IDC Names Securiti a Worldwide Leader in Data PrivacyView
New Zealand was one of the first countries that enacted a law specifically dedicated to its residents' right to privacy with its Privacy Act of 1993. Whilst the entire definition of what "privacy" means has undergone a radical shift since then New Zealand’s principles based legislation has remained relatively fit for purpose. Even with the advent of social media and the internet adding an entirely new paradigm to that topic.
In recognition of the evolution of privacy, New Zealand updated its legislation in 2020, known as the Privacy Act of 2020. It remains principles based and relatively consistent with the 1993 Act, albeit with some additional protections for individuals and obligations for organizations.
The legislation and organization’s obligations are centred around the 13 Information Privacy Principles (IPPs) within the Act. While it is reassuring for the users in New Zealand, it can present a problem for organizations catering to users in New Zealand as the legislation is principles based rather than prescriptive.
So, to make any compliance effort easier, here are all the significant bits to know about New Zealand's Privacy Act of 2020:
While the Privacy Act of 2020 improves its predecessor, it also clarified and expanded its application. The scope of application of the Act can be broken down into two distinct categories as mentioned below:
The Privacy Act expressly deals with personal information (PI) collected, held, used, and disclosed by any organization. The definition of PI in the Act is information about an identifiable individual.
Importantly, the Privacy Act applies to entities of all sizes and structures, right down to individuals. There is no organizational size limit on the application of the legislation.
Any organization that falls under the following sub-categories have to comply with the Privacy Act of 2020:
It should be noted that any organization that fulfills the criteria mentioned above does not necessarily need to have a physical presence within the country. Suppose it has conducted business that has generated revenue from New Zealand residents in any way or intends to make a profit from business in New Zealand. In that case, it will be subject to the Privacy Act of 2020.
Under the Privacy Act’s jurisdiction, all organizations have specific responsibilities or obligations towards their users. The most important of these obligations include the following:
While data processing has become immensely important for nearly all businesses, the Privacy Act ensures that such data processing can only occur if the organization collecting the data has a lawful purpose for the collection and that collection of the information is necessary for that purpose. It is also expected that the information will be collected directly from the individual concerned.
When collecting personal information, organizations are required to ensure the individual is aware of:
Unlike many other privacy laws, the Privacy Act does not include the word consent in its drafting. The Act states that if the information is collected for a purpose, then it can be used or disclosed for that purpose.
However, there are certain areas where an individual’s authorization will be required to enable the collection, use, or disclosure of information. These are:
This means it is essential that an organization understands the purpose any personal information is collected for and can build in processes to obtain authorization from individuals where it is required.
The Privacy Act and IPP 5 state that an organisation that holds or stores personal information on individuals must take the appropriate safeguards that protect the information against loss, unauthorised access, use, modification, or disclosure or other misuse. Such safeguards include:
The Privacy Act also requires that organisations do everything within their power to prevent unauthorized use or unauthorized disclosure of personal information if it is given to any third-party service providers.
Unlike GDPR, the Privacy Act does not define data controllers or data processors. Under the Privacy Act, if an organisation provides a third party with access to personal information for the purpose of safe custody or processing, that third party is deemed to be an agent of the organisation. This applies whether the agent operates within or outside of New Zealand. For the purposes of the Privacy Act, the personal information is treated as being held by the organisation, not the agent, and the transfer of information is not a use or disclosure by the organisation.
This means robust due diligence over any third-party vendors who will store or process personal information is an essential part of ensuring compliance with the Privacy Act.
Like all major data protection laws globally, the Privacy Act requires all organisations to notify both the Office of the Privacy Commissioner and the affected users in the event of a data breach that has or could cause serious harm to an affected individual. The organisation must inform all relevant parties ``as soon as practicable" after becoming aware of a breach. Guidance from the Office of the Privacy Commissioner indicates they expect organisations to notify them of any breach within 72 hours.
