Privacy laws apply to every organisation. They apply whenever personal information is collected, including when collected through an online presence (e.g. a website). If you get privacy wrong it can have a significant impact on your reputation.
In this article, we discuss how the new Privacy Bill will impact you and what you need to be doing now to be ready for when it becomes law. We also provide a more detailed commentary on the latest changes to the Bill if that is of interest to you.
Privacy Bill changes
How will it impact you?
In a nutshell, the Bill will:
- Make it mandatory to report a privacy breach that results or is likely to result in serious harm to the individual. It is vital every organisation understands this proposed new requirement well.
- Strengthen the Privacy Commissioner’s powers, including new powers to:
  - Direct an organisation to provide an individual with access to their personal information; and
  - Issue a notice requiring an organisation to comply with privacy laws.
- Introduce new fines of up to $10,000 for certain failures, such as not reporting a privacy breach.
This new law is proposed to come into effect on 1 March 2020.
What do you need to do?
There are four things that you will need to do to comply with the Bill’s proposals:
- Make sure you have an up-to-date privacy breach response plan that covers the new reporting requirement.
- Update your privacy policies and privacy statements (e.g. the ones on your website) to make sure they are compliant with the Bill.
- Understand what personal information you collect, store, use and disclose and make sure your processes comply with the Bill.
- Update your contracts with suppliers and other third parties who store or process personal information for you to make sure they have a clear understanding of the requirement to report a privacy breach to you. Under the Bill, you will be accountable for a privacy breach that happens at these suppliers and other third parties.
Get in touch with our privacy expert, Graeme Crombie, or your usual Lane Neave contact to find out more on what you will need to do when the Bill becomes law.
What else do you need to know about?
Under the Bill, you must:
- Not collect an individual’s identifying information if you do not need it;
- Take into account the vulnerability of children and young persons when collecting personal information from them;
- Take reasonable steps to minimise the risk of misuse of unique identifiers (e.g. truncate an account number on correspondence); and
- Make sure that any overseas organisation that you provide personal information to for their own use is subject to privacy obligations similar to those in New Zealand.
The Bill will also apply to anyone overseas who is doing business in New Zealand.
Privacy Bill – a recap
The Bill was initially introduced to Parliament on 20 March last year and we commented on it in a previous newsletter, which you can find here.
The Bill will replace the Privacy Act 1993 (Act) in its entirety. However, it is not a do-over. The Bill retains much of the content of the current Act. What is different is the use of updated language, re-ordered provisions, and a strengthening of the compliance aspects of the privacy regime.
Commentary on Select Committee Report
On 13 March 2019 the Justice Select Committee reported back to Parliament on the Bill. Its report proposes a number of changes to the Bill, which we expect Parliament to accept. While there are still a few more stages for the Bill to go through in Parliament, we expect that it will likely pass through those stages without any fundamental changes.
We discuss the key changes to the Bill proposed by the Select Committee below, the most significant of which is in relation to the privacy breach reporting provisions of the Bill.
Mandatory reporting of privacy breaches
Summary of the requirement
The Bill as introduced had a low threshold for both what was a privacy breach and when notification was required. While the Select Committee has retained the low threshold for what is a privacy breach, it has moved the notification bar up to one of serious harm.
So, under the Bill as reported back, if it is reasonable to believe a breach of privacy has caused serious harm or is likely to do so (a notifiable privacy breach), an agency must notify both the affected individual (unless an exception applies), and the Privacy Commissioner. “Agency” is the term used by both the Act and the Bill to describe to whom the regime applies, which includes organisations (such as businesses, not for profits and Government departments) and individuals.
What is serious harm?
What amounts to serious harm is not defined. However, the Bill sets out a number of factors that an agency must consider in deciding if the breach has or is likely to cause serious harm (and so whether or not it is required to notify the privacy breach). These are:
- Any action taken by the agency to reduce the risk of harm following the breach;
- Whether the personal information is sensitive in nature;
- The nature of the harm that may be caused to affected individuals;
- The person or body that has obtained or may obtain personal information as a result of the breach (if known);
- Whether the personal information is protected by a security measure; and
- Any other relevant matters.
The serious harm concept is also used in Australia for data breach notification. So, the guidance the Office of the Australian Information Commissioner has issued on this may be useful to New Zealand agencies too.
However, as this term has not been specifically defined, if the Bill becomes law in this form, it may be prudent to report breaches unless an agency can clearly say the breach does not or will not result in serious harm. As the National Party has stated in the Select Committee report, “there is still a risk of over-notification” with the current formulation.
