New Zealand Privacy Act 2020 Comes into Force

New Zealand Privacy Act 2020 came into force on December 1, 2020 granting the Privacy Commissioner greater powers to ensure organisations and businesses comply with the Act.

Privacy Commissioner John Edwards noted “The new Act brings with it a wider range of enforcement tools to encourage best practice, which means we are now able to take a different approach to the way we work as a regulator”.

The Office of the Privacy Commissioner has produced resources and guidance to help people and organisations understand what’s changing in the Privacy Act.

Key changes in the Privacy Act 2020 include:

Notifiable privacy breaches

The Privacy Act 2020 introduces new privacy breach reporting obligations. If a business or organisation has a privacy breach that it believes has caused (or is likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible. Use the NotifyUs tool to report a privacy breach.

New criminal offences

The Act introduces new criminal offences. It will now be an offence to mislead an agency to access someone else’s personal information – for example, impersonating someone in order to access information that you are not entitled to see. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.

Compliance notices

The Privacy Commissioner will be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, to comply with the Privacy Act 2020.
Enforceable access directions

The Privacy Commissioner will be able to direct an organisation or business to confirm whether they hold personal information about an individual and to provide the individual with access to that information.

Disclosing information overseas

A new privacy principle 12 has been added to the Privacy Act to regulate the way personal information can be sent overseas. Under principle 12, an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act 2020.

Extraterritorial effect

An overseas business or organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here. This will affect businesses located offshore.

The information in this article is taken from the New Zealand’s Privacy Commissioner press release available here.

Photo by Andrea Piacquadio from Pexels.