Members Area News Getting Ready for the Changes to the Privacy Act 2020

Getting Ready for the Changes to the Privacy Act 2020

22 October 2020

You will all be aware that the Privacy Act is changing, and the new law comes into force on 1 December 2020. 

Clubs should take the time to ensure they understand the changes to the act and how they will impact your club and how you store and handle membership information.  We also encourage clubs that haven't done so already to review the updated policy templates and application form templates that Clubs New Zealand has released over the last couple of months.

What are the major changes?

The Office for the Privacy Commissioner has released easy to read information sheets which cover the major changes coming into force,  these include:

Information sheet 1: Privacy Act 2020 changes
Information sheet 2: Breach notifications
Information sheet 3: Cross-border disclosure
Information sheet 4: Enforcement powers
Information sheet 5: Updated privacy principles
Information sheet 6: Access directions

Breach Notifications

If a business or organisation has a privacy breach that has caused serious harm to someone (or is likely to do so), it will need to notify the Office of the Privacy Commissioner as soon as possible. It is an offence to fail to notify the Privacy Commissioner of a notifiable privacy breach. Failure to notify could incur a fine of up to $10,000.

To support this new requirement the Office for the Privacy Commissioner has launched a new online tool NotifyUs enabling businesses and organisations to easily assess whether a privacy breach is notifiable.

The Office for the Privacy Commissioner has recommended that businesses take the time to look at NotifyUs prior to the act coming into force in order to become familiar with the process and the requirements.

https://privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/

What is serious harm?

The unwanted sharing, exposure or loss of access to people’s personal information may cause individuals or groups serious harm. Some information is more sensitive than others and therefore more likely to cause people serious harm.

Examples of serious harm include:

  • Physical harm or intimidation 
  • Financial fraud including unauthorised credit card transactions or credit fraud 
  • Family violence
  • Psychological, or emotional harm

Find out more about serious harm.

Cross Border Disclosure

The Privacy Act 2020 contains a new information privacy principle, principle 12, which sets rules around sending personal information to organisations or people outside of New Zealand. 

Principle 12 aims to ensure that personal information sent overseas is subject to privacy safeguards that are similar to those in New Zealand.

A business of organisation may send information to an overseas organisation to hold or process on their behalf as their “agent” (cloud storage).  This will not be treated as a disclosure under the privacy act.

A typical example of this is an overseas company providing cloud-based services for a New Zealand organisation. The New Zealand organisation will be responsible for ensuring that their agent – the overseas company – handles the information in accordance with the New Zealand Privacy Act.

Enforcement Powers

The Privacy Act 2020 gives the Privacy Commissioner greater powers to ensure businesses and organisations comply with their obligations. The two key new powers in the Act are access directions and compliance notices. The Act also introduces new offences and greater potential fines for those who commit them.

Access Directions: Principle 6 gives people the right to access their personal information. If a business or organisation refuses or fails to provide access to personal information in response to a principle 6 request without a proper basis, the Commissioner may now compel the agency to give this information to the individual concerned.

Compliance Notices: The Privacy Act 2020 allows the Commissioner to issue compliance notices to agencies that are not meeting their obligations under the Act. A compliance notice will require an agency to do something, or stop doing something, in order to comply with the Privacy Act.

Training

The Office of the Privacy Commissioner offers free online privacy education. Their e-learning modules can be accessed at elearning.privacy.org.nz

There is also useful information in the short YouTube video which can be viewed by clicking the image below;

For more information visit the Office of the Privacy Commissioner website https://www.privacy.org.nz/

Get your hands on the future

With the Clubs New Zealand App

Find out more