The new Privacy Act – is your workplace prepared?
It has been a big year for employers, and it is about to get even bigger with the introduction of the Privacy Act 2020. The new Act comes into force on 1 December 2020, repealing and replacing the 27-year-old Privacy Act 1993. Its enactment follows years of review, and it is a much-needed, and overdue, response to international developments in data protection and an increase in serious data breaches.
Moreover, the new Act will change the way employers collect, use, and disclose the personal information of their employees. Most businesses will need to make changes to their systems and processes, so employers should start preparing now.
Does the new Act apply to me?
If you are an employer, the new Act applies to your business. The new Act applies to any business or organisation that collects and holds personal information about other people. It applies to both New Zealand and overseas employers where information is collected or held while carrying on business in New Zealand.
What are the changes?
Much of the content of the current legislation remains, including the privacy principles, but there are also significant changes. These changes encourage early intervention and risk management by employers, and they expand the role of the Privacy Commissioner. They also bring New Zealand more in line with international practice.
Notifiable Privacy Breaches
Employers will need to report serious privacy breaches. A serious privacy breach is one that it is reasonable to believe has caused serious harm to an affected employee, or is likely to do so. If an employer experiences a notifiable privacy breach, it must notify the affected employee and the Office of the Privacy Commissioner as soon as practicable, or potentially face a fine of up to $10,000. Liability rests on the shoulders of employers, not employees.
The Commissioner will be able to issue employers with Compliance Notices requiring them to do, or stop doing, something in order to remedy non-compliance with the new Act or any code of practice issued under it. Compliance Notices may be issued at any time, including concurrently with any other means of dealing with the breach.
The Commissioner will be able to make binding decisions on complaints relating to an employee’s right to access their personal information. Access Directions will be enforceable in the Human Rights Review Tribunal, and failing to comply may result in a fine of up to $10,000. The powers of the Commissioner will be far wider than under the current legislation, and employers must take any rulings or determinations made under the new Act seriously.
The new Act introduces a new Privacy Principle 12, which prescribes when personal information may be disclosed to a foreign person or entity. Under this principle, an employer must ensure that information being shared overseas will be protected by safeguards comparable to those under New Zealand privacy law, unless the relevant employee has authorised the disclosure knowing that such safeguards may not be in place.
New criminal liability
There are several new consequences for breaching New Zealand’s privacy laws under the new Act. These include criminal liability for the company (and for its directors, if applicable), with fines of up to $10,000. Criminal liability may arise, for example, where an employer destroys a document containing personal information after a request has been made for it, or where an employer knowingly gives false information to the Commissioner.
What does the new Act mean for employers?
Employers need to review their current systems and processes to ensure they will be compliant with the new Act by 1 December 2020. It does not matter how big or small a business is; it is the business owner’s responsibility to understand the business’s obligations and to comply with the new Act.
We recommend employers seek advice and do the following:
Establish a comprehensive management process to hold and share employee personal information (or update the process currently in place).
Update any workplace privacy policies to align with the new Act.
Establish a clear procedure for detecting and reporting notifiable breaches.
Review third-party contracts with overseas-based service providers to make sure the privacy protections they provide are comparable to those under New Zealand privacy law.
Provide training for staff, particularly on what a “notifiable” privacy breach is and where to raise one, and on clear record-keeping and destruction processes.
Appoint a privacy officer (employer or employee) to manage the above.