Have an assessment process in place
Agencies will need to put in place a process to assess the serious harm question if a privacy breach occurs. This process will need to cover all types of privacy breach, remembering that the threshold for a privacy breach is low.
The threshold includes what you would expect (e.g. unauthorised loss or disclosure), but also some things you may not expect (e.g. accidental access to personal information, or an action that temporarily prevents the agency from accessing information). Examples likely to fall into this latter category include personnel inadvertently seeing information and the unavailability of computer systems.
Notification requirements
Under the Bill, notifications will be required as soon as practicable after an agency becomes aware of a notifiable privacy breach. However, the Select Committee has recommended an ability to delay notification to an affected individual (but not the Privacy Commissioner) if notification may create security risks and the benefit of not notifying outweighs the benefits of notification.
The Bill sets out what is required in the notifications, which includes stating the steps taken in response and steps an individual may wish to take. Public notice can be given if individual notice is not reasonably practicable.
Many agencies use third parties to store or process personal information on their behalf (e.g. an IT provider). The Select Committee has now made it clear that a privacy breach at the third party is the responsibility of the collecting agency. This means agencies will need to ensure that contracts with third parties that store or process any personal information on their behalf require the third party to notify the agency of any privacy breach that occurs at the third party.
Implications of a failure to notify
The Select Committee has not altered the proposed penalties for failing to report notifiable privacy breaches to the Privacy Commissioner. This remains a fine of up to $10,000, which is low by international standards.
The Select Committee has also introduced a defence to a charge of failure to notify if the agency did not consider the privacy breach to be a notifiable privacy breach. But it will only be a defence if it was reasonable for the agency to reach that view in all the circumstances. One way to support this defence would be to obtain legal advice from an appropriate legal expert. Thus, once this Bill becomes law it will be important to have a legal privacy expert available to help with this assessment.
A failure to notify the individual will also be deemed to be an interference with the individual’s privacy, so the individual can complain to the Privacy Commissioner and claim damages in the Human Rights Tribunal. As a class action can be brought in the Human Rights Tribunal, such an action may have more teeth than a fine if the breaches were significant and widespread.
Other points of note
Other key changes to be aware of are:
- Scope – The Select Committee has introduced a new scope section to outline the organisations to which the Bill applies, being:
  - New Zealand organisations, in respect of personal information collected both in New Zealand and offshore; and
  - overseas organisations, but only in respect of personal information collected in the course of carrying on business in New Zealand.
- Compliance notices – The Select Committee has proposed that the Privacy Commissioner publish the name of any agency that is issued a compliance notice.
- News activity – The Select Committee has extended the existing news exceptions for news agencies to blogs and other services provided over the Internet.
- Cross-border data flow protections – The Bill introduced a new prohibition on disclosing personal information to an overseas organisation (or person) that is not subject to the regime, unless the individual consented, the information was protected by comparable privacy safeguards, or an exception applied. The Select Committee has now enshrined these provisions in a separate privacy principle (a new principle 12, with the old principle 12 becoming a new principle 13).
- Public registers – The Select Committee has removed the public register provisions in the Act from the Bill (so all personal information will be subject to the 13 privacy principles).
The Bill has also clarified that where an agency is using a third party provider for processing or storage it remains the collecting agency that is responsible for ensuring compliance with the privacy regime. So, the collecting agency should ensure the contract it has in place with the third party provider enables it to comply with the privacy regime.
Overseas comparison
Aside from the introduction of mandatory data breach notification requirements, the Bill does not tackle the issues that are addressed by new requirements that came into force last year in the EU. Please refer to our earlier newsletter on what those new requirements are. Click here for a link.
There are also a number of other issues that the Bill does not address, such as dealing with re-identification of previously de-identified personal information.
We expect that these will be matters that the Government will likely consult on in the future. So, watch this space.
Want to know more?
Get in touch with privacy expert, Graeme Crombie, or your usual Lane Neave contact to find out more on what you will need to do when the Bill becomes law. We will also be hosting some seminars to explore and discuss the implications of the Bill for businesses. Keep an eye out for your invitation in the coming weeks.
Business Law team
If you need any assistance do not hesitate to get in touch with the Business Law team at Lane Neave.
Gerard Dale, Claire Evans, Graeme Crombie, Evelyn Jones, Anna Ryan, Joelle Grace, Peter Orpin, Ellen Sewell, Matt Tolan, Carlo Wan, Kristina Sutherland, Jacob Nutt, Whitney Moore, Alex Stone, Ben Cooper, Lisa Catto