Privacy Act 2020

A lot has changed since the Privacy Act first came into effect in 1993, including the evolving use of the internet and data storage. A new Privacy Act 2020 will come into effect on 1 December. If you have questions or concerns about your privacy, contact our friendly legal team today.

A lot has changed since the Privacy Act first came into effect in 1993, including the evolving use of the internet and data storage. A new Privacy Act 2020 (“the Act”) will come into effect on 1 December.

Whilst the Act retains the 12 key privacy principles found in the Privacy Act 1993, the additional changes reflect the major developments that have occurred over the last three decades.

The new Act brings New Zealand in line with international privacy and data protection laws.

Key changes:

  1. Notifiable privacy breaches – If a business or organisation has a privacy breach that it believes has caused, or likely to cause serious harm, it must notify the Privacy Commissioner and the affected individuals.
    The Privacy Commissioner will provide an online privacy breach notification tool to give guidance to assist businesses and organisations with this new obligation.
  2. Compliance notices – The Privacy Commissioner can issue compliance notices to businesses or organisations for a privacy breach. The notice will set out steps required to remedy non-compliance with the Act and will specify a date for making the necessary changes.
  3. Enforceable access directions – The Privacy Commissioner can direct businesses or organisations to provide individuals access to their personal information. Access directions will be enforceable in the Human Rights Review Tribunal.
  4. Disclosure of information overseas – If your business is based overseas, but you deal with individuals in New Zealand, you might be caught by the new Act even if you do not have a physical presence in New Zealand.  The change introduces regulations on the disclosure of personal information. Under the new Act, New Zealand business or organisations will need to ensure overseas agencies have similar levels of privacy protection as those in New Zealand.
    If the overseas service provider does not offer similar protections to those in New Zealand, the individual concerned must be fully informed that their information may not be adequately protected.
  5. New criminal offences – There are two new criminal offences under the new Act. It will now be an offence to:
    1. Mislead an agency to obtain someone else’s personal information; and
    2. Destroy documents that contain personal information knowing it has been requested.

The maximum penalty will be a fine of up to of $10,000.

With the new Act coming into effect in less than 3 months, now is the opportune time to review your existing practices and check that your privacy policies are up to date and will comply with the new Act.