A new Privacy Act will take effect from 1 December 2020. The Privacy Act 2020 (the Act) repeals and replaces the Privacy Act 1993.
The Act strengthens privacy protections. It promotes early intervention and risk management by agencies (the name used for any organisation or person that handles personal information) and enhances the role of the Privacy Commissioner.
The key changes include:
Requirements to report privacy breaches: If an agency has a privacy breach that causes serious harm or is likely to do so, it must notify the people affected and the Commissioner.
Compliance notices: The Commissioner will be able to issue compliance notices to require an agency to do something, or stop doing something.
Decisions on access requests: The Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.
Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by comparable privacy standards. The Act also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws.
Class actions: The Act permits class actions in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings.
New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it. The penalty will be a fine of up to $10,000.
Strengthening the Privacy Commissioner’s information gathering power: The Commissioner will be able to shorten the timeframe in which an agency must comply with investigations and the penalty for non-compliance will be increased from $2,000 to 10,000.
If you would like to learn more about the changes, please see the following documents: