Securiti announces a $75M Series C Funding Round

View
Schedule a Demo

Blogs

Protecting Employees’ Data Under New Zealand’s Privacy Act

Published on August 14, 2021 AUTHOR - Privacy Research Team

New Zealand has recently replaced its Privacy Act of 1993 with a modernized version, the Privacy Act 2020. The New Zealand Privacy Act 2020 (NZPA) went into effect on December 1, 2020. It treats natural persons including consumers as well as employees equally and grants them several rights and safeguards in connection to the processing of their personal data.

This article provides a guide to the Human Resource Management team of an organization aiming to comply with New Zealand’s Privacy Act 2020. Let’s look into some of the key obligations under the NZPA that a Human Resource Management team must consider while handling employees’ personal data.

Collection and processing of employees’ data:

Under the NZPA, employers can collect employee's personal information only if it is necessary for the employer to carry out its legitimate function (lawful function) The employer is not allowed to collect employees’ personal information just because it can - it has to be able to justify why it needs to collect the information in order for the business to function.

Employers must also be open with their employees about what information they are collecting and what they will be using the information for. Additionally, they cannot collect information in ways that are unfair or unreasonably intrusive. For example, asking a remote employee to have a camera in their home at all times raises considerable privacy concerns and is likely to be considered unfair and unreasonable as it places the employee under constant surveillance. Similarly, misleading employees about what the information will be used for or unnecessarily collecting sensitive personal information is unfair and unreasonable.

The employer must always ensure that the employees’ data it has is accurate, up-to-date, complete, relevant and not misleading. In addition, it must not use the employees’ personal information that was obtained in connection with one purpose for any other purpose unless there are reasonable grounds to do so.

Securiti can help organizations map data to their owners, create privacy notices and incorporate sensitive data intelligence to ensure that all data protection principles are complied with.

Security of employee's personal data and privacy breaches:

Employees’ data must be protected by security safeguards in order to prevent loss, disclosure, or any other misuse of the data. In case of a privacy breach that has caused serious harm to the concerned employee, the employer must notify the Privacy Commissioner and the affected employee as soon as practicable after becoming aware of the breach. This will also include the obligation of notification of those privacy breaches that are caused by outsourced third-parties.

Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notification within hours of a security incident.

Third-party or cross-border data transfers:

While sharing an employees’ personal data with external third parties and vendors such as HR services, security contractors or medical insurance services, employers must assess their privacy practices and their third-party/vendor’s compliance with NZPA requirements. As far as cross-border data transfers are concerned, an employer can transfer an employee’s personal information outside New Zealand only if the destination country provides comparable safeguards to those in the NZPA, the destination country is part of a prescribed binding scheme issued by the government of New Zealand, or if the employee expressly authorizes the disclosure of personal information after having been informed of the inadequate data protection standards of the foreign country.

Securiti’s Vendor Management Solution allows organizations to assess their vendors based on a predefined risk score and also offers a centralized process to assess how compliant the third-party vendors are with the NZPA. Securiti also offers transfer impact assessments that will help organizations identify and review data transfers from New Zealand and remediate discovered vendor risks.

Also read International data transfers under New Zealand’s new Privacy Act.

Protection of vaccination status:

Employers must protect an employees’ vaccination status in accordance with the provisions of the NZPA. This means that employers must not share an employees’ vaccination details with third-parties or other employees unless the concerned employee has provided his/her consent. Another exception where vaccination status may be shared is where it is necessary to prevent or lessen a serious threat to public health or public safety. Additionally, employees must be made aware of how the information related to their vaccination status will be used and why it is being collected.

Securiti’s Sensitive Data Intelligence Solution can help your organization to discover, analyze and protect large data sets. It can help incorporate data intelligence in an automated fashion to achieve privacy compliance across all data processing activities and projects.

Employees’ requests to access and correction of their information:

The data subjects’ requests in relation to access and correction of their data will apply even during the COVID-19 emergency. An employer must respond to a data access request within 20 working days. However, an employer may notify an extension of time if the volume of information is such that a response cannot be given within 20 working days or necessary consultations cannot be completed within 20 working days, considering that the information requested is not readily retrievable.

Securiti offers the DSR Automation Solution to help organizations honor all rights and simplify the process of exercising these rights. This process turns manual work into an automated system that will help enterprises swiftly process data subject requests and enable coordination between stakeholders for reviews and approvals.

Operationalizing the NZPA

HR Management must meet the requirements of the above provisions of the NZPA. To achieve compliance, organizations need to operationalize their processes. This can be achieved in the following ways:

  • Disclose how you collect, process, retain, share and process employees’ data through transparent formal policies
  • Develop formal policies and procedures for the collection and handling of employees’ data
  • Update privacy policies as needed and share with all employees as well as consumers
  • Ensure privacy policies and notices are easily accessible and understandable to your workforce as well as incorporated in your employees’ handbooks
  • Review and update your processes
  • Maintain proper documentation with regards to your employees’ personal data

Manual processes are becoming obsolete and automation is the way forward if organizations hope to comply with global privacy regulations such as the NZPA. Securiti recruits the help of artificial intelligence and robotic automation to help organizations operationalize their processes.

Request a demo today and see how Securiti solutions can help your organization on the road to compliance.

Also read the Compliance Checklist for New Zealand’s new Privacy Act.

Securiti for Workday

Security | PrivacyOps | Governance | Compliance

See a Demo

Share this

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Related Content

Cookie Consent Requirements in Slovakia View More

November 23, 2022

Cookie Consent Requirements in Slovakia

On 9 November 2022, the Office for the Protection of Personal Data for the Slovak Republic (ÚOOÚ) published updated guidance on the use of cookies. Prior consent is required for the use of cookies except for those cookies...

Consent Requirements Under Thailand’s Data Protection Framework View More

November 19, 2022

Consent Requirements Under Thailand’s Data Protection Framework

On 7 September 2022, the Personal Data Protection Committee of Thailand (the “Data Protection Committee”) released Guidelines for Obtaining Consent from Data Subjects (the “Guidelines”). These Guidelines must be read together with Thailand’s Personal Data Protection Act (the...

Privacy-by-Design and Privacy-by-Default View More

November 16, 2022

Privacy-by-Design and Privacy-by-Default

Privacy-by-design and privacy-by-default are two cornerstone concepts of data protection regulatory frameworks. Thus, compliance thereof is an essential legal prerequisite for any entity which is involved in the collection, storage and processing of user's personal data. The foregoing...

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.

Copyright © 2022 Securiti · Sitemap · XML Sitemap

Newsletter

Company

Resources

Terms

Get in touch

[email protected]
3031 Tisch Way Suite 110 Plaza West, San Jose,
CA 95128

Users love Securiti on G2 G2 leader spring 2022 G2 leader summer 2022 G2 leader easiest business 2022 RSAC Leader Forrester Badge IAPP Innovation award 2020 Gartner Cool Vendor Award Sinet Innovator Award