New Zealand’s Privacy Act of 2020

Published March 7, 2022 / Updated November 17, 2024
Author

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia


New Zealand was one of the first countries to enact a law specifically dedicated to its residents' right to privacy, with its Privacy Act of 1993. Whilst the entire definition of what "privacy" means has undergone a radical shift since then, New Zealand's principles-based legislation has remained relatively fit for purpose, even with the advent of social media and the internet adding an entirely new paradigm to the topic.

In recognition of the evolution of privacy, New Zealand updated its legislation in 2020 with the Privacy Act of 2020. It remains principles-based and relatively consistent with the 1993 Act, albeit with some additional protections for individuals and obligations for organizations.

The legislation and organizations' obligations are centred around the 13 Information Privacy Principles (IPPs) within the Act. While this is reassuring for users in New Zealand, it can present a problem for organizations catering to users in New Zealand, as the legislation is principles-based rather than prescriptive.

So, to make any compliance effort easier, here are all the significant bits to know about New Zealand's Privacy Act of 2020:

Who Needs to Comply with the Law

While the Privacy Act of 2020 improves on its predecessor, it also clarifies and expands its application. The scope of the Act can be broken down into the two distinct categories below:

Material Scope

The Privacy Act expressly deals with personal information (PI) collected, held, used, and disclosed by any organization. The definition of PI in the Act is information about an identifiable individual.

Importantly, the Privacy Act applies to entities of all sizes and structures, right down to individuals. There is no organizational size limit on the application of the legislation.

Territorial Scope

Any organization that falls under one of the following sub-categories has to comply with the Privacy Act of 2020:

  • Organizations located within New Zealand;
  • Organizations located outside New Zealand but offering goods/services to individuals in New Zealand; or
  • Organizations located outside New Zealand but collecting information about individuals in New Zealand.

It should be noted that an organization that fulfills the criteria above does not necessarily need to have a physical presence within the country. If it has conducted business that has generated revenue from New Zealand residents in any way, or intends to make a profit from business in New Zealand, it will be subject to the Privacy Act of 2020.

Obligations for Organisations Under the Privacy Act 2020

Under the Privacy Act’s jurisdiction, all organizations have specific responsibilities or obligations towards their users. The most important of these obligations include the following:

Lawful Purpose Requirements

While data processing has become immensely important for nearly all businesses, the Privacy Act ensures that such processing can only occur if the organization collecting the data has a lawful purpose for the collection and the collection of the information is necessary for that purpose. It is also expected that the information will be collected directly from the individual concerned.

When collecting personal information, organizations are required to ensure the individual is aware of:

  • The fact that the information is being collected;
  • The purpose for which it is being collected;
  • The intended recipients of the information;
  • The details of the organization that will be collecting and holding the information;
  • Any laws that authorize or require the collection of the information;
  • Any consequences of not providing the information; and/or
  • The individual’s right to access or correct the information.

Unlike many other privacy laws, the Privacy Act does not include the word "consent" in its drafting. The Act states that if the information is collected for a purpose, then it can be used or disclosed for that purpose.

However, there are certain areas where an individual’s authorization will be required to enable the collection, use, or disclosure of information. These are:

  • If the information is being collected from a third party rather than directly from the individual;
  • The organization would like to use or disclose the information for a purpose other than that for which it was originally collected; or
  • The organization would like to disclose the information outside of New Zealand.

This means it is essential that an organization understands the purpose for which any personal information is collected and builds in processes to obtain authorization from individuals where it is required.

Privacy Notification / Privacy Policy Requirements

There is no specific requirement for a privacy notice in the Privacy Act. However, as stated above, organizations are required to ensure the individual is aware of a range of matters when collecting personal information. Hence, the best practice in such a case would be to adhere to the standard privacy policy requirements elaborated in other major data protection laws and design the website's privacy policy accordingly. Such a policy would include the following information:

  • Contact information about the organisation;
  • Contact information for the organisation’s Privacy Officer;
  • What categories of personal information are being collected;
  • The purpose for which the organisation is collecting the individual’s information and why it is necessary;
  • How the individual’s information will be used;
  • Who the information will be shared with;
  • Information on whether the individual’s information will be transferred to other countries;
  • The period for which the personal information will be stored;
  • Detailed information on individuals’ rights to access and correct the information;
  • How the individuals' data is stored and protected; and
  • The individuals' right to complain to the Office of the Privacy Commissioner.

