
Privacy Act 2020 explained

Jack Rainbow, Associate at Dundas Street Employment Lawyers, outlines the main principles of the Privacy Act 2020, consequences of non-compliance and potential upcoming changes.

The Privacy Act 2020 is New Zealand’s governing legislation in respect of how personal information is collected, used, stored and disclosed by both public and private sector agencies. It establishes clear rules to protect individuals’ privacy rights and provides a legal framework to ensure accountability in the handling of personal data.

Privacy Act 2020

The Privacy Act applies to agencies, businesses, government departments, schools, health providers, and other organisations, whether large or small, that collect and hold personal information. Importantly, the Act does not apply to individuals acting in their personal capacity.

Employers are covered under the Act regarding the personal information they hold about their current employees, as well as job applicants. This means information collected during recruitment processes is subject to the same obligations and protections as information held about existing staff. The Act contains 13 Information Privacy Principles, or IPPs. Some of the main tenets of those principles are set out below.

Collection Of Personal Information

When collecting personal information, agencies must ensure it is gathered for a lawful purpose and that the collection is necessary for that purpose. Agencies must consider why they are requesting certain information and whether it is relevant and proportionate to the purpose for which it is being collected.

When collecting personal information, ask yourself: Do I need that specific information to achieve my purpose? For example, asking prospective job candidates about marital status or sexual orientation is typically unnecessary.

Wherever practicable, agencies must collect personal information directly from the individual concerned, rather than from third parties, unless one of the Act’s exceptions applies. When collecting this information, agencies must also inform individuals about the reasons for collection, how the information will be used, and with whom it may be shared. This is a core requirement of Privacy Principle 3.

Use And Disclosure

The Act also requires that personal information only be used or disclosed for the purpose for which it was originally collected (unless another exception applies). Agencies cannot use information obtained or collected for one reason for another entirely unrelated purpose.

For example, contact information collected during recruitment cannot be used later for marketing campaigns or email promotions.

Storage And Security

Agencies must take reasonable steps to protect personal information from loss, unauthorised access or disclosure, or misuse. This includes both physical and digital safeguards, such as secure filing systems, encrypted databases and access controls.

Access To Personal Information

Under the Privacy Act, individuals have the right to request access to their personal information. Agencies must respond to such requests within 20 working days, either by agreeing to provide the information, explaining why it cannot be disclosed, or notifying the requester that an extension to that deadline is required.

If the request is large or complex, agencies can notify the individual of an extended timeframe, provided notification is given within the initial 20-day period. In some extreme instances, requests can be declined. Agencies should keep clear procedures for handling access requests.

Grounds For Refusal

Where a request for personal information has been made, there are only specific grounds on which an organisation can rely to refuse access to that information.

Those grounds include where:

  • the provision of information would likely prevent or hinder the detection or investigation of offences and/or prejudice law enforcement investigations

  • the information requested is protected by legal professional privilege

  • the provision of information would involve the unwarranted disclosure of personal information about another person

  • the information does not exist or, despite reasonable efforts, cannot be found.

The presumption is that access to personal information will be provided where possible. When declining, consider the following.

  • Can I provide partial access by redacting documents or providing a summary?

  • Can I provide supervised access rather than copies?

  • Can I provide the information in batches?

If access is refused, the agency must inform the requester of the reasons and advise them of their right to complain to the Privacy Commissioner.

Notifiable Privacy Breaches

If an agency experiences a privacy breach that it is reasonable to believe has caused, or is likely to cause, serious harm, it must notify both the Privacy Commissioner and the affected individuals as soon as practicable.

Failure to notify the Commissioner is an offence, even if the agency has taken steps to contain or remedy the breach. Limited exceptions exist to notifying individuals, for example, where the individual is under 16 and notification may be contrary to their interests, or where a health practitioner advises against it for health reasons.

Breaching The Privacy Act 2020

Where there is an alleged breach of the Privacy Act, an individual may make a complaint to the Privacy Commission, which can investigate and make recommendations in an attempt to resolve the matter informally. If the matter is not resolved, it may proceed to the Human Rights Review Tribunal, which can award damages for humiliation, loss of dignity and injury to feelings.

Potential Changes

The Government is proposing several minor changes to the Privacy Act. The main change would require an agency to notify an individual, as soon as reasonably practicable, where they collect information from anyone other than that person. This includes notification of the purpose of the collection, the name and address of the agency collecting the information, and the rights to access and correct the information. Some exceptions exist to this new requirement, specifically where the individual has been made aware previously of the relevant matters.

Jack Rainbow, Te Arawa (Tapuika), Ngāti Tūwharetoa, is an Associate at Dundas Street Employment Lawyers. Jack has strong experience in industrial relations, dispute resolution and providing high-level, strategic advice. He partners closely with his clients, providing advice and assistance from start to finish on a range of complex matters.
