Not just a ‘big business’ thing: Why all organisations must respond to the Privacy Act 2020
It is New Zealand’s first big change to bring privacy to the internet agenda, and both big and small companies will be affected.
After years of discussion, New Zealand’s first big legislative push to improve data privacy in the digital age has finally passed into law.
In June 2020 New Zealand’s new privacy legislation passed through Parliament. The Privacy Act 2020 was passed unanimously and will come into effect in December 2020.
The Act applies to all organisations that conduct business in New Zealand. It enforces a new legal framework and regime for the protection of information.
One of the key elements of the new legislation is that all organisations, big and small, will be required to report serious privacy breaches to the Privacy Commissioner. Significantly, under this new legislation, the Privacy Commissioner has extensive special powers to enforce compliance notices if it considers an organisation has breached the Act.
There is widespread agreement that New Zealand’s privacy laws were long overdue for an overhaul. New Zealand has been plagued by security breaches of confidential customer information, with some of the more notable cases including property management firm LPM, national tax advisory, Inland Revenue, energy sector dominant Vector Z Energy and, most recently, the DDoS attacks on NZX. Those are examples of security breaches we know about.
Of particular note is that awareness of the implications of the Act is essential not just for business but for all New Zealanders. Connon Daly, General Manager at the IT Team, a full-service nationwide IT support and service provider, explains that, contrary to what is generally assumed, the new legislation has significance not only for large organisations but for every small and medium enterprise, as well as the privacy of individuals generally.
“It’s not just the breaches to the NZ stock exchange and other corporate level incidents that are important. Smaller businesses and organisations will fall under these changes and will also potentially be up for fines for activities that occur regularly.”
“Phishing attacks are one common example – you click on an innocent enough looking link in an email and in a matter of seconds your email and documents (which will likely contain individuals’ private information) have been compromised by a third party. These law changes and their implications should be taken seriously for all organisations and businesses.”
The new Privacy Act is important news for New Zealand. It is the first serious attempt since 1993 to manage the privacy implications of digital data and the internet age.
But while parliament is quick to assure the New Zealand public that the new law’s purpose is to promote confidence that personal information will be stored and secured properly, they have been less forthcoming about what the new legislation means on a practical level for business.
How do we stack up when it comes to privacy compared to the rest of the world?
The rest of the world has experienced a rapid evolution in data protection laws. The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, regulates how companies protect EU citizens’ personal data. Under this law companies could get fined as much as $US 600 million.
Instead of a central federal law, the US has so far largely depended on vertically-focused federal privacy laws pertaining to specific supply chains, but a newer generation of consumer-oriented privacy laws is being developed.
The Australian Government made significant changes to its privacy laws in March 2019 and 2020 to increase the maximum civil penalties for privacy breaches, as well as to more fully commit online platforms to notify users about data collection, set user-friendly data-collection settings, and introduce consumer actions for breaches.
Australia’s laws have been regarded as largely successful, so New Zealand has modelled its changes on Australia’s. New Zealanders do not have the same rights as data subjects in other countries, such as the ‘right to be forgotten’ or the right to data portability.
As of yet, under the New Zealand privacy legislation the Privacy Commissioner does not have the ability to hand out the eye-watering fines that can be administered for privacy breaches in the UK, EU and USA.
The legal implications are significant: from December 1st, 2020, business bosses will be responsible for any privacy breach committed by anyone in their organisation who is engaged in any element of the “data lifecycle”. That is, any activities involved with the collection, storage, use or disclosure of personal information undertaken by your business. Therefore, new approaches to capturing, tracking and auditing all organisational data are necessary.
There are things your company can do now to mitigate the risk of a breach. Put in place a privacy breach protocol and steps to capture learnings for future breach mitigation. Make sure all your contractors, agents and commercial partners who are engaged or involved in any part of the “data lifecycle” of your business are prepared to immediately notify you of a privacy breach so you can take action to contain the breach and assess if the breach is sufficiently serious to be notifiable.
All organisations that deal with data – which, according to Daly, consists of every New Zealander – will need to have a basic understanding of what’s required with new obligations on privacy breaches, or else risk being subject to criminal penalties. New Zealand’s law firms are readying themselves to play an increasing role in the new security environment, too – but if you get good advice you can avoid costly legal intervention.
Although Microsoft already has its own global strategy for countering security breaches, its products and services are sensitive to the local legislative context, and geared towards being fully compliant by the date the New Zealand legislation comes into force.
Fortunately, help and advice is available to business. The IT Team is one of the Microsoft network’s key actors specialising in understanding and incorporating privacy protocols into New Zealand businesses. They are hosting a security advancement webinar, “What do the NZ privacy law changes mean for your organisation?”
Register to find out how you can best prepare your organisation before the December 1st 2020 legal deadline. You’ll find out about:
– Key changes to the Information Privacy Principles
– Mandatory reporting of data breaches, including fines
– The Privacy Commissioner’s new compliance powers
– How functions in Microsoft 365 can help protect your data
– What protocols your organisation needs to implement now
Time/date: Wednesday, 23 September 2020; 2:00pm
Registration link: REGISTER
The I.T. Team
The I.T. Team delivers reliable, well managed and cost-effective I.T. services to medium-sized organisations around New Zealand. Our focus is on providing proactive technology advice, backed by fixed price, best in class Managed Services.