If you collect, store or use personal information about employees and/or customers, it’s important to:
check your business meets existing privacy requirements
get ready for the law change.
Here’s what you need to know and do to keep people’s information safe and secure.
When: From 1 December 2020 What: Changes to the Privacy Act mean businesses must:
not destroy personal information if someone asks for information held about them
report serious privacy breaches
check personal information shared with overseas companies will have similar protection to New Zealand.
Overseas businesses operating in New Zealand must meet privacy requirements, including multi-nationals offering services like cloud software or social media. The revamped Act gives the Privacy Commissioner greater powers. This includes:
ordering a business to give a person their personal information
issuing a compliance notice if a business fails to comply with the Privacy Act.
So it’s a good idea to appoint a privacy officer, eg add privacy duties to a trusted employee’s existing role.
Why: The Privacy Act aims to keep people’s personal information safe and secure. The law updates reflect changes in technology and the ways business is done online and offline.
Privacy Act 2020 — Office of the Privacy Commissioner
What you need to do
Anyone who collects, uses and stores personal information must follow new and existing rules in the Privacy Act. This applies to all business types, including sole traders and freelancers/contractors. Common examples of personal information collected by businesses include:
photos of workers or customers used for marketing, eg flyers or social media posts.
To meet new requirements in the Privacy Act, here are some of your key responsibilities.
Decide who in your business will take the lead on privacy matters. This could be you, an office manager, or another trusted worker. This person will be your privacy officer, in addition to their current tasks.
This role involves:
a general understanding of how the Privacy Act relates to your business
checking personal information is collected responsibly and stored safely
making sure any issues or requests for personal information are handled promptly
handling privacy complaints made to your business, including working with the Office of the Privacy Commissioner (OPC) on any escalated complaints.
Learn about privacy requirements with free online training on the Privacy Commissioner website. Modules include:
Employment and privacy
Reporting privacy breaches
Privacy Act 2020
e-Learning — Office of the Privacy Commissioner
Requests for personal information
If someone asks for their personal information held by your business, you must respond within 20 working days. Most complaints to the Privacy Commissioner are from people denied access to their personal information.
You and/or your privacy officer should think about how the business stores and handles information:
Could you respond to a request within the time limit?
How do you store personal information?
How secure is it?
You must not delete personal information to avoid the request. This will be illegal in the revamped Privacy Act.
Talk with your staff about what to do if there’s a serious privacy breach. Work through various scenarios together, eg accidentally losing personal information vs cyber attack. This helps everyone knows the steps they should take.
An important new step is to report serious breaches to the Privacy Commissioner by phone, email or using the online tool Notify Us:
Enquiry form — Office of the Privacy Commissioner
Notify Us — Office of the Privacy Commissioner
Sharing information with overseas companies
Under the new Privacy Act, you may only share personal information with an overseas business if they meet New Zealand’s privacy requirements. This does not apply to overseas cloud-based services.
More guidance is being developed to help you understand these requirements.
In the meantime visit the Privacy Commissioner’s website for current guidance, and for contact information if you have questions.