From 1st December 2020, New Zealand will be under a new Privacy Act. This is the first time the act has been updated in over 27 years and affects the way businesses and organisations collect, store and disclose personal information.
It’s crucial to understand how these changes will impact your business – the penalties for breaking the rules are going to be stricter than before. Not to mention that failing to protect client info will damage your hard-earned reputation.
We’ve put together this handy get-ready guide so that you are aware of the new rules and what you need to do, well in advance. It’s not individual legal advice though, so make sure you talk with your lawyer for that and check out the external links in the article.
What counts as personal info?
Personal information can include, but is not limited to:
- names
- addresses
- pictures of faces
- a record of someone’s opinion and views
- employment information
- health records
- financial information (including credit card numbers).
Do you collect, handle or store personal information?
If you do, you must ensure that this information is necessary to do your job.
If you don’t need it to provide your product or service, you shouldn’t have it in the first place. Don’t hoard data: collect only what you need; keep only what you need.
If you do have information that you don’t need, dispose of it properly and securely. Think paper shredders, deleting backup files and decluttering your hard drives.
Okay, I’m sure what I collect is necessary info. Now what?
Mistakes happen so you need to do all you can to mitigate your risks of a privacy breach. You also need to know how to handle one.
Safeguards include: secure web hosting, password protected files and systems, doing all you can to avoid documents and emails being sent to the wrong recipients, keeping your IT networks secure, and preventing employees browsing through communication or data they don’t need.
What is a privacy breach? And what do I need to do if I’ve noticed one?
A privacy breach is any unauthorised release or compromise of people’s information. Take them seriously and act quickly.
If your agency faces a privacy breach that you consider could cause serious harm, you need to:
- Contain the breach and conduct a first assessment of the risks.
- Report this breach to the Privacy Commissioner immediately.
- It is likely you will need to notify the people affected. Find out more about this process and find free resources to help you here.
- Put measures in place to prevent the breach from reoccurring.
What happens if I need to release personal info?
Your clients might request that you disclose their personal info to them. It is their right to ask this, and you must comply unless you think the release of this information is seriously unsafe or could compromise another person’s safety. You may also be required by law enforcement to release personal information.
Do you collect or handle data that is sent or processed overseas?
If you answered yes, you need to check that the overseas recipients of this data have similar privacy regulations to New Zealand. This is to ensure personal information is treated with equal care offshore.
To cover this, include simple contractual clauses with the other party before sharing information – resources and model clauses are being developed and will be released once the Privacy Act 2020 comes into force.
If a cloud service holds and processes people’s information for you, both you and the cloud service will be held responsible for any privacy breach or misuse of information. If you use cloud software and would like to find out more about how the Privacy Act may impact this, there are some resources here.
Do you collect or handle the data of children or young people?
If you do, you will need to review how you collect this data and evaluate whether it is fair and reasonable for this age group under the circumstances.
For example, can this person fairly understand the kind of information you are asking from them, and can they make an informed agreement or decision? You may need to evaluate which data you collect, whether it’s appropriate, and how you’re asking for it, to make it as clear and reasonable as possible.
Do you provide and use unique identifiers to process people’s information, like a customer number or some other identifying label?
Unique identifiers include:
- Your passport
- Drivers’ licence
- IRD numbers.
The Privacy Act 2020 has been updated to ensure those unique identifiers (and, therefore, the people they identify) are kept secure from privacy breaches and identity theft. Practically, this may mean locking your physical documents in a safe or using password protection for sensitive files.
Keep informed
The Privacy Commission has put together some excellent resources, including an online quiz to test your privacy knowledge. Check out some links to further reading below, too. Getting your head around it now can save a lot of pain later.
Keep an eye out for privacy week on 2-6 November 2020. It’s part of the Privacy Commission’s programme of events and resources as New Zealand gears up for the Privacy Act coming to force on 1st December.
Recap: Key points to remember and action
- Understand what counts as personal info and a privacy breach.
- Reduce the level of information you collect and store.
- Securely destroy any info that is unnecessary.
- Prevent privacy breaches by putting robust safeguards in place.
- Update contracts with your overseas agencies and partners.
- Notify the Privacy Commissioner immediately after any privacy breach and affected parties (if required).
- Evaluate what went wrong and put structures in place to stop recurrence.
- Keep informed with Privacy changes and your obligations.
Some further reading:
- Information about your privacy responsibilities as an agency can be found here.
- The Office of the Privacy Commissioner has provided a great collection of resources for agencies (including small businesses).
- The PADLOCK principles also provide a helpful guideline when collecting, using and protecting personal information. Find the brochure here.