Business As (Not) Usual? Lending a Private Eye to the Privacy Act in Business

by Nadia Herlambang

Introduction

The recent revamp of our privacy laws has made managing a business in New Zealand while still safeguarding privacy for all those involved increasingly challenging. The enactment of the Privacy Act 2020 — which replaced its predecessor, the Privacy Act 1993 — has brought significant changes to how businesses can collect, store, use, and share personal data.[1] The Privacy Act 2020 acknowledges and addresses the demands of our progressively data-centric world. We have all at some point shared our personal information, such as our names, contact information, and card details, with a business. In an era of heightened vulnerabilities from digitalisation, the introduction of the Privacy Act 2020 has been a welcome development.[2] 


Preparation for the Privacy Act 2020

In anticipation of the Privacy Act 2020 (“the Act”) being implemented, businesses proactively took several steps to ensure compliance. They conducted thorough evaluations of their contractual agreements with third-party entities, conducted training sessions for their staff, revised their organisation's privacy policies to align with the Act, established efficient protocols to identify, report, and investigate breaches of personal data, and established transparent channels of communication within their internal structure.[3]


The Act implemented the crucial obligation for businesses and organisations to appoint a privacy officer, whose responsibilities encompass the following:[4]

· Familiarising themselves with the provisions of the Act, including the Information Privacy Principles (IPPs), as well as other relevant legislation;

· Ensuring the business or organisation adheres to the Act’s requirements, thereby maintaining compliance;

· Handling complaints related to potential privacy breaches and responding to Privacy Act requests;

· Conducting privacy training sessions for staff members, ensuring they are well-versed in privacy matters;

· Providing guidance and advice to the business or organisation regarding compliance with privacy regulations, addressing specific privacy requirements, and suggesting potential improvements.


The appointment of a privacy officer is a vital measure taken to promote accountability, awareness, and effective management of privacy within the business or organisation in accordance with the Act. For instance, since businesses are required to securely store and handle information, they need to provide adequate training to staff on proper information management practices — for example, a locked cabinet for physical confidential documents. 


Key Changes to the Privacy Act

In New Zealand, the Office of the Privacy Commissioner (OPC) and the Information Privacy Principles (IPPs) play a central role in the country's privacy laws. The enactment of the Act resulted in changes to the powers and scope of both.

The OPC is an Independent Crown Entity with various functions outlined in section 17 of the Privacy Act 2020.[5] These functions include issuing public statements on privacy-related matters, investigating complaints regarding privacy breaches, and ensuring compliance with the Privacy Act. Additionally, the Privacy Commissioner has the authority to issue codes of practice that are legally binding, setting specific rules and guidelines for particular industries or organisations.[6]

The IPPs are the principles within the Act that govern how businesses should collect, handle, and use personal information. Detailed information and explanations of the 13 IPPs under the Act can be found on the Privacy Commissioner’s website.[7] These principles provide guidance on best practices for organisations when it comes to protecting and managing personal data in accordance with the law.


Changes to IPPs

The IPPs play a crucial role in governing the everyday operations of businesses that handle confidential information. The Act introduced changes to IPP 1 (Purpose of Collection) by clarifying that identifying information can only be collected if it is necessary for a lawful purpose connected to an agency’s functions or activities.[8] If a person’s identifying information, such as a phone number, is not actually required for that purpose, then IPP 1 does not permit the agency to collect it.


Additionally, the Act introduced IPP 12, which clarifies the extraterritorial scope of the Act. The range of entities operating in New Zealand that are subject to New Zealand privacy obligations has been broadened and their obligations affirmed, as per section 4 of the Act. Businesses that disclose personal information overseas must ensure that the receiving country offers a level of privacy protection comparable to New Zealand’s.[9]


Furthermore, under the Act, the term ‘business’ in New Zealand extends beyond traditional commercial activities and encompasses overseas organisations, such as non-profits, if they carry out activities within New Zealand.[10] The extraterritorial scope of the Act means that an overseas business may still be subject to New Zealand’s privacy obligations, even without a physical presence in the country.[11]


Notification Regime

The Act introduced the country's first mandatory breach notification regime. Businesses in New Zealand are required to notify the Privacy Commissioner promptly upon becoming aware of a notifiable privacy breach.[12] In this context, a notifiable privacy breach broadly refers to a breach that has caused or is likely to cause significant harm to the affected individuals.[13] Additionally, New Zealand businesses must also notify the affected individuals as soon as practicable after becoming aware of a notifiable privacy breach, unless certain exceptions apply.[14] Failure to notify the Privacy Commissioner of a breach is considered an offence and can lead to a conviction and a fine of up to $10,000 NZD,[15] unless there is a reasonable excuse for the failure to notify.[16] It is crucial that businesses understand and comply with these breach notification requirements to ensure the appropriate handling and disclosure of privacy breaches to the relevant parties.

Increased Powers of OPC

Under the Act, the Privacy Commissioner is granted increased authority and capabilities to enforce compliance with the Act. The Commissioner has the power to issue compliance notices, requiring businesses to take specific actions or cease certain activities to ensure compliance.[17]


Furthermore, the Commissioner also has the authority to make decisions on complaints lodged by individuals regarding access to or correction of their information. If an individual wishes to make an access[18] or correction[19] request to a business, they can do so directly to the business, which is required to respond within 20 working days. The OPC website features a response date calculator on its home page to help individuals determine when they can expect a response. If a business fails to respond within the specified timeframe, or if the individual is dissatisfied with the response received, they have the option to lodge a complaint with the OPC.

