IDC Names Securiti a Worldwide Leader in Data PrivacyView
New Zealand has recently replaced its Privacy Act of 1993 with a modernized version, the Privacy Act 2020. The New Zealand Privacy Act 2020 (NZPA) went into effect on December 1, 2020. It treats natural persons including consumers as well as employees equally and grants them several rights and safeguards in connection to the processing of their personal data.
This article provides a guide to the Human Resource Management team of an organization aiming to comply with New Zealand’s Privacy Act 2020. Let’s look into some of the key obligations under the NZPA that a Human Resource Management team must consider while handling employees’ personal data.
Under the NZPA, employers can collect employee's personal information only if it is necessary for the employer to carry out its legitimate function (lawful function) The employer is not allowed to collect employees’ personal information just because it can - it has to be able to justify why it needs to collect the information in order for the business to function.
Employers must also be open with their employees about what information they are collecting and what they will be using the information for. Additionally, they cannot collect information in ways that are unfair or unreasonably intrusive. For example, asking a remote employee to have a camera in their home at all times raises considerable privacy concerns and is likely to be considered unfair and unreasonable as it places the employee under constant surveillance. Similarly, misleading employees about what the information will be used for or unnecessarily collecting sensitive personal information is unfair and unreasonable.
The employer must always ensure that the employees’ data it has is accurate, up-to-date, complete, relevant and not misleading. In addition, it must not use the employees’ personal information that was obtained in connection with one purpose for any other purpose unless there are reasonable grounds to do so.
Employees’ data must be protected by security safeguards in order to prevent loss, disclosure, or any other misuse of the data. In case of a privacy breach that has caused serious harm to the concerned employee, the employer must notify the Privacy Commissioner and the affected employee as soon as practicable after becoming aware of the breach. This will also include the obligation of notification of those privacy breaches that are caused by outsourced third-parties.
While sharing an employees’ personal data with external third parties and vendors such as HR services, security contractors or medical insurance services, employers must assess their privacy practices and their third-party/vendor’s compliance with NZPA requirements. As far as cross-border data transfers are concerned, an employer can transfer an employee’s personal information outside New Zealand only if the destination country provides comparable safeguards to those in the NZPA, the destination country is part of a prescribed binding scheme issued by the government of New Zealand, or if the employee expressly authorizes the disclosure of personal information after having been informed of the inadequate data protection standards of the foreign country.
Employers must protect an employees’ vaccination status in accordance with the provisions of the NZPA. This means that employers must not share an employees’ vaccination details with third-parties or other employees unless the concerned employee has provided his/her consent. Another exception where vaccination status may be shared is where it is necessary to prevent or lessen a serious threat to public health or public safety. Additionally, employees must be made aware of how the information related to their vaccination status will be used and why it is being collected.
The data subjects’ requests in relation to access and correction of their data will apply even during the COVID-19 emergency. An employer must respond to a data access request within 20 working days. However, an employer may notify an extension of time if the volume of information is such that a response cannot be given within 20 working days or necessary consultations cannot be completed within 20 working days, considering that the information requested is not readily retrievable.
HR Management must meet the requirements of the above provisions of the NZPA. To achieve compliance, organizations need to operationalize their processes. This can be achieved in the following ways:
Manual processes are becoming obsolete and automation is the way forward if organizations hope to comply with global privacy regulations such as the NZPA. Securiti recruits the help of artificial intelligence and robotic automation to help organizations operationalize their processes.
Request a demo today and see how Securiti solutions can help your organization on the road to compliance.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.