Following our recent employment legislation update, we discuss key changes to the new privacy legislation.
The Privacy Act 2020 (“the new Act”) comes into force on 1 December 2020. It moves closer to representing the digital and international age we live in. While there are many consistencies with the existing legislation, there are also some significant changes that agencies need to be aware of. We summarise some of the key changes, focusing on those that are likely to have the biggest impact on the employment law arena, below.
A new Information Privacy Principle
The new Act introduces Principle 12 relating to cross-border disclosures of information.
Principle 12 covers situations where personal information is sent and stored overseas. Agencies will be responsible for ensuring any personal information disclosed overseas will be adequately protected, for example, by ensuring the overseas recipient is subject to privacy laws that provide comparable safeguards to the new Act. There will also be a due diligence obligation requiring businesses and organisations to be able to demonstrate appropriate steps were taken under this Principle, prior to making an overseas disclosure.
Overseas businesses operating in New Zealand will also be bound by, and liable under, the Privacy Act 2020.
Responding to requests for information
Data, often in the form of personal information, is a commodity in today’s society. In our area of specialisation, we commonly see requests for personal information, and responses to them, in the context of potential, existing or past employees/contractors.
Principle 6 gives individuals the right to request access to their personal information, and there are strict obligations in terms of when a response is due, and what information needs to be included in it. There are a number of reasons an agency can refuse access to some personal information, but they need to be utilised carefully, as there is also a positive obligation on an agency to explain to the requester that they have the right to make a complaint about the response to the Privacy Commissioner (see below for new powers and liabilities in that event).
The request and response obligations are not new. However, there are some changes to the permitted reasons for refusing access to personal information, including an amendment to the “evaluative material” exception, as well as the introduction of new grounds, for example relating to limiting disclosure where it would create a significant likelihood of serious harassment of an individual.
Enhanced powers for Privacy Commissioner
The new Act will also give the Privacy Commissioner further enforcement powers, including the power to issue binding decisions on access requests: confirming whether the agency holds the information requested, requiring the agency to permit the individual to access the information, and requiring that the information be made available in a specified way (for example, electronic versus in-person or hard copy access).
The Privacy Commissioner has also been given the power to issue compliance notices to agencies not meeting their obligations under the new Act. The notices can require an agency to start doing something or stop doing something in order to comply with the new Act’s requirements, and may publicly identify the organisation.
Notifying privacy breaches and failing to do so
The new Act introduces an obligation on agencies to notify the Office of the Privacy Commissioner as soon as possible where there has been a breach of privacy that has caused serious harm to an individual/s, or is likely to do so. The definition of serious harm lists a range of factors to be considered, including any action taken by the agency to reduce the risk following the breach, whether the information is sensitive in nature and the nature of the harm that may be caused.
There is also a new obligation on the agency to notify the individual/s concerned, although there are limitations on that obligation, including where it is not reasonably practicable to notify (for example, where a group is affected – in which case a public notice may be required).
A failure to comply with notification obligations can be treated as an offence under the new Act.
Offences and sanctions
In addition to existing offences such as obstructing the duties of the Privacy Commissioner, the new Act introduces criminal offences, including for:
- Misleading an organisation for the purpose of obtaining, altering or destroying someone’s personal information (this includes impersonating someone or pretending to act with their authority).
- Destroying documents containing personal information when it is known that a request has been made for that information.
- Failing to notify a privacy breach.
- Refusing to comply with a compliance notice.
The sanctions for these and other offences under the new Act are not insignificant – breaches of the Act may attract a fine up to $10,000.
What do the changes mean for your business?
The obligations and liabilities under the new Act need to be considered against your existing data collection and storage systems, policies, employment agreement clauses, and other ways in which information is collected (including, for example, surveillance systems). We can assist by providing tailored advice on, for example:
- reviewing the privacy policies of organisations you work with, particularly if the work involves the sharing of personal information;
- reviewing current processes, including how and where information is stored, how it is shared and with whom;
- helping you manage communications with key stakeholders (including staff) to inform them of the steps you have taken to comply with the new Act;
- responding to requests for information;
- your notification requirements, including the roles of key personnel in these situations; and
- the process for appealing directions made by the Privacy Commissioner.