It’s been a long time coming, but New Zealand’s new privacy laws are almost here. The Privacy Bill which amends the Privacy Act 1993 passed through Parliament and received Royal Assent on 30 June 2020.
But the momentum behind the new Privacy Act 2020 has been in train for much longer.
New privacy laws for a new world
The reforms take effect on 1 December 2020 and aim to align the Privacy Act with best practices in privacy and data protection worldwide, most notably the EU’s General Data Protection Regulation (GDPR) scheme.
By emphasising the importance of early intervention and risk management, the new laws keep good company with other legislative instruments abroad, particularly in how they impose obligations on organisations that suffer data breaches to notify affected parties.
More broadly, the new laws and the international context from which they arise demonstrate a general awareness that privacy and data protection compliance is very much a global issue. They are a response to the fact that, just as the technology for handling personal information has become more widespread and complex over the years, so too have the means by which criminals gain unauthorised access to data.
Laws such as the GDPR, the Australian Privacy Act 2018, the California Consumer Privacy Act 2020 and now the New Zealand Privacy Act 2020 (along with similar changes proposed for the Singapore Personal Data Protection Act 2012) signal a concerted effort to make privacy and data protection measures more robust in light of developing technologies and complex global interactions, such as international transfers of data.
Case study: an online data breach with savings fund provider Generate
A case in point took place in February 2020, when the Auckland-based savings scheme provider Generate reported a data breach that affected 26,000 customers. The company, which provides savings funds under the banner of the government-run KiwiSaver scheme, disclosed that a third party had gained unauthorised access to its online application system. The application page requests a range of personal information, including full name, address, tax identification number and passport or driver’s licence details.
Generate promptly notified the Privacy Commissioner and signalled that it was working with cybersecurity experts to strengthen its security systems in order to prevent further breaches.
What is changing?
The reforms place important new glosses on the Information Privacy Principles. Their ramifications will be broad-ranging, from new penalties and offences to new powers for the Privacy Commissioner to issue compliance notices that require agencies (the name used for organisations and people that handle personal information) to undertake or stop specific actions.
Among the new penalties for breaches of the Privacy Act is a new offence for misleading conduct that affects someone else’s personal information. For example, under the new laws an agency will incur a penalty of up to $10,000 if it destroys a document containing someone’s personal information after that person has sought access to it.
But arguably the most significant areas of reform that will attract attention relate to the following:
- The extraterritorial scope of the laws
- International transfers of data (or ‘cross-border data flows’)
- Assessments of data breaches and obligations to notify affected parties
Extraterritoriality: do the new laws apply to you?
Under the new privacy laws, agencies may still be held liable for data breaches even if they do not have a physical presence in New Zealand. It doesn’t matter where they collect and store personal information or where the person this information relates to is based. If overseas organisations conduct business in New Zealand, they will be considered subject to New Zealand’s Privacy Act.
International transfers of data
The new laws aim to strengthen cross-border protections by compelling agencies to take the necessary steps to protect any personal information sent overseas. The chief mechanism for restricting the disclosure of personal information is to ensure that any recipient of this information is subject to privacy standards similar to New Zealand’s laws.
Before sending personal information to an overseas recipient, an agency must make a reasonable effort to ensure that the recipient is held to comparable privacy or data protection “safeguards”. These safeguards could take the form of either contractual obligations imposed on the recipient by the agency, or laws and regulations enforced within the recipient’s own jurisdiction.
But not all transfers of data abroad will be considered an overseas disclosure under New Zealand’s laws. For example, sending data to a cloud hosting provider or some other offshore data processor is exempted from these restrictions. This is an important consideration, given that some of the world’s major public cloud services do not yet have operational data centres functioning in New Zealand.
Notifiable data breaches
If an agency suffers a data breach that causes serious harm or is likely to cause serious harm to affected parties, it will need to notify the Privacy Commissioner and the affected parties.
The potential for serious harm, even if that harm does not arise, is important here, as the Generate case demonstrates. Generate notified the Privacy Commissioner about a third party gaining unauthorised access to its online application system, even though there was no evidence that the third party had committed fraud as a result of the breach. What matters is that the unauthorised access had been obtained and that customers were duly notified of how that access could affect them. The company made a special effort to encourage customers to check whether their own accounts had been accessed. It outlined steps that customers should take to respond to this incident.
The new laws provide a framework for assessing the definition of ‘serious harm’, the likelihood of it occurring and whether any relevant personal information might be considered sensitive in nature.
The laws also contain important exceptions as to when it may not be necessary to notify individuals that their data has been breached, or when notifications should be delayed. For example, where a data breach has shown an agency’s security systems to be vulnerable to further breaches, it may be more prudent to hold off from notifying affected parties until the vulnerabilities are addressed.
Training in prevention and minimisation
The new Privacy Act does not exist in a vacuum. On the contrary, it is the product and continuation of sweeping global efforts to regulate the fraught, changing world in which our personal information moves. Not only does it echo and reinforce these global privacy and data protection efforts; it also complements growing awareness of the need for organisations to bolster the security – particularly the cyber security – of their systems.
While it may seem defeatist for regulatory reforms to fixate on what relevant organisations and people should do if a data breach occurs, another perspective is that the new laws are simply being realistic about the scale and nature of the challenges posed by the handling of personal information today.
Online compliance training is more important than ever in alerting our workforce to their privacy, data protection and cyber security obligations. Training can help learners understand how to prevent data breaches from occurring as well as what their role is in minimising the consequences if a breach occurs.
Even if people in general are becoming more aware of how their own personal information is being handled by other organisations, they still need to learn what they are required to do when it comes to handling someone else’s information. The use of practical scenarios can help to bring hypothetical dangers to life. Tips and tricks can steer learners towards taking practical actions.
Privacy and data protection training helps to make the challenges involved in handling personal information more transparent to a wide audience. Above all, training can show that, if data breaches are a common problem, so are our obligations to address them.
GRC Solutions’ revamped New Zealand Privacy course captures the latest legal reforms and best practices. Talk to us today about our range of privacy, data protection and cyber security courses for different jurisdictions.
For more information on other GRC Solutions’ privacy training resources:
Privacy – Covering the Privacy Act and the Australian Privacy Principles
Australia – Financial Services
Financial Services Privacy Training – covering the Privacy Act and the Australian Privacy Principles
Credit Reporting – covering the Credit Reporting Act
General Data Protection Regulation – covering the GDPR – which has global implications
Data Protection Singapore – covering the Personal Data Protection Act 2012 and also the implications of the GDPR
Data Protection Malaysia – covering the Personal Data Protection Act 2010 and also the implications of the GDPR