Notification to the Office of the Privacy Commissioner must include:
Notification to an affected individual can be direct or via public notice and must include:
There are exceptions to this need to inform the affected individuals about the breach in case the notice would:
In the event of a breach by an agent of the organisation, the organisation will be responsible to fulfill the breach notification obligations. Anything relating to a notifiable privacy breach that is known by any employee or member of the third-party will be considered to be known by the principal data collecting organisation.
The Privacy Act requires all organisations subject to it to employ a dedicated Data Protection Officer within their organisation. The term used for a DPO is a "Privacy Officer". The primary responsibility of a Privacy Officer includes the following:
There is no legislative requirement for organisations to complete privacy impact assessments. However they are encouraged as best practice by the Office of the Privacy Commissioner.
There are provisions within the Privacy Act that allow for the international transfer of data collected inside New Zealand. These include that the transfer is:
Similar to other major data protection laws globally, the Privacy Act guarantees all individuals certain rights, known more accurately as Data Subject Rights.
These include the following:
Under the Privacy Act, the Office of the Privacy Commissioner office was established. Like many data protection agencies worldwide, the Privacy Commissioner is the primary office in charge of ensuring organisations operating in New Zealand or dealing with information on individuals in New Zealand are compliant with the law.
However, it does differ from other agencies because it seeks to educate agencies and organisations in breach of the law rather than taking punitive measures. For this reason, the Office of the Privacy Commissioner regularly publishes guidelines and recommended practices that can help organisations of all kinds comply with the Privacy Act.
Under the Privacy Act, the Privacy Commissioner has a number of specific powers, including to:
Penalties for breaching the Privacy Act of 2020 are a little more complicated than many other data protection laws. The focus within the Act is on civil remedies for affected individuals and there are also limited financial penalties for certain offences.
In the event that an organisation breaches one of the Information Privacy Principles and causes harm to an individual or fails to comply with data subject rights requirements then they can be deemed to have interfered with the privacy of the individual.
In the event of a complaint of an interference with privacy, the Privacy Commissioner will act as mediator between the organisations and affected individual(s). The Privacy Act expects that an organisation will remedy the interference which could be anything from an apology to a financial settlement. In the event that a settlement cannot be reached, the Commissioner has the ability to refer matters to the New Zealand Human Rights Review Tribunal which can award damages up to $350,000 to an individual. Class actions are also able to be taken against an organisation under the changes made under the Privacy Act 2020.
There are also specific offences under the Privacy Act:
These are criminal offences that can result in conviction and a fine of up to NZD 10,000 per offence.
While any data protection-related regulation globally ensures the users' right to adequate privacy online, it does present a conundrum for organisations. For starters, complying with various regulations can be a challenge since each legislation has different requirements that an organisation must be careful to consider.
A few simple steps can go a long way in guaranteeing the ideal platform to ensure compliance with any data protection regulation globally. However, it does not necessarily have to be an arduous task. For organisations aiming to achieve compliance with New Zealand's Privacy Act of 2020, here's what they can do to start:
Data compliance and governance have taken an immensely pivotal role when it comes to cementing customers' trust towards any website and organisation. Today's customers online are more educated about their digital rights, especially regarding their right to privacy online. Laws being enacted around the world reflect this rising trend. It is now becoming a legal requirement for businesses of all sizes to consider data protection a serious responsibility towards their customers.
The New Zealand Privacy Act of 2020 is just one example of that. Several other countries have followed suit, and each country will likely have some sort of data protection-related regulation in place. Considering how traditional big tech firms like Facebook and Google have already faced heavy fines, this is understandably a challenge for organisations.
Fortunately, there is an effective and efficient solution. Securiti has made a name for itself owing to its PrivacyOps framework that has helped multiple organisations achieve compliance towards some of the major data protection laws in the world. It can do the same for your company with New Zealand's Privacy Act of 2020 and any other data protection law globally.
Request a demo today to see its several tools in action and how they can help you.
See how easy it is to manage privacy compliance with robotic automation.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
300 Santana Row Suite 450. San Jose,