New Zealand’s privacy legislation seeks to provide a framework for protecting an individual’s right to privacy of personal information.
Personal information is any information which tells us something about a specific individual. The information does not need to name the individual; it is enough that they are somehow identifiable and it is the content of personal information that is of concern, not the form it takes. This means all sorts of things can contain personal information including notes, emails, recordings, photographs and scans, whether they are in hard copy or electronic form.
The old 1993 Privacy Act set out 12 “guiding” privacy principles. The current 2020 Act, which came into force in December 2020 includes those same guiding principles, with one addition. It also has a number of other amendments, some of which are discussed below.
Notifying a Breach – Part 6
Businesses or agencies which hold personal information are now required to notify the Privacy Commissioner of any “notifiable” privacy breach. A “notifiable” breach will occur in circumstances where it is reasonable to believe that the breach has caused, or is likely to cause, serious harm to an individual. Failure to notify the Privacy Commissioner of a “notifiable” breach without a reasonable excuse may result in a fine of up to $10,000.
What amounts to “serious harm”? If a breach occurs and some action is required to reduce the risk of harm occurring, it is likely that the actual or potential harm will be considered to be serious. The harm is also likely to fall into the category of “serious” where the personal information disclosed is sensitive or where the nature of the harm that may be caused is significant. Also of relevance is who has obtained, or could obtain, the personal information. Finally, the protection of the personal information by a security measure will suggest serious harm will result from any breach. The individual affected by the breach must be notified of it as soon as practically possible. If it is not reasonably practical to personally notify that individual, public notice must be given of the breach.
Are there any exceptions? There are a number of exceptions to the requirement to notify. Notification is not necessary where to do so would endanger the safety of any person or reveal a trade secret. However, protecting you or your company’s reputation is not a sufficient reason to refuse or delay notifying. See s116 of the Act for the full list of exceptions.
Who is responsible for issuing the notification? The business organisation is responsible for issuing the notification, not individual employees. In addition, anything relating to a notifiable privacy breach that is known by an employee or a member of an agency, is treated as being known by the employer or the agency.
What is best practice? In order to ensure compliance, the Act recommends that every business has a Privacy Officer to create and facilitate a privacy breach handling process so that any breaches can be dealt with in a timely manner. The management of any breach will include containing the breach and determining whether the breach must be notified to the Privacy Commissioner.
Disclosing information overseas
A new privacy principle has been added to regulate the way personal information can be sent overseas (Principle 12). Once the new Act is passed, unless the relevant individual has authorised the disclosure of their personal information outside of New Zealand, an organisation or business can only disclose personal information to an overseas agency if that agency is subject to similar safeguards as those contained in the New Zealand Privacy Act 2020. This can be done by imposing contractual data protection requirements on the recipient which are in line with the protections in the Privacy Act, or ensuring that the recipient is subject to laws of another jurisdiction that provide comparable protections.
If that agency is not subject to similar safeguards, the individual concerned must be fully informed of that fact and that there is the possibility that their information may not be adequately protected. In those circumstances, the individual must expressly authorise the disclosure of the information.
The transfer of personal information to an offshore data processor (for example a cloud storage provider) will (usually) not constitute an overseas disclosure. This is an important exception given that none of the major public cloud service providers have
data centres in New Zealand.
Extra territorial effect
Finally, the Act has extra territorial effect. This means an overseas business or organisation that is carrying on business in New Zealand will be subject to the Act’s privacy obligations even if that business or organisation does not have a physical presence in New Zealand (for example Google and Facebook).
There have been many changes since the 1993 Privacy Act came into force, particularly in terms of how we send, receive and store information. The 2020 revisions seek to ensure that an individual’s right to privacy of personal information is protected in this new environment.
Article - Privacy Act (Oct 2020)
By Shyrelle Mitchell, Partner, Heaney & Partners
This article is featured in NAI Harcourts Market Leader Issue 1, 2021