The New Zealand Privacy Act is Changing

Review your privacy practices to ensure they meet the new regulations.
New Zealand’s 27-year-old Privacy Act changes on 1 December. The new Privacy Act 2020 will update our privacy environment and make some important changes to how organisations and businesses need to manage personal information.

Privacy should be at the heart of how a business handles personal information. If privacy is managed well, there will be few or no complaints, apologies and in some cases, compensation for harm caused. Instead, a business would be able to highlight how it preserves privacy as an important part of its brand or reputation.

Hospitality businesses collect a lot of personal information, in the form of customer information, but also in the form of employee information. Recently, we’ve seen privacy issues arise with customer contact tracing details on Covid-19 contact tracing registers. Some of these cases were serious privacy breaches which resulted from poor safeguards around the register. In other cases, some businesses were using contact tracing information collected from customers to add them to their marketing mailing list.

The new Privacy Act introduces new obligations for businesses, a financial penalty of up to $10,000 for some types of privacy breaches and gives the Privacy Commissioner more enforcement powers to make a business comply with the Act.

Mandatory privacy breach notification

Up to now, there’s been no obligation to report a serious privacy breach to the Office of the Privacy Commissioner (OPC). That is about to change. If your business has a privacy breach that has caused, or is likely to cause, serious harm, you will need to tell OPC and the affected individuals as soon as possible. It will be an offence to fail to inform the Privacy Commissioner - and a business can be liable for a criminal offence and face a fine of up to $10,000.

24 NOVEMBER/DECEMBER 2020 - HOSPITALITY BUSINESS
But not all privacy breaches will need to be reported. The threshold for a notifiable breach is whether it has caused or is likely to cause ‘serious harm’. The OPC’s NotifyUs tool can help you determine whether a privacy breach meets that threshold of seriousness.

Compliance notices

The Privacy Commissioner will be able to issue compliance notices to businesses, which will require them to do something, or to stop doing something, in order to comply with the Privacy Act. Compliance notices will set out the steps that the Commissioner considers are required to fix a situation and will specify a date by which the changes must be made.

Enforceable access directions

An important privacy right is the right to ask for any information about yourself. While this right is unchanged under the new law, the Privacy Commissioner will be able to direct businesses to give people access to their information. Up to now,
“Did you know that it is a legal requirement for every organisation in New Zealand to have a privacy officer?”