The high profile Privacy Bill has been through public consultation and the Select Committee stages and is now at its second reading. There could still be changes to the Bill.
While the Bill aims to strengthen and modernise New Zealand’s privacy laws, the changes have not gone as far as the Privacy Commissioner had asked for. The result will see New Zealand working under a softer privacy regime than Europe and Australia.
This article explains some of the key changes in the Bill.
Notifiable breaches must be reported
One of the key changes is a new requirement on organisations to notify the Privacy Commissioner and affected individuals of ‘notifiable privacy breaches’.
These are privacy breaches that cause, or are likely to cause, serious harm to the affected individual.
Privacy breaches includes situations where an organisation:
- has lost, changed, disclosed, or given access to, personal information in a way that isn’t authorised
- can’t access information temporarily or permanently.
Not notifying the Commissioner will be a criminal offence.
The privacy principles remain but are updated
The 12 information privacy principles will be largely retained but with some updates, for example:
- if personal information is collected for a purpose that doesn’t require an individual’s identifying information, an organisation can’t require it
- a new information privacy principle to better protect personal information sent overseas.
The new Act will modernise privacy laws
The new Act includes measures to modernise New Zealand’s privacy framework. Some examples are:
- The outdated public register privacy principles are removed, as legislation establishing public registers provides more relevant safeguards.
- New provisions cover information that is stored or processed by one organisation on behalf of another (for example, cloud service providers).
- It will apply to both New Zealand organisations collecting information inside and outside New Zealand, and overseas organisations collecting information while carrying on business in New Zealand.
The Privacy Commissioner will have new powers and there are new offences
The Privacy Commissioner will have new powers to issue compliance notices requiring an organisation to do or stop doing something to comply with the privacy laws.
The Commissioner must publish a compliance notice, unless an organisation can prove that it would cause undue hardship.
The Commissioner will also be able to make binding directions on complaints about access to information.
There are new criminal offences including for destroying documents knowing that a request has been made for that information. Fines for offences will be increased from $2,000 to $10,000.
How to keep an eye on the Privacy Bill
We are tracking the progress of the Privacy Bill in ComplyWatch. If you’d like a demo or a free trial of ComplyWatch please get in touch.
ComplyWatch will give you advanced notice of the changes so that you can review your processes and make sure you are ready to hit the ground running when the new Act comes into force.