Key changes to the 2020 Privacy Act

The Privacy Act came into force on 1 December 2020, affecting all industries holding personally identifiable data, notably healthcare. Here are the significant changes in Privacy Act 2020.

SOP Amendments

1) Liability for privacy breach notifications sits with a business or organisation and not individual employees.

2) The Act allows the Human Rights Review Tribunal to award up to $350,000 to each member of a class action.

3) Privacy principle 4 requires agencies to ensure the way they collect information from children and young people is fair.

Notifiable privacy breaches

Firstly, the communication of a breach to the Privacy Commissioners Offices figures prominently in the Act. For example, suppose a privacy breach causes or is likely to cause harm. In that case, the organisation must notify the affected individuals and the Privacy Commissioner as soon as possible. As noted above, the liability for breach notifications sits with the business and not the individual employees.

However, you are not required to notify the Office of the Privacy Commissioner of all privacy breaches. The threshold for a notifiable breach is ‘serious harm’. To assess serious harm, consider the following:

• the sensitivity of the information lost
• actions taken to reduce the risk of harm
• the nature of the harm that could arise
• any other relevant matters

Current guidance on handling privacy breaches can be found here.

Compliance notices

Under the Privacy Act 2020 changes, the Privacy Commissioner can issue compliance notices to organisations. The purpose is to require them to do something or stop doing something to comply with the Act. Compliance Notices describe the steps that the Commissioner considers as necessary to remedy non-compliance with the Act. Moreover, the Commissioner specifies a date by which the business must make the required changes.

Enforceable access directions

The Privacy Commissioner can direct agencies to provide access for individuals to their personal information. As a result, faster resolution of complaints relating to information access under principle 6 will occur. In addition, access directions are enforceable by the Human Rights Review Tribunal.

Disclosing information overseas

A new principle 12 regulates personal information. Businesses may only disclose information to an agency outside of New Zealand if the receiving party is subject to similar safeguards to those in the NZ Privacy Act.

Also, when a jurisdiction does not offer similar protections, the agency must inform the individual that their information may not be properly protected. Moreover, they must expressly authorise the disclosure.

Extraterritorial effect

The new Act clearly states that it has an extraterritorial effect meaning an overseas business that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here. Subsequently, offshore businesses, such as Google and Facebook, are now subject to the Act.

New criminal offences

The changes in Privacy Act 2020 introduces new criminal offences. For example, it is an offence to mislead an agency to access someone else’s personal information by impersonating them to access the information you are not entitled to see. Furthermore, it will also be an offence for a business to destroy personal information, knowing that a request has been made to access it. Moreover, the penalty for these offences is a fine of up to $10,000.

Further changes in the 2020 Privacy Act

The new Act retains the principles of the current legislation, with some changes. For example, Principle 1 has been clarified to ensure that businesses do not collect information from people if it is not necessary. In addition, there are new withholding grounds for access requests under principle 6 and the Codes of Practice, such as the Health Information Privacy Code.

In today’s fast-paced cyber business environments, the privacy of patient data must remain top of mind for medical practices. We only need to look at the recent incident at the Waikato DHB for evidence of how a cyber attack can affect patients, with surgeries cancelled and personal data exposed. Moving forward, more and more organisations are choosing preventive IT solutions to keep their staff and patient data safe.

Source: Privacy Act 2020

Editor’s Note: This post was originally published on 23 June 2020 by Alastair Miller. This edition has been edited to include updated information and examples for 2021.

Learn more about NSP security solution.