Security Requirements

The Privacy Act, through IPP 5, states that an organisation that holds or stores personal information on individuals must take appropriate safeguards to protect the information against loss, unauthorised access, use, modification, or disclosure, or other misuse. Such safeguards include:

  • The appropriate technical, physical, and/or organisational security controls;
  • All security controls in place;
  • The encryption protocols being followed.

The Privacy Act also requires that organisations do everything within their power to prevent unauthorized use or unauthorized disclosure of personal information if it is given to any third-party service providers.

Outsourcing to Third Parties

Unlike GDPR, the Privacy Act does not define data controllers or data processors. Under the Privacy Act, if an organisation provides a third party with access to personal information for the purpose of safe custody or processing, that third party is deemed to be an agent of the organisation. This applies whether the agent operates within or outside of New Zealand. For the purposes of the Privacy Act, the personal information is treated as being held by the organisation, not the agent, and the transfer of information is not a use or disclosure by the organisation.

This means robust due diligence over any third-party vendors who will store or process personal information is an essential part of ensuring compliance with the Privacy Act.

Data Breach Requirements

Like all major data protection laws globally, the Privacy Act requires all organisations to notify both the Office of the Privacy Commissioner and the affected users in the event of a data breach that has caused or could cause serious harm to an affected individual. The organisation must inform all relevant parties "as soon as practicable" after becoming aware of a breach. Guidance from the Office of the Privacy Commissioner indicates that they expect organisations to notify them of any breach within 72 hours.

Notification to the Office of the Privacy Commissioner must include:

  • The number of affected users;
  • The identity of the person or organisation who may be in possession of the breached information;
  • What steps the organisation has taken in response to the situation;
  • Whether affected individuals have or will be contacted;
  • The basis for delaying or not notifying an affected individual, if notification will be delayed or an exception is being relied upon;
  • Details of a person within the organisation to contact related to the breach.

Notification to an affected individual can be direct or via public notice and must include:

  • Details of the breach;
  • Whether the organisation has identified the individual or organisation that is in possession of the information (without disclosing information that could identify them);
  • Steps taken in response to the breach;
  • What steps the individual could take to mitigate potential loss or harm (where practicable);
  • Confirmation that the Commissioner has been notified;
  • That the individual has the right to make a complaint to the Commissioner; and
  • Details of a contact person for inquiries.

There are exceptions to the obligation to notify affected individuals of the breach where the notification would:

  • Prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand;
  • Prejudice the maintenance of the law by any public sector agency, including the prevention, investigation, and detection of offences, and the right to a fair trial;
  • Endanger the safety of any person;
  • Reveal a trade secret;
  • Be contrary to the individual’s interests if they are under the age of 16; or
  • Be likely to prejudice the health of the individual, based on consultation with the individual's health practitioner.

In the event of a breach by an agent of the organisation, the organisation is responsible for fulfilling the breach notification obligations. Anything relating to a notifiable privacy breach that is known by any employee or member of the third party is considered to be known by the principal data-collecting organisation.

Data Protection Officer Requirement

The Privacy Act requires all organisations subject to it to appoint a dedicated Data Protection Officer within their organisation. The term used for a DPO is a "Privacy Officer". The primary responsibilities of a Privacy Officer include the following:

  • Encouraging the agency to comply with the IPPs;
  • Dealing with requests made to the organisation under this Act;
  • Working with the Commissioner about any investigations;
  • Ensuring that the organisation complies with the provisions of this Act.

Privacy Impact Assessment

There is no legislative requirement for organisations to complete privacy impact assessments. However, they are encouraged as best practice by the Office of the Privacy Commissioner.

Cross-Border Data Transfer Requirements

There are provisions within the Privacy Act that allow for the international transfer of data collected inside New Zealand. These include that the transfer is:

  • Authorised by the individual;
  • To an organisation that is also subject to the Privacy Act;
  • To a country that is subject to privacy laws that provide a comparable level of safeguards to those in the Privacy Act;
  • To an organisation operating in a prescribed binding scheme or country; or
  • To an organisation that is required to protect the information with a comparable level of safeguards to those in the Privacy Act (for example, through an agreement between the parties).

Data Subject Rights

Similar to other major data protection laws globally, the Privacy Act guarantees all individuals certain rights, known more formally as Data Subject Rights.

These include the following:

  • Right to access the data subject's data - Arguably the most important right a user can have. The Privacy Act ensures that a user can request that any website provide prompt and complete access to all the data collected on the user since the moment they consented to the data processing. When such a request is made, the organisation must respond within 20 days. If the request isn't fulfilled in that timeframe, the user may bring their case to the Privacy Commissioner, who can then issue a binding access determination requiring the organisation to give the user access to the information requested.
  • Right to rectify/correct the data subject's data where inaccurate or incomplete - A user has the right to request that any data collected on them that has become outdated, incomplete, or inaccurate be corrected. A decision to either grant or deny such a request must be made within 20 days of the request being made, and the decision must be communicated to the user.

