By Lisa Pirihi – Support Parent Coordinator for Parent to Parent
The Privacy Act 2020 (The Act) replaces and repeals the Privacy Act 1993, and came into force on 1 December 2020. The Act was introduced to better protect people’s private information and to ensure that our privacy laws are appropriate for the digital age that we now live in. There have been many changes in technology over the last 20 years, resulting in changes to our wider economy and society, and many of us now live large parts of our lives online. As a result, the privacy laws have been updated to reflect this.
The Act has 13 Information Privacy Principles (IPPs) that must be followed when collecting, using and storing an individual’s personal information. The Act also provides for reporting obligations for privacy breaches, enforcement tools for the Privacy Commissioner, fines and some criminal offences for non-compliance.
An excellent summary of the 13 IPPs can be found here.
Changes included in The Act
The main changes to our privacy laws, as included in The Act, are summarised below.
There are now 13 IPPs in The Act instead of 12. A new IPP, IPP 12, has been added which regulates how personal information can be sent overseas. If an organisation or business discloses information to an overseas entity, it must ensure that the information is adequately protected and that there are comparable privacy rules in that country as those that apply in New Zealand (some exemptions apply).
The previous IPP 12 is now known as IPP 13.
The Act now applies to overseas businesses or organisations that operate in New Zealand, even if they have no physical presence here (i.e Google and Facebook).
It is now mandatory for a business or organisation to notify the Privacy Commissioner of any privacy breaches that have caused (or are likely to cause) serious harm. In most cases the people affected by the breach must also be notified.
Three of the privacy principles have been updated. IPP 1 now clarifies that identifying information should only be collected if it is necessary – if it isn’t needed, it shouldn’t be collected! IPP 4 has been updated to reflect that when collecting personal information from children, specific consideration should be given as to whether the way in which the information is being collected is fair and reasonable. As previously mentioned, the original IPP 12 is now known as IPP 13.
Where a complaint has been made under IPP 6 regarding access to someone’s own personal information, the Privacy Commissioner can now direct an organisation to disclose that personal information. This means that there should be a faster resolution to information access complaints.
Compliance notices can now be issued by the Commissioner. These notices require a business or organisation to do something, or to stop doing something, in order to comply with the Act.
New offences and higher potential fines have been introduced. For example, if a business or organisation destroys information instead of providing it when requested, they can be fined up to $10,000.
Complaints can now be made on behalf of other people and by groups. This allows groups of individuals affected by privacy breaches to bring class actions against businesses/organisations that committed the breach.
The Act has also been renumbered and the language modernised in some places.
The Codes of Practice issued under The Act (which set rules for specific industries or organisations) have also been updated. Changes have been made to ensure consistency with the updated principles in The Act. For example, the Health Information Privacy Code 1994 has been replaced by the Health Information Privacy Code 2020.
For further information please see www.privacy.org.nz – this is a great website with many resources and easy to understand articles on all aspects of our privacy laws in New Zealand.