What all businesses need to know about the updated Privacy Act
Dec 18, 2020
Anyone who collects, uses and stores personal information must follow new and existing rules under the Privacy Act 2020. The Act applies to every type of business, including freelancers and sole traders.
The Act has recently been updated to keep pace with technology and the changing ways we’re doing business.
First, let’s take a look at your existing Privacy Act obligations:
Under the Act you need to:
Only collect personal information needed for business reasons (we recommend reading this short article by MBIE for a definition of what personal information is).
Tell people what you collect, including if you use cookies on your website.
Store personal information safely and securely.
Only keep information while you need it or are legally allowed to keep it.
Respond to someone’s request for personal information within 20 working days.
Update or correct personal information as required.
What’s changing:
From Dec 1, 2020, businesses must also ensure they:
Do not destroy personal information if someone asks for information held about them.
Report serious privacy breaches.
Check that personal information shared with overseas companies has protection similar to that in New Zealand (this does not apply to offshore cloud-based providers, so long as the agent or cloud provider is not using that information for any of its own purposes). The Office of the Privacy Commissioner has more in-depth information here.
The updated Act also gives the Privacy Commissioner greater powers. These include:
Ordering a business to give a person their personal information, and
Issuing a compliance notice if a business fails to comply with the Act.
Your Privacy Act checklist:
Decide who in your business will take the lead on privacy-related matters. There are free online training modules on the Privacy Commissioner’s website.
Consider how you store personal information, how secure it is and whether you would be able to respond to an information request within 20 working days.
Talk with your staff about what to do if there is a serious privacy breach and what steps should be taken. Remember, serious breaches MUST be reported to the Privacy Commissioner.
Check your website’s Privacy Statement is up to date – this should tell people how you collect and use personal information. If you don’t have one, you can use this free online Privacy Statement Generator provided by the Privacy Commissioner.
To make enquiries about your specific circumstances, you can contact the Office of the Privacy Commissioner.
The information in this article is provided to summarise this topic and is of a general nature. If you have any questions, please get in touch.