After a long journey through Parliament, the Privacy Act 2020 (the Act) was passed into law on 30 June, and will come into force on 1 December 2020.
The Act retains the key privacy principles found in the Privacy Act 1993. It builds on these with additional changes to reflect the major technological developments that have occurred over the last 27 years.
This update briefly describes the key changes the Act will introduce and suggests changes your business may need to make to comply with it.
KEY CHANGES
The key changes made by the Act are:
- Mandatory reporting: agencies are required to notify the Privacy Commissioner and affected individuals about any privacy breach that has caused, or is likely to cause, serious harm to the affected individuals.
- Compliance notices: the Commissioner has a new ability to enforce compliance by issuing compliance notices which can be enforced by the Human Rights Tribunal.
- Cross-border transfers: there are stronger protections relating to the transfer of personal information to an entity outside of New Zealand.
- Information collection: there are tighter controls on the information that can be collected – agencies cannot require a person’s identifying information unless it is necessary for the lawful purpose for which they are collecting the information.
- New offences: there are two new criminal offences: misleading an agency to get someone else’s personal information, and destroying a document that contains personal information knowing it has been requested.
- Fines increased: fines for breaches are increased, to a maximum of $10,000.
- Overseas agencies: overseas agencies carrying on business in New Zealand will be caught by the Act.