NZ Privacy Week: Why You Should Care about the New Zealand Privacy Act 2020

New Zealand privacy legislation underwent a major modernisation in 2020 to reflect the changing way in which data is collected and used.

The updated Privacy Act 2020 has 13 information privacy principles that govern how businesses and organisations must collect, handle, use and disclose personal information.

The Act applies to companies, small businesses, social clubs, charities, societies, community groups and other organisations (the Act calls all of these "agencies").

The Act requires every agency to have at least one person in the role of privacy officer, who is responsible for all matters relating to privacy within the organisation.

Under the Act, if your organisation or business has a privacy breach that either has caused or is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as practicable.

Privacy Breaches

A privacy breach occurs when an organisation or individual either intentionally or accidentally:

  • Provides unauthorised or accidental access to someone’s personal information.
  • Discloses, alters, loses or destroys someone’s personal information.
  • Prevents the agency from accessing the personal information it holds, whether temporarily or permanently, for example because its systems or accounts have been locked out by an attacker.

A breach that has caused, or is likely to cause, anyone serious harm is a notifiable privacy breach: you must notify the Privacy Commissioner and any affected people as soon as practicable.

Failure to notify the Commissioner without a reasonable excuse is an offence, with a potential fine of up to $10,000.

The 13 Privacy Principles

The Privacy Act 2020 includes 13 information privacy principles (IPPs) covering the collection, storage, use and disclosure of personal information.

Principle 1: You can only collect personal information if it is for a lawful purpose connected with your functions and the information is necessary for that purpose. You should not require identifying information if it is not necessary for your purpose.

Principle 2: You should generally collect personal information directly from the person it is about. Because that won’t always be possible, you can collect it from other sources in certain situations. For instance, if:

  • the person concerned gives you permission
  • collecting it in another way would not prejudice the person’s interests
  • collecting the information from the person directly would undermine the purpose of collection
  • you are getting it from a publicly available source

Principle 3: When you collect personal information, you must take reasonable steps to make sure that the person knows:

  • why it’s being collected
  • who will receive it
  • whether giving it is compulsory or voluntary
  • what will happen if they don’t give you the information

Sometimes there may be good reasons for not letting a person know you are collecting their information – for example, if it would undermine the purpose of the collection, or if it’s just not possible to tell them.

Principle 4: You may only collect personal information in ways that are lawful, fair and not unreasonably intrusive. Take particular care when collecting personal information from children and young people.

Principle 5: You must make sure that there are reasonable security safeguards in place to protect personal information against loss, and against unauthorised access, use, modification or disclosure. This includes limiting employees to the information they need for their job and preventing them from browsing other people’s information.

Principle 6: People have a right to ask you for access to their personal information. In most cases you have to give them their information promptly. Sometimes you may have good reasons to refuse access. For example, if releasing the information could:

  • endanger someone’s safety
  • create a significant likelihood of serious harassment
  • prevent the detection or investigation of a crime
  • breach someone else’s privacy

Principle 7: A person has a right to ask an organisation or business to correct their information if they think it is wrong. Even if you don’t agree that it needs correcting, you must take reasonable steps to attach a statement of correction to the information recording the person’s view.

Principle 8: Before using or disclosing personal information, you must take reasonable steps to check that it is accurate, complete, relevant, up to date and not misleading.

Principle 9: You must not keep personal information for longer than it is needed for the purpose for which it may lawfully be used.

Principle 10: You can generally only use personal information for the purpose for which you collected it. You may use it in ways that are directly related to the original purpose, or in another way if the person gives you permission, or in other limited circumstances.

Principle 11: You may only disclose personal information in limited circumstances. For example, if:

  • disclosure is one of the purposes for which you got the information
  • the person concerned authorised the disclosure
  • the information will be used in an anonymous way
  • disclosure is necessary to avoid endangering someone’s health or safety
  • disclosure is necessary to avoid a prejudice to the maintenance of the law

Principle 12: You can only send personal information to someone overseas if the information will be adequately protected. For example, if:

  • the receiving person is subject to the New Zealand Privacy Act because they do business in New Zealand
  • the information is going to a place with comparable privacy safeguards to New Zealand
  • the receiving person has agreed to adequately protect the information – through model contract clauses, etc.

If there aren’t adequate protections in place, you can only send personal information overseas if the individual concerned gives you express permission, unless the purpose is to uphold or enforce the law or to avoid endangering someone’s health or safety.

Principle 13: A unique identifier is a number or code that identifies a person in your dealings with them, such as an IRD number or driver’s licence number. You can only assign your own unique identifier to individuals where it is necessary for your operational functions. Generally, you may not assign the same identifier that another organisation has already assigned to the person. If you assign a unique identifier to people, you must take reasonable steps to minimise the risk of its misuse (such as identity theft).

Why should you care?

Consumers have become much more wary of providing personal information to businesses. They have wised up to the value of their personal information and the potential for harm if it leaks.

With frequent news about mass data breaches and cases of identity theft, it’s no surprise that this wariness has grown so prevalent.

Consumers worry about things like:

  • How will they use my data?
  • Will they share it with any third parties?
  • Will they use it to continue to advertise to me?
  • What happens if they get hacked and my data leaks?

A well-structured, relevant privacy policy presented to your potential customers demonstrates that your business takes personal information and privacy seriously.

When was the last time you looked at your privacy policies?

We can help

At EC Credit Control, we provide expert guidance, policy documentation and website terms of use to ensure our clients understand their obligations and comply with the Privacy Act 2020.

Get in touch with your local EC Credit Control Business Support Specialist or fill in the form below if you would like a no obligation review.