New privacy data legislation comes into effect in NZ

Tuesday, 01 December, 2020


New Zealand’s Privacy Act 2020 has come into effect, providing New Zealanders with better privacy protections and greater obligations for organisations and businesses handling personal information. The new Act also gives the Privacy Commissioner greater powers to ensure organisations and businesses comply with the Act.

Privacy Commissioner John Edwards noted that the new law reflects the changes in New Zealand’s wider economy and society, as well as a modernised approach to privacy.

“The new Act brings with it a wider range of enforcement tools to encourage best practice, which means we are now able to take a different approach to the way we work as a regulator,” Commissioner Edwards said.

The new Act introduces privacy breach reporting obligations. Businesses or organisations that have experienced a breach that they believe has caused (or is likely to cause) serious harm must notify the Office of the Privacy Commissioner and affected individuals as soon as possible, by using the NotifyUs tool.

The Act has also introduced new criminal offences. It is now an offence to mislead an agency to access someone else’s personal information (such as by impersonating someone to access information). It is also an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for these is a fine of up to $10,000.

The Privacy Commissioner will also be able to issue compliance notices to businesses or organisations, to ensure their compliance with the Privacy Act 2020. The Privacy Commissioner will also be able to direct an organisation or business to confirm whether they hold personal information about an individual, and to provide the individual with access to that information.

A new privacy principle 12 has been added to the Privacy Act, to regulate the way personal information can be sent overseas. Under principle 12, an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to safeguards similar to those in the Privacy Act 2020.

Overseas businesses or organisations that are ‘carrying on business’ in New Zealand will also be subject to the Act, even if the business or organisation has no physical presence in New Zealand. This will affect businesses located offshore.

The Office of the Privacy Commissioner has produced resources and guidance to help people and organisations understand what’s changing in the Privacy Act.



  • All content Copyright © 2021 Westwick-Farrow Pty Ltd