The New Zealand Privacy Act received a well-deserved overhaul to bring data privacy for individuals in line with global standards like the GDPR. Read on to learn how the changes to the Act impact you.
New Zealand’s original privacy legislation was passed in 1993. As a piece of legislation, it was well ahead of its time, detailing a number of privacy principles that guide organisations and other data collectors on the rights of the individual when it comes to their data privacy.
With GDPR leading the global push for improved data privacy for individuals, the Act was updated to give better control to individuals over how their data is used. The updates place several requirements on organisations that could make compliance challenging.
The commencement date for the Privacy Act 2020 is 1 December 2020, leaving organisations across New Zealand with precious little time to ensure that they are fully compliant.
A particular challenge is that of SAP systems where the degree of complexity can make a compliance effort feel overwhelming, especially if you don’t have the right data privacy tools.
Privacy breaches now require notifications to be sent to the Office of the Privacy Commissioner and affected individuals. However, this is only required if the breach poses a significant risk for the individuals in question.
The challenge here is twofold. On the one hand, your organisation must have a very clear idea as to which fields in your SAP system are regarded as sensitive enough to warrant a breach notification. On the other, you need to have a well-developed breach detection and notification process designed and implemented.
The Privacy Commissioner now has the ability to issue compliance notices. These notices allow the Commissioner to force organisations to do something or stop doing something for the purpose of compliance with the law.
Since these notices will come with a deadline, your organisation will have to be agile enough to respond within the time frame, otherwise you may face fines. For example, how quickly can you mask your sensitive SAP test data if that is required of you?
The Privacy Commissioner will also be able to force organisations to give individuals access to their data. The reason for this change is to allow for faster resolution of complaints under Principle 6 of the Act.
Disclosing data within SAP is tricky. The interrelationships between the various data tables make it complicated to extract and report on personal data across entire systems.
Privacy principle 12 was added to the Act to regulate how personal information can be sent overseas. With the cloud driving technological advancements, the transfer of personal data to other jurisdictions had to be addressed. In essence, the principle requires the organisation to make sure that personal information can only be transferred overseas if the receiving party has similar legislative safeguards in place that the Act affords.
If this is not possible, the individuals will need to be informed before the transfer takes place, so that the individuals can provide authorisation.
This presents a potentially more complex challenge. At a starting point it affects the choices your organisation makes in terms of hosting or cloud services providers. For example, you won’t be able to transfer data to US cloud servers without authorisation by every individual on your database. There is currently no Federal law that gives the same protections as the Act does.
This makes any decisions regarding the overseas transfer of personal information particularly complex, especially if you are already hosting your data in a jurisdiction that doesn’t qualify. What will you be doing with your data to ensure that you don’t need to request authorisation?
The Privacy Act 2020 now clearly states that it has extraterritorial effect. Any business or organisation that has some form of activity within New Zealand, and that collects personal information, must comply regardless of where they are located.
If your organisation is active in New Zealand, you must comply.
A number of new criminal offences are introduced by the new Privacy Act. Impersonating someone in order to gain access to personal information will now be a criminal offence. Also, it will be a criminal offence if a business or organisation destroys data, knowing that an access request is pending. These offences carry fines of up to $10,000.
For your organisation this means that a) you will need to have specific measures in place to confirm the identity of individuals who request personal information and b) you will need internal controls that disallow the deletion of data when a pending request is active.
Some additional changes highlighted by the Office of the Privacy Commissioner includes clarification in Principle 1 that cements the concept of “data minimisation”, where business and organisations are not permitted to collect information they don’t specifically need.
New withholding grounds for access requests under Principle 6 has also been added.
The Act refers to entities that must comply as “agencies.” In Section 3A of the Act, agencies are defined as organisations, business, or even individuals who collect personal information.
If you have no data privacy program in place, you need to start one with some urgency. Here are a number of steps that you should consider:
A fully developed program that aligns with GDPR (or similar) can assist as you may already have the necessary processes in place to be compliant with the Privacy Act 2020. The latter is less stringent in many ways than the GDPR, but don’t be lulled into a false sense of security. As technology advances, so will amendments to the Act.
However, it is still a worthwhile exercise to compare GDPR with the New Zealand Privacy Act 2020, to understand how any differences should be handled.
We understand the complexity of implementing data privacy compliance in large organisations, especially when it comes to complex SAP systems. To understand your options, read our white paper on making compliance easier from an SAP perspective.
This blog is not intended as legal advice and should not be construed as such. Its purpose is to provide information for educational purposes only and makes no claims or guarantees with regards to efficacy, accuracy or full compliance with the law discussed herein.
Please consult with an appropriate legal advisor before implementing any part of a Privacy Act 2020 compliance project. EPI-USE Labs will not take any responsibility for misinterpretation or incorrect application of practical measures towards compliance resulting from the use of this information.