The new Privacy Act came into force on 1 December 2020, providing a modified (and in certain respects more onerous) regime governing the collection, storage and use of information about identifiable individuals (referred to in the Act as ‘personal information’). In particular, the new Act requires any entity or person who holds personal information (referred to in the Act as an ‘agency’):
- To take reasonable steps to ensure that any person from whom they collect personal information is aware of various matters, such as the fact that the information is being collected, why it is being collected and who will be the recipients.
- To only collect private information from individuals for a lawful purpose (and only to the extent it is necessary for that lawful purpose).
- To notify the Office of the Privacy Commissioner and the individual affected where a privacy breach poses a risk of serious harm to that individual (which is assessed taking into account various factors prescribed in the new Act).
- To appoint a privacy officer who will be responsible for:
- ensuring that the agency complies with the Act (which of course means that the privacy officer themselves must be familiar with the requirements of the Act);
- dealing with requests made under the Act, such as access to personal information, or correction of personal information; and
- acting as the agency’s liaison with the Office of the Privacy Commissioner in relation to investigations and the like.
Most of these new requirements should be easy enough for businesses and other agencies to get right provided they know what is required of them. In this respect the Office of the Privacy Commissioner provides a range of free and well put together training videos and courses at the website https://www.privacy.org.nz/tools/online-privacy-training-free/ Your lawyer available to assist also, if you would like.
A good example of common, obvious, and also very easy to fix non-compliance would be the use of a COVID-19 register or other visitor registers at the entry point to businesses without the inclusion of an appropriate privacy statement consistent with the requirements of the Act.
Fines for non-compliance with the Act can extend to $10,000 per incident and damages payable to the victim for serious breaches have been known to exceed $100,000. Putting the pure legal and financial ramifications to one side, it doesn’t seem like many months go by without the media running a significant story on a breach of privacy – usually doing untold reputational damage to the subject of the story. Given these potential repercussions of failing to comply with the new Act, if you haven’t already done so, now is the time to get yourself familiar with the requirements and ensure that you are compliant.