The new Privacy Bill, now the Privacy Act 2020 was passed into law on 30 June and comes into force on 1 December 2020. In this note we briefly summarise the most salient aspects of the reforms.

Mandatory notification of harmful privacy breaches

• Agencies are required to notify the Commissioner and affected individuals when a privacy breach occurs that causes serious harm or is likely to do so occurs.
• There are a number of mandatory factors to consider when an agency assesses whether a breach is likely to cause serious harm including actions taken by the agency to reduce the risk of harm and whether the personal information subject to the breach was protected by a security measure, such as encryption for example.

Introduction of compliance notices

• The Commissioner will be empowered to issue compliance notices to agencies who have failed to adequately respond and remedy a privacy breach previously identified by the Commissioner and notified to the agency in writing.
• Importantly, the Commissioner may issue a compliance notice concurrently while dealing with the breach under other provisions of the Act.

Binding access directions

• The Commissioner will be empowered to issue binding directions against agencies to allow individuals to access their information.

Controls on the disclosure of information overseas

• An agency will remain responsible for information held by another agency as its agent. This applies where agencies are using cloud service providers or sending information overseas for storage and processing.
• However in situations where the agent uses or discloses the information for its own purposes, it too is treated as “holding” the information and will be subject to the Act.

Class actions

• For the first time, “aggrieved individuals” (whose privacy is the subject of a complaint, investigation or proceeding) may commence proceedings in the Human Rights Review Tribunal as a class.

New criminal offences and penalties

• Misleading an agency to obtain access to someone else’s personal information and destroying a document which is the subject of an information request are included in the new criminal offences created by the Act.
• The new maximum fine will be $10,000. While higher than the current maximum penalty of $2000, this pales in comparison to the 20 million euro maximum fine that can be levied under the European Union’s General Data Protection Regulation (GDPR) or even the 2 million dollar maximum in Australia.

Application to overseas agencies

• Overseas agencies carrying on business in New Zealand will be subject to the Act regardless of where the personal information is collected and held and regardless of where the person to whom the personal information relates is located.

Watch this space for our practical guides on how your business can ensure compliance with the new disclosure rules and what to do if your business suffers a data breach.

If you have any questions or need assistance or training to ensure continued compliance under the new Act, please get in touch.