The key changes to the new Privacy Act 2020 are:

Notifiable privacy breaches – if you have a privacy breach that has caused serious harm to someone (or is likely to do so) it must be notified to the Privacy Commissioner ASAP via NotifyUs.  You should also notify affected people. (Failure to notify Privacy Commissioner can result in a fine of up to $10,000.)

Compliance Notices – the Privacy Commissioner can notify you to do something, or to stop doing something, if you are not meeting your obligations under the Privacy Act.  (Failure to comply can result in a fine of up to $10,000.)

Binding decisions on access requests – the Privacy Commissioner can make decisions on complaints relating to access to information.  This means faster resolutions for information access complaints.  (Failure to release personal information can result in a fine of up to $10,000.)

Disclosing Information Overseas – NZ agencies may only disclose personal information to an overseas agency if that agency has a similar level of protection to NZ, or the person is fully informed and authorises the disclosure.

Extraterritorial effect – Overseas businesses/organisations may be treated as carrying on business in NZ for the purposes of its privacy obligations, even if it does not have a physical presence in NZ.  Eg Facebook and Google.

New Criminal Offences – it will now be a criminal offence (penalty is a fine up to $10,000 each) to

1. Mislead a business/organisation by impersonating someone or pretending to act with that persons’ authority, to gain access to their personal information or to have it altered or destroyed.
2. Destroy a document containing personal information, knowing that a request has been made for that information.

What do you need to do?  

• Review and update your Privacy Policy, include how you report notifiable breaches.   Add a breach register to record any breaches, reportable or not.
• Carefully review any personal information you send overseas to ensure the overseas business/organisation meets the new Privacy Act requirements.  
• Ensure that you keep personal information securely and that it is accurate and up-to-date
• Respond quickly to client requests to access and update their personal information.  
• Subscribe to the Privacy Commissioner website for updates.

Contact info@complianz.biz if you need assistance with your Privacy Policy.