
 New Zealand’s Privacy Regulations  

What’s required under New Zealand’s privacy legislation, and how can your organization comply? The Privacy Act 2020 came into force on December 1, 2020, replacing the Privacy Act 1993 and strengthening data protection. The law establishes 13 information privacy principles (IPPs) that govern how organizations collect, store, use, and share personal information. It also introduces mandatory notification of privacy breaches that cause or are likely to cause serious harm, and strengthens the Privacy Commissioner’s enforcement powers. As a result, every company that operates in New Zealand needs to understand what the law requires.

Who is subject to New Zealand’s Privacy Act 2020? 

The Privacy Act 2020 applies to any agency, public or private, that collects, stores or handles personal information in the course of operating in New Zealand, whether or not the individuals concerned are New Zealand residents.

Specifically, the law covers:

  • New Zealand agencies: any organization based in New Zealand, including public sector agencies.
  • Overseas agencies: any organization not based in New Zealand, in relation to actions taken while carrying on business in the country.
  • Individuals: any individual not ordinarily resident in New Zealand, in relation to personal information collected or held while present in the country (regardless of where the subject of that information is located).

The Act’s definition of “agency” excludes a small number of bodies, including: 

  • Parliament and its members, and courts and tribunals when exercising judicial functions 
  • The Ombudsman 
  • News media in relation to their news activities 
  • Overseas governments performing government functions 

A Note on Scope 

The Privacy Act 2020 has extraterritorial scope: for an overseas agency carrying on business in New Zealand, it does not matter where the personal information was collected or is held, or whether the individual it relates to is a New Zealand citizen or resident or is present in the country. Additionally, information privacy principle 12 restricts cross-border disclosure: an organization may disclose personal information to an overseas recipient only if the recipient is subject to comparable privacy safeguards (for example, comparable privacy laws, a prescribed country, a binding scheme, or contractual terms), or the individual has been informed that the information may not be adequately protected and expressly authorizes the disclosure.

How does New Zealand enforce the Privacy Act 2020?

The Office of the Privacy Commissioner is responsible for enforcing the Privacy Act 2020. The Commissioner can investigate potential non-compliance following a complaint or on the Commissioner’s own initiative. Upon investigation, the Commissioner can issue a compliance notice requiring an organization to take action or stop certain activities, and can issue an access direction requiring an organization to give an individual access to their personal information. The Commissioner also provides advice to the New Zealand government and to organizations on the application of the Privacy Act 2020. 

What is the Penalty for Non-Compliance? 

Certain instances of non-compliance with the Privacy Act 2020 are criminal offences carrying fines of up to NZ$10,000. These include failing, without reasonable excuse, to notify the Commissioner of a notifiable privacy breach; failing to comply with a compliance notice; obstructing or misleading the Commissioner; and destroying a document after receiving a request for the personal information it contains. Affected individuals can also bring complaints before the Human Rights Review Tribunal, which can order the offending organization to pay damages. 

What is considered a privacy breach?  

A privacy breach is any unauthorized or accidental access to, or disclosure, alteration, loss, or destruction of, personal information, or any action that prevents an organization from accessing personal information, either temporarily or permanently (for example, a ransomware attack). A breach is notifiable when it is reasonable to believe it has caused, or is likely to cause, serious harm to an affected individual.

What is the standard for serious harm?  

The Commissioner offers an online self-assessment tool to help organizations decide whether a privacy breach meets the standard for serious harm. The assessment considers: 

  • Whether personal information is involved. 
  • Whether the personal information is sensitive. 
  • Who has obtained, or may obtain, the information. 
  • The harm that may be caused to affected individuals. 
  • Any action already taken to reduce the risk of harm. 
  • Whether the information was protected by a security measure (such as encryption). 

How to Respond to a Notifiable Privacy Breach 

Organizations that experience a notifiable privacy breach must notify the Privacy Commissioner, and the affected individuals (or, where individual notification is not reasonably practicable, give public notice), as soon as practicable after becoming aware that the breach occurred. 

Notifying the Commissioner:

These notifications should include this information: 

  • Contact details for the organization and person issuing the notification. 
  • Timeline details about the breach, including when it occurred and when it was discovered. 
  • Details about the breach, including how many people were affected, the type of personal information involved, and who might have the information. 
  • Details about the harm that may be caused to affected individuals following the breach. 
  • Steps the organization has taken or intends to take to notify individuals. 
  • Whether or not any other organizations were affected by the breach. 
  • Whether or not the organization has notified any other agencies about the breach. 

Notifying Individuals:

These notifications must include: 

  • Details about the breach, including when it happened, the personal information involved, and who might have the information (however it cannot identify that party unless it’s necessary to lessen a serious threat to the life or health of individuals). 
  • Steps the organization has taken or intends to take in response to the breach. 
  • Steps that affected individuals can take to mitigate or avoid potential harm. 
  • Confirmation that the organization has notified the Commissioner about the breach. 
  • A note that affected individuals have the right to make a complaint to the Commissioner. 
  • Contact details for a person within the organization who can field inquiries. 

Note: These notifications cannot identify any other affected individuals. To avoid a delay, organizations can share information in increments if it’s not all available immediately. 

Exceptions for issuing a notification 

Organizations are not required to notify affected individuals or give public notice if they believe the notification would: 

  • Prejudice the security or defence of New Zealand, the international relations of the New Zealand government, or the maintenance of the law 
  • Endanger the safety of any person or reveal a trade secret 
  • Be contrary to the affected individual’s interests, if that individual is under the age of 16 
  • Be likely to prejudice the individual’s health, in consultation with the individual’s health practitioner (where practicable) 

Organizations can also delay notifying affected individuals or giving public notice if they believe the notification itself could create risks to the security of personal information they hold, and those risks outweigh the benefits of informing affected individuals. Notification to the Commissioner cannot be delayed on these grounds.

What Types of Incidents Require Notification Under the Privacy Act 2020? 

Any privacy breach that it is reasonable to believe has caused, or is likely to cause, serious harm to the individuals whose information is involved requires notification under the Privacy Act 2020. Common examples include: 

  • Phishing, malware or Trojans: an attacker tricks a user into revealing credentials or installing malicious software, gaining unauthorized access to systems holding personal information. 
  • Man-in-the-middle attack: an attacker intercepts a digital conversation by positioning themselves between the two parties involved, which gives them access to the information being exchanged. 
  • Lost or stolen data or records: any case in which personal information is lost or stolen, even accidentally (for example, a misplaced laptop or a misdirected email). Organizations will need to assess what data was involved and who might have access to it, among other factors. 
  • Data theft and exfiltration: techniques that allow attackers to gain unauthorized access to data and then move that data to their own servers or devices. This theft can cause serious harm depending on the personal information involved. 

How Can Organizations Prepare for Compliance with the Privacy Act 2020? 

Under the Privacy Act 2020, organizations must appoint a privacy officer responsible for: 

  • Monitoring compliance with the law’s 13 information privacy principles 
  • Fielding requests made under the law 
  • Working with the Commissioner on any investigations 
  • Proactively preparing for incident response 

As part of this effort, the privacy officer should prepare for three phases of incident response: 

  • Readiness 
  • Response 
  • Ongoing Management 