NEW ZEALAND: Privacy Law Update: New collection, rejection, and correction requirements – are you ready?

Disputes, Liabilities, Case Law
  • James MeagerSimpson Grierson
  • Matthew AustinSimpson Grierson

This is the last of four briefings to help you and your organisation prepare.

A major overhaul of New Zealand’s privacy laws is underway and you need to be ready when it comes into force (currently expected to be in mid-2020).

This is the last of four briefings to help you and your organisation prepare.

Policy compliance checklist

Are you reform ready – have you got the right policies to deal with all changes big and small?

Our previous briefings in this series have highlighted what we see are the major updates to New Zealand’s privacy laws: mandatory reporting requirementscross-border data exchange, and new powers to issue compliance notice. As well as these major changes, the Bill will introduce a range of other new provisions which are still important to be aware of and complied with.

Matters to think about

  • The new Act will discourage collection unless it is needed for a lawful purpose. Is it absolutely necessary to require individuals to provide all of the identifying information you currently collect?
  • There is a new emphasis on protection for children and young persons – when collecting personal information from children and young persons, you will be required to take into account their vulnerability. Will this require a modification to your practices?
  • The new Act expressly provides that an agency’s privacy officer can be someone external to the agency. If you do not have the internal resources or skills to fill this role, it may be helpful to appoint an external expert to meet the Act’s requirements, or to support your internal privacy person – the Act contemplates an agency having more than one privacy officer. You may benefit from an individual who has a degree of separation from your core business and who offers a fresh pair of eyes on issues of privacy.
  • There will be new criminal offences relating to misleading an agency to obtain access to another person’s personal information and destroying documents knowing they are subject to an information privacy request. These offences carry convictions and fines of up to $10,000. Do your internal policies make it clear that your personnel do not do anything that might result in one of these offences?

Some of the above will be able to be accommodated by refreshing your existing privacy policies, but some may require a change to your organisation’s practices. For example:

  • Website interfaces which collect extraneous customer information may need to be modified.
  • You may need to apply different collection thresholds depending on the age of an individual.
  • Smaller organisations might benefit from pooling resources and appointing an external privacy officer who can be responsible for a number of organisations.

Being aware of and prepared for the incoming changes, big and small, will be important as non-compliance with the new requirements may be costly, both financially, and to your organisation’s reputation. The prospect of increased fines, new criminal offences and reputational damage makes it vital for you to take a proactive approach to your organisation’s stance on privacy compliance.

Get in touch / Upcoming workshops

Reviewing and implementing new privacy policies can be a complex and confusing process. Please contact our privacy law specialists if your organisation needs help to get ahead of the new Act’s commencement. Simpson Grierson are also running workshops in both Auckland and Wellington in early 2020 to help organisations get to grips with the new privacy regime. Email us here if you are interested in attending.

Privacy Bill progress update

The second reading of the Privacy Bill indicated a commencement date of 1 March 2020, however we anticipate a six-month transition period from when the Act is passed to allow organisations to adjust their administrative systems and business processes. At this point in time, the earliest possible commencement date is July 2020. See also the latest comment from the Office of the Privacy Commissioner on the likely timing of enactment: https://www.privacy.org.nz/blog/privacy-act-2-0-series/.