As part of investigating such complaints, the Privacy Commissioner also has the authority to issue enforceable access directions, compelling organisations to provide individuals with access to their personal information.[20] These measures enhance the Privacy Commissioner's ability to protect individual rights and ensure businesses' compliance with access and correction requirements. This streamlined process aims to facilitate faster resolution of access and correction requests. 

New Criminal Offences and Fines

The Act introduced new criminal offences within its provisions. These offences include:

· Misleading an agency with the intention of gaining unauthorised access to someone else's personal information.[21]

· A business intentionally destroying personal information after an individual has made a request to access that information.[22]

If an offence is committed, the Office of the Privacy Commissioner (OPC) has the authority to enforce fines of up to $10,000. These penalties are intended to deter actions that undermine the privacy rights and obligations outlined in the Act. It is important for businesses and individuals to be aware of these offences and to ensure compliance with the Act to avoid legal consequences.


Moreover, if a company breaches one or more IPPs in the Act, a complaint can be made to the Privacy Commissioner. The Commissioner can escalate the complaint through a public interest inquiry, a public naming of the business, or a referral to the Human Rights Review Tribunal. The Tribunal can award damages for humiliation, loss of dignity, and injury to an aggrieved individual’s feelings.[23]

Conclusion

Privacy has become an increasingly pervasive concern across various aspects of life. This is evident in the repeal of the Privacy Act 1993 and its 2020 replacement, which necessitated consequential amendments to other legislation, such as the Accident Compensation Act, Building Act, and Companies Act. Consequently, organisations and businesses have had to adapt and align themselves with the updated requirements outlined in the new Act. As society continues to evolve in the modern age, there is a heightened awareness of the potential repercussions that can arise from non-compliance with privacy requirements. The fear of reputational damage has intensified, particularly given the increasing reliance on data in various sectors. It will be intriguing to observe how future case law will reflect the amendments introduced by the Privacy Act 2020 and how they interact with businesses in practice.


[1] Office of the Privacy Commissioner “Privacy Act 2020 and the Privacy Principles” <https://www.privacy.org.nz/privacy-act-2020/privacy-principles/>.

[2] “The new Privacy Act 2020 – what you need to know” (29 July 2020) Duncan Cotterill <https://duncancotterill.com/publications/the-new-privacy-act-2020-–-what-you-need-to-know>.

[3] “The new Privacy Act 2020 – what you need to know” (29 July 2020) Duncan Cotterill <https://duncancotterill.com/publications/the-new-privacy-act-2020-–-what-you-need-to-know>.

[4] Office of the Privacy Commissioner “Privacy officers” <https://www.privacy.org.nz/responsibilities/privacy-officers/>.

[5] Office of the Privacy Commissioner “Introduction” <https://www.privacy.org.nz/about-us/introduction/>.

[6] Office of the Privacy Commissioner “Codes of practice” <https://www.privacy.org.nz/privacy-act-2020/codes-of-practice/>.

[7] Office of the Privacy Commissioner “Privacy Act 2020 and the Privacy Principles” <https://www.privacy.org.nz/privacy-act-2020/privacy-principles/>.

[8] Office of the Privacy Commissioner “Principle 1 - Purpose for collection of personal information”< https://www.privacy.org.nz/privacy-act-2020/privacy-principles/1/>.

[9] Office of the Privacy Commissioner “Principle 12 - Disclosure outside New Zealand” <https://www.privacy.org.nz/privacy-act-2020/privacy-principles/12/>.

[10] Caroline Hopland, Hunter Dorwart and Gabriela Zanfir-Fortuna “A Deep Dive into New Zealand’s New Privacy Law: Extraterritorial Effect, Cross-Border Data Transfers Restrictions And New Powers Of The Privacy Commissioner” (8 December 2020) Future of Privacy Forum <https://fpf.org/blog/a-deep-dive-into-new-zealands-new-privacy-law-extraterritorial-effect-cross-border-data-transfers-restrictions-and-new-powers-of-the-privacy-commissioner/>.

[11] Privacy Act 2020, s 12, and Office of the Privacy Commissioner “Principle 12 - Disclosure outside New Zealand” <https://www.privacy.org.nz/privacy-act-2020/privacy-principles/12/>.

[12] Privacy Act 2020, s 114.

[13] Privacy Act 2020, s 112(1).

[14] Privacy Act 2020, s 115(1).

[15] Office of the Privacy Commissioner “Privacy 2.0: Key changes in the Privacy Act 2020” <https://www.privacy.org.nz/blog/key-changes-in-the-privacy-act-2020/>.

[16] Privacy Act 2020, s 118.

[17] Privacy Act 2020, s 123.

[18] Privacy Act 2020, s 40, and Office of the Privacy Commissioner “Principle 6 - Access to personal information” <https://www.privacy.org.nz/privacy-act-2020/privacy-principles/6/>.

[19] Privacy Act 2020, s 59.

[20] Privacy Act 2020, s 92.

[21] Privacy Act 2020, s 212(2)(c).

[22] Privacy Act 2020, s 212(2)(d).

[23] Privacy Act 2020, s 103.

The views expressed in the posts and comments of this blog do not necessarily reflect those of the Equal Justice Project. They should be understood as the personal opinions of the author. No information on this blog will be understood as official. The Equal Justice Project makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The Equal Justice Project will not be liable for any errors or omissions in this information nor for the availability of this information.

Featured image source: Geograph