Hello December. I'm not sure how you got here so quickly, as we are suddenly on the countdown to Christmas. But it isn't time to relax yet as changes continue to roll through.
The biggest of these this side of Christmas is the Privacy Act 2020 which becomes effective as of today, 1 December. The new Act, while retaining many of the existing principles of privacy and confidentiality, introduces greater obligations for businesses, financial penalties, and enforcement powers for the Privacy Commissioner. Read about the changes below.
For those of you following the supply of goods into the country (or lack of it), if you click on this link it will take you to the latest Operational Update from Ports of Auckland released yesterday. It doesn't make great reading with some software issues over the weekend shutting down the automated yard until at least lunchtime today, and an overall red light status indicating "service severely degraded, major delays".
PRIVACY ACT 2020
The new Privacy Act 2020 comes into play today and makes some changes to how organisations and businesses need to manage personal information, giving more strength to the statement "keep it secure". If you use personal information you must protect it and respect it.
While many of your transactions are business to business (and the Act doesn't apply), you all have staff information that falls under this umbrella, and many of you are now dealing in personal data on behalf of your customers.
What do you need to do now?
- Every business must have a Privacy Officer (this is not a new requirement), but the new Act allows you to contract that role out if you don't have anyone suitable to act in that role within your business. Members will be able to contract PrintNZ to act in this role.
- It is now mandatory to notify the Privacy Commissioner of a breach that has caused or could cause serious harm. Whether a breach meets the threshold of serious harm depends on:
  - how sensitive the information is
  - what harm it could do
  - how widely spread the breach is
  - what has been done to mitigate it
  - how secure the information was on the medium it was lost from
- The new Act allows for penalties and enforcement. A fine of up to $10,000 can be imposed and criminal charges have been introduced if you impersonate someone to get information, or destroy information when an individual has requested it.
- The Privacy Commissioner can make binding decisions on access to information.
- It applies to every company doing business in NZ, no matter where it is based.
- Cross-border protection means that if you are sending information outside NZ you have to undertake due diligence to ensure it will still be protected. This does not apply to cloud-based storage, or to a company that is doing business in NZ in its own right and is therefore already subject to NZ privacy law.
The Privacy Commission has developed some excellent online learning tools you can access by clicking here. Outlined below are a few that would prove useful to all businesses.
- Any documents you use that currently reference the Privacy Act 1993 need to be updated to the Privacy Act 2020. This will include Credit Account Applications and Terms of Trade, but check other documentation such as employment documentation.
- Prepare a Privacy Breach Response Plan.
- Ensure all personal information is safely and securely managed.
- Ensure any overseas organisations you send personal information to offer comparable privacy protections to New Zealand.
- Train your staff.
  - For general staff: Privacy ABC - a quick overview of privacy in 30 minutes.
  - For Privacy Officers: Privacy 101 - key concepts and definitions in the Act. 2-3 hours, but can be done in multiple sessions.
  - For HR/Payroll: Employment and Privacy - will help employers deal with privacy-related employment issues.
As a reminder, here is an abridged version of the 13 Principles of Privacy:
- Only collect personal information you need
- Get it directly from the individual when possible
- Be open about what you are going to do with it
- Be fair about how you get it
- Keep it secure
- Let people see their own information
- Correct it if the person thinks it is wrong
- Make sure it is accurate before you use it
- Dispose of it when you no longer need it
- Only use it for the reason it was collected
- Only share it if you have a good reason
- Only send it overseas if it will be adequately protected (new)
- Only use unique identifiers when it is clearly allowed