Changes to the Privacy Act & reporting serious privacy breaches
Privacy Act changes come into effect on 1 December 2020, and under the new Act, businesses will need to report serious privacy breaches.
A privacy breach is any unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information, or an action that prevents the holder from accessing the information.
Not all breaches will need to be reported; only those that cause serious harm. Determining whether a breach has caused or might cause serious harm will be a case-by-case assessment, taking into account things such as whether very sensitive information was disclosed, whether it went to a large number of recipients, and the nature of the harm that might result.
If a business has a privacy breach that it believes has caused or could cause serious harm, it will need to notify the Office of the Privacy Commissioner and the affected person or people as soon as possible (see the Office of the Privacy Commissioner's Data breaches guidance). Failure to inform the Privacy Commissioner about a notifiable privacy breach will be an offence.
Time for a review!
Now is the time to get ready for the new Act, ahead of 1 December 2020.
Talk to your staff about what to do in the event of a serious data breach. Work through various scenarios together so everyone is aware of the steps they should take.
60 per cent of complaints to the Office of the Privacy Commissioner are from people denied access to their information. If a customer or employee requests their information, you are required to respond to that request within 20 working days. Make sure you have a process in place to handle customer requests for information held about them if, and when, they are made.
Here are 7 practical things you can start doing to get ready now:
- Review and update your privacy policies to make sure they align with the new Act, clearly telling clients and customers what personal information you will obtain and how it will be used. The Office of the Privacy Commissioner's Priv-o-matic tool can help you draft a policy.
- Appoint a privacy officer. Every business should have a privacy officer, according to the Privacy Act. This is someone who has a general understanding of the Act and can deal with privacy issues when they arise.
- Start training staff now, and make sure you have a few key people who are really up to speed on the changes (including your privacy officer/s). The Office of the Privacy Commissioner has online eLearning modules that you and your staff can go through to become more familiar with your legal privacy responsibilities. The Privacy ABC and Privacy 101 modules are quick and easy introductions to the Privacy Act.
- Make sure everybody knows who to approach about privacy issues – within each office, and/or at a regional or national level.
- Make sure your procedures for detecting, reporting, and investigating privacy breaches are robust – how will you know if a breach occurs, and, if it does, what will you do?
- Make sure you hold and use personal information in a safe and secure way, and dispose of it securely when you have finished with it.
- If you use an overseas-based service provider, like cloud software, ask the provider how they’re meeting New Zealand privacy laws.
We are ready to help you. For advice and help with compliance, contact Steve Newby by email at firstname.lastname@example.org or call 0212621035.