A new Privacy Act was passed by Parliament at the end of June. The new law creates many new requirements for New Zealand businesses to navigate, and means that, on top of current economic troubles, businesses will need to focus urgently on cybersecurity and security processes before the law comes into force on 1 December this year.
The new law replaces our 27-year-old Privacy Act 1993, which was passed just as the age of the internet began with the creation of the world wide web in 1994. With all the changes that have happened in that time, it is not surprising that the update has been so comprehensive and added many additional layers of compliance.
The Act is part of a global trend of tightening restrictions on the use of personal data. From the General Data Protection Regulation (GDPR) in the European Union to Australia’s Privacy Act, governments the world over are increasingly aware of the value and potential for misuse of personal information and are seeking greater protections for their citizens. In addition to the changes for business, the Act facilitates sharing of personal data between government departments, within a set framework.
In terms of administration, the Privacy Commission is central to the Act. For example, the commission is the responsible body for notifications of privacy breaches, a role that the agency is already fulfilling through a voluntary regime. This is similar to the way notifiable breaches were initially created in Australia, where mandatory reporting has been in place since 2019. Once they became mandatory, there was a massive 712% spike in notifications – a clear indication of why the Act has been passed. The Privacy Commission will acquire the ability to impose fines under the Act as well, and refer cases to the Human Rights Review Tribunal.
In practical terms for business, the Act means several areas now require attention:
- Cybersecurity: The new Act creates compliance notices that could result in a maximum fine of $10,000. The Act broadly defines the risk of harm to an individual whose personal information might be compromised, which means that a cybersecurity breach is, as you would expect, a potentially very costly problem. That means that businesses will need to ensure their cybersecurity is up to scratch to begin with – ensuring, for example, that your business is using multi-factor authentication to access information, has up-to-date firewall rules, has strong endpoint security on your desktops, laptops and even mobile phones, and makes your staff aware of phishing and other scams (especially via email) and their use by criminals to access personal information. All of these lines of defence should already be in place, but the Act creates a new impetus and potential costs for not doing so.
- Breach detection and notifications: The mandatory notifications of breaches created by the Act create process requirements on business that are perhaps the most significant feature. Anyone storing any personal information is affected, which means practically every business will have to comply in some form. While the definition of the "risk" to an individual by a breach is pretty wide, we will no doubt see court decisions in the coming years that further tighten the definition. Compliance with mandatory notification itself comes in two parts. First, you will need to know what data has been compromised and be able to notify that breach within a reasonable period. That means implementing systems and access monitoring, or tools such as Data Loss Prevention (DLP), which, as its name suggests, can prevent sensitive information being sent outside of a business in the first place and, failing that, provides reporting and event logging to determine the scale of a breach. Second, a business must be able to notify those affected by the breach individually and then the Privacy Commissioner. That means ensuring contact information itself is kept up to date, and that there is the means to contact discrete groups of affected individuals. Again, that will require specific business processes to be put in place and tested.
- Access control: If an organisation or business refuses to make personal information available upon request to an individual, the Privacy Commissioner will have the power to demand release, and the ability to take cases through a legal process that could result in fines of up to $10,000. This means that access control to personal data must be clearly mapped out, including the ability to change personal data as requested. While this is a process issue, it will nonetheless require focus to ensure compliance with the Act.
Another important point is that the Act applies to New Zealanders’ personal information stored overseas. New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand. The fact servers or storage might be outside of New Zealand is not a way to escape the Act's requirements.
There is also explicit application of the Act to businesses whether they have a legal or physical presence in New Zealand or not. If an international digital platform is carrying on business in New Zealand, with New Zealanders’ personal information, it will be obliged to comply with the Act regardless of where it is, or where its servers are based.
Overall, the effect of the new law is to tighten restrictions on the use of personal information. Businesses will need to take a close look at their internal processes and cybersecurity systems. It is not clear yet how much leniency the Privacy Commission will have for compliance with the law. What is clear though is that the potential costs – not just in terms of fines, but in terms of damage to reputation resulting from mandatory notifications – will be significant.