Regulatory Authority

The Office of the Privacy Commissioner was established under the Privacy Act. Like many data protection agencies worldwide, the Privacy Commissioner is the primary office in charge of ensuring that organisations operating in New Zealand, or dealing with information on individuals in New Zealand, comply with the law.

However, it does differ from other agencies because it seeks to educate agencies and organisations in breach of the law rather than taking punitive measures. For this reason, the Office of the Privacy Commissioner regularly publishes guidelines and recommended practices that can help organisations of all kinds comply with the Privacy Act.

Under the Privacy Act, the Privacy Commissioner has a number of specific powers, including to:

  • Investigate complaints or data breaches;
  • Issue a compliance notice requiring an organisation to stop or change its business practices;
  • Compel an organisation to release information that is subject to a request for access; and
  • Issue codes of practice in relation to the Information Privacy Principles for specific industries (e.g. health care, telecommunications, credit reporting agencies).

Penalties for Non-compliance

Penalties for breaching the Privacy Act of 2020 are a little more complicated than under many other data protection laws. The focus within the Act is on civil remedies for affected individuals, and there are also limited financial penalties for certain offences.

If an organisation breaches one of the Information Privacy Principles and causes harm to an individual, or fails to comply with data subject rights requirements, it can be deemed to have interfered with the privacy of the individual.

In the event of a complaint of an interference with privacy, the Privacy Commissioner acts as mediator between the organisation and the affected individual(s). The Privacy Act expects that the organisation will remedy the interference, which could be anything from an apology to a financial settlement. If a settlement cannot be reached, the Commissioner can refer the matter to the New Zealand Human Rights Review Tribunal, which can award damages of up to $350,000 to an individual. Class actions can also be brought against an organisation under the changes made by the Privacy Act 2020.

There are also specific offences under the Privacy Act:

  • Obstructing, hindering, or resisting the Privacy Commissioner;
  • Refusing or failing to comply with a lawful requirement of the Privacy Commissioner;
  • Making false or misleading statements to the Privacy Commissioner;
  • Impersonating an individual to obtain access to, use, alter or destroy that individual’s personal information;
  • Destroying a document containing personal information that is subject to a request for access; or
  • Failing to comply with a compliance notice issued by the Privacy Commissioner.

These are criminal offences that can result in conviction and a fine of up to NZD 10,000 per offence.

How an Organisation Can Operationalize the Law

While any data protection regulation globally ensures users' right to adequate privacy online, it does present a conundrum for organisations. For starters, complying with various regulations can be a challenge, since each piece of legislation has different requirements that an organisation must be careful to consider.

However, compliance does not necessarily have to be an arduous task. A few simple steps can go a long way towards building a platform for compliance with any data protection regulation globally. For organisations aiming to achieve compliance with New Zealand's Privacy Act of 2020, here is what they can do to start:

  • Have an easy-to-read privacy policy that clearly communicates all the data subject's rights without leaving any room for ambiguity;
  • Hire Privacy Officers who understand the Privacy Act, both legally and strategically, to aid your data processing strategies and tactics;
  • Ensure all the company's employees and staff are acutely aware of their responsibilities under the law;
  • Conduct regular data protection impact assessments as well as data mapping exercises to ensure maximum efficiency in your compliance efforts;
  • Implement robust vendor due diligence processes for third-party agents;
  • Notify the relevant authorities of a data breach as soon as possible.

How Can Securiti Help

Data compliance and governance have taken on a pivotal role in cementing customers' trust towards any website and organisation. Today's online customers are more educated about their digital rights, especially their right to privacy online. Laws being enacted around the world reflect this rising trend. It is now becoming a legal requirement for businesses of all sizes to treat data protection as a serious responsibility towards their customers.

The New Zealand Privacy Act of 2020 is just one example of that. Several other countries have followed suit, and each country will likely have some sort of data protection-related regulation in place. Considering how traditional big tech firms like Facebook and Google have already faced heavy fines, this is understandably a challenge for organisations.

An effective solution is readily available. Securiti, renowned for its innovative PrivacyOps framework, has empowered numerous organizations to achieve compliance with major data protection laws worldwide. It can similarly support your company in meeting the requirements of New Zealand's Privacy Act of 2020 and other global data protection regulations.

Request a demo today to see its several tools in action and how they can help you.
