here's a roundup of some of the key differences between the two laws.
| | GDPR | New Zealand Privacy Act |
|---|---|---|
| Data breach requirements | | |
| International transfers | Transfers of personal data to non-EEA countries are prohibited unless certain conditions are met | Transfers of personal information to agencies outside of New Zealand are prohibited unless certain conditions are met (see the exceptions above) |
| Penalties | Two levels of penalties | Up to $10,000 NZD (approx. $7,200 USD) |
Summary
The New Zealand Privacy Act 2020 affects any business operating in New Zealand that processes personal information.
Key updates to the law include:
- Any agency that is "carrying on business" in New Zealand is now covered by the law
- Agencies must report privacy breaches:
  - "As soon as is practicable"
  - Whenever it is "reasonable to believe" that the breach might cause a "risk of serious harm"
  - To the New Zealand Office of the Privacy Commissioner (OPC)
  - To the affected individuals
- Agencies must not transfer personal information to third parties based overseas unless:
  - The recipient country is covered by "comparable safeguards"
  - The recipient is covered by the New Zealand Privacy Act
  - The sender has the individual's authorization and has informed them of the risks
  - The recipient is covered by a "prescribed binding scheme"
- The OPC may issue fines of up to $10,000 NZD (approx. $7,200 USD) for non-compliance with certain provisions in the Act.