April 19, 2024

    Understanding the New Zealand Privacy Act 2020 and Its Information Privacy Principles

    Explore the intricacies of the New Zealand Privacy Act 2020, its Information Privacy Principles, and their impact on businesses. Learn about compliance requirements, consumer rights, and enforcement mechanisms.

    What is the New Zealand Privacy Act 2020?

    The Privacy Act 2020 is New Zealand's legislation governing the collection, use, storage, and disclosure of personal information. It replaced the Privacy Act 1993 when it came into force on 1 December 2020, and it introduced several significant changes that strengthen privacy protections for individuals.

    While the core principles carry over from the 1993 Act, the 2020 Act strengthens individual privacy protections and brings New Zealand's rules closer to international standards. The key changes are:

    • Mandatory breach notification. An agency that suffers a privacy breach that has caused, or is likely to cause, serious harm must notify the Privacy Commissioner and the affected individuals as soon as practicable. This brings breaches into the open and allows quicker intervention.
    • Extraterritorial reach. An overseas organisation that carries on business in New Zealand must comply with the Act when handling personal information collected in the course of that business, whether or not it has a physical presence in the country.
    • Stronger individual rights, in particular the rights to access and correct personal information (Principles 6 and 7), backed by the Commissioner's new power to issue binding access directions.
    • A new Principle 12 restricting disclosure of personal information to overseas agencies unless the information will receive comparable protection, for example because the recipient is subject to the Act or to comparable privacy laws.
    • Greater enforcement powers for the Commissioner, including the power to investigate complaints, issue compliance notices, and make binding decisions on access requests.


    Is the NZ privacy law applicable to my business?

    The Privacy Act applies very broadly.

    In general, if your business collects personal information about individuals in New Zealand, then you likely need to comply with the Privacy Act.

    There are limited exceptions for personal or domestic use, but for most businesses that handle customer or employee data, the Act is likely relevant.

    Does your business collect personal information?

    Personal information is any information about an identifiable individual. It includes obvious identifiers such as names, addresses, email addresses and phone numbers, but also less obvious data such as opinions about a person, as long as the person can be identified.

    Do you deal with New Zealand residents?

    This applies even if your business is not physically located in New Zealand. As long as you're collecting information from individuals in New Zealand, the Privacy Act may apply.

    What is personal data under the New Zealand privacy law?

    Under New Zealand's Privacy Act of 2020, personal data is any information that relates to an identifiable individual.

    It's not just limited to things like names and addresses that directly identify someone. Even details that, when combined with other information, could pinpoint a specific person fall under the definition of personal data.

    For instance, information about your eye color, purchase history, or even your browsing habits on a website could be considered personal data if it can be linked back to you as an individual. The law recognizes that seemingly impersonal data, in the right context, can still be used to identify a person.

    This means that organizations operating in New Zealand, or handling the personal information of people in New Zealand, need to be mindful of this broad definition.

    The Act generally does not apply to an individual's personal or domestic affairs. That exception falls away, however, if the collection, use, or disclosure of the information would be highly offensive to a reasonable person.

    What are the New Zealand Privacy Act consumer rights?

    The Privacy Act is about giving people control over their personal information. As a business owner, understanding these rights is crucial. Here's a breakdown of what website visitors are entitled to, and where each entitlement comes from in the Act:

    1. Right to Know (Principle 3): Visitors have the right to be told how you collect, use, and disclose their personal information. In practice this means a clear, concise privacy policy on your website that explains:
    • What information you collect (e.g., names, email addresses, browsing behavior)
    • Why you collect it (e.g., to process orders, send newsletters, personalize the experience)
    • Who you might share it with (e.g., third-party service providers)
    • How long you retain it (e.g., until they unsubscribe, or for a specific business purpose)
    2. Right to Access (Principle 6): Visitors can request confirmation that you hold personal information about them and a copy of it. This lets them verify the data is accurate and that you are not holding anything unnecessary. Be prepared to handle these requests efficiently: the Act requires a response within 20 working days.
    3. Right to Correct (Principle 7): If a visitor finds errors in their personal information, they have the right to ask for it to be corrected, whether that is a typo in their name, an outdated address, or anything else that's inaccurate. Make sure you have a clear process for them to submit correction requests.
    4. Limits on use and disclosure (Principles 10 and 11): The Act does not contain a standalone "right to object" in the GDPR sense, but it restricts you to using and disclosing information for the purpose it was collected for (or a directly related purpose) unless an exception applies or the individual authorises it. A visitor who believes you are going beyond that can complain to you and then to the Privacy Commissioner. Providing clear opt-out mechanisms for marketing, and respecting them, keeps you on the right side of these principles.
    5. Limits on retention (Principle 9): The Act does not give individuals a standalone "right to erasure" or "right to be forgotten". Instead it obliges you not to keep personal information for longer than it is needed for the purpose it may lawfully be used for. When a visitor no longer uses your service or withdraws consent, you should delete their data unless you have another lawful purpose or a legal obligation to retain it.

    What is the Privacy Act request in New Zealand?

    The Privacy Act gives individuals the right to access and correct the personal information that organizations hold about them. A Privacy Act request is the formal way an individual exercises that right. They can ask an organization to:

    • Confirm whether it holds any personal information about them.
    • Provide access to, or a copy of, that information.
    • Correct any inaccuracies in the information, or attach a statement of correction if the organization declines to change it.

    The organization must respond within 20 working days, and if it refuses access it must give reasons. This ensures transparency and allows individuals to verify the information held about them, rectify mistakes, and, if the information is being misused, raise a complaint with the organization or the Privacy Commissioner.

    What are the Information Privacy Principles?

    New Zealand's Privacy Act of 2020 outlines 13 Information Privacy Principles (IPP) that govern how organizations collect, use, and disclose personal information. These principles are designed to protect individual privacy and ensure responsible information handling.

    We'll go through each principle and what it means for you.

    Principle 1: Purpose for collection

    You should make sure any personal information you collect is for a legitimate reason and absolutely necessary to achieve that goal. Don't ask for identifying details if they aren't essential for your purpose.

    Principle 2: Source of information - collection from the individual

    In most cases, it's best to collect personal information directly from the person it belongs to. This ensures they know what information you have and how you're using it. However, there are some situations where this might not be possible. Here's when it's okay to collect personal information from other sources:

    • If the person you're collecting information about gives you the go-ahead to get it from someone else
    • As long as collecting the information indirectly doesn't negatively impact the person's interests
    • If getting the information directly would reveal the purpose of collecting it before you're ready
    • Information that's already publicly available is fair to use, as long as it falls within the scope of public records

    Principle 3: What to tell the individual about collection

    When you collect personal information from your customers, you're responsible for making sure they understand what's happening to their data.

    • That information is being collected, and by whom: Name the agency collecting the information and the agency that will hold it.
    • The reason for collection: Be upfront about why you need their information. Are you processing orders, sending newsletters, or personalizing their experience?
    • Who will receive it: Will you share the information with third-party service providers? Explain who has access and for what purpose.
    • Voluntary vs. Compulsory: Is providing the information mandatory to use your service, or can they choose not to give it? If a law authorises or requires the collection, say which one.
    • The consequences of not providing information: Let users know what functionality or services they might miss out on if they choose not to share their data.
    • Their rights: Tell them they can access and correct the information you hold about them.

    There might be rare situations where informing users about data collection could be impractical or defeat the purpose. However, in most cases, transparency is key.

    Principle 4: Manner of collection

    Remember, you can only collect personal information from users in ways that are lawful, fair, and don't feel excessively intrusive. Be especially mindful when collecting information from children or young people.

    Principle 5: Storage and security of information

    The responsibility falls on you to have security safeguards that are reasonable in the circumstances to protect personal information against loss, and against access, use, modification, or disclosure that is not authorised. This includes limiting employee access to the information they need for their job. If you pass the information to a third party (for example, a hosting or payroll provider), you must also do everything reasonably within your power to prevent unauthorised use or disclosure by that party.

    Principle 6: Providing people access to their information

    You should be aware that people have the right to access the personal information you hold about them.

    While you usually need to provide it promptly, there are some exceptions. Valid reasons to refuse might include risk of harm to someone's safety, potential for serious harassment, hindering crime investigation, or breaching another's privacy.

    If you are unsure, consult a lawyer.

    Principle 7: Correction of personal information

    Remember, individuals have the right to request corrections to their personal information if they believe it's inaccurate.

    Even if you disagree with the requested change, you still have a responsibility. You must take reasonable steps to attach a statement of correction to the information.

    This ensures their perspective is documented alongside the disputed data.

    Principle 8: Ensure accuracy before using information

    Using or disclosing personal information requires some legwork on your end. You need to make sure the information is accurate, complete, relevant, current, and doesn't create a false impression. In simpler terms, double-check the data before you use it.

    Principle 9: Limits on retention of personal information

    Don't hold onto personal information longer than you need it. Once it's served its purpose, you should dispose of it securely.

    Principle 10: Use of personal information

    Personal information shouldn't be used for a different purpose than why you collected it in the first place.

    There are some exceptions, though. You can use it for a reason directly related to the original purpose, or if the person gives you their explicit permission.

    There are also some limited situations where it might be allowed, but it's best to consult with a lawyer if unsure.

    Principle 11: Disclosing personal information

    Sharing personal information has limits: you can only disclose it in particular situations. Some of the situations the Act allows are:

    • Disclosure was one of the purposes for which you collected the information, or is directly related to one of them.
    • The person has authorised the disclosure.
    • The information will be used only in a form in which the person cannot be identified, for example for statistical or research purposes.
    • Disclosure is necessary to prevent or lessen a serious threat to someone's life or health, or to public health or safety.
    • Disclosure is necessary to avoid prejudice to the maintenance of the law, or for proceedings before a court or tribunal.

    Remember, if you're unsure whether you can disclose information, it's always best to consult with a lawyer.

    Principle 12: Disclosure outside New Zealand

    You can only send personal information to someone overseas if the information will be adequately protected. Generally, it's okay if:

    • The receiving person already follows New Zealand privacy rules because they do business in NZ
    • Privacy in the other country is just as strong, and they have similar privacy laws
    • The receiving person has agreed to adequately protect the information

    Otherwise, you'll need the person's direct permission to send their data overseas. 

    Principle 13: Unique identifiers

    Unique identifiers, like driver's license numbers, need special handling. You can only create your own unique identifier system for a specific business need. In general, avoid using the same identifier assigned by another organization.

    Most importantly, if you do use unique identifiers, you must take steps to minimize the risk of misuse, such as identity theft. This could involve strong security measures and limiting access to the information.
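    The identifier-handling pattern described above, as an added example that is not part of the original article: the agency mints its own opaque, random identifier for each person, and it never reuses or stores in the clear an identifier issued by another agency (here a driver licence number). To still detect "we already know this person", the external number is kept only as a keyed one-way fingerprint. The `PEPPER` key, the `NZ-DL` scheme label, and the `Registry` class are assumptions made for this illustration; in production the key would come from a secret store and be rotated under a documented procedure.

```python
import hashlib
import hmac
import uuid

# Constructed key for this example only; production code would load it from a
# secret store / KMS rather than embedding it in source.
PEPPER = b"example-pepper-do-not-use-in-production"


def mint_internal_id() -> str:
    """Assign an agency-specific identifier (IPP 13): random and meaningless,
    so it cannot be linked to another agency's identifier by inspection."""
    return str(uuid.uuid4())


def external_fingerprint(scheme: str, value: str, key: bytes = PEPPER) -> str:
    """Keyed one-way fingerprint of an identifier issued by another agency.

    Normalises the value (whitespace, case) so the same licence number always
    maps to the same fingerprint, then HMACs it so the raw number is never
    stored and cannot be brute-forced from the fingerprint without the key.
    """
    normalised = f"{scheme}:{value.strip().upper()}".encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class Registry:
    """Toy record store: external identifiers never enter the record itself."""

    def __init__(self) -> None:
        self._by_fingerprint: dict[str, str] = {}   # fingerprint -> internal id
        self._records: dict[str, dict] = {}         # internal id -> record

    def enrol(self, name: str, scheme: str, external_value: str) -> str:
        """Return the internal id for this person, creating one if unseen."""
        fp = external_fingerprint(scheme, external_value)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        internal = mint_internal_id()
        self._by_fingerprint[fp] = internal
        # The record holds only our own identifier; the licence number is absent.
        self._records[internal] = {"id": internal, "name": name}
        return internal

    def lookup_by_external(self, scheme: str, external_value: str):
        """Match an incoming external identifier without storing it."""
        return self._by_fingerprint.get(external_fingerprint(scheme, external_value))

    def public_view(self, internal: str) -> dict:
        """What an API response may expose: internal id and name only."""
        return dict(self._records[internal])


if __name__ == "__main__":
    reg = Registry()
    person = reg.enrol("Alice Example", "NZ-DL", "AB123456")   # constructed sample
    print(reg.public_view(person))
    print(reg.lookup_by_external("NZ-DL", " ab123456 ") == person)
```

    The design choice worth noting is that the lookup index and the record are separate structures: an attacker who dumps the records table gets names and random UUIDs, not licence numbers, and the fingerprint index is useless without the key. If the external identifier genuinely must be recoverable (for example to re-verify a licence), it belongs in a separately encrypted column with its own access controls, not in the main record.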


    How does the New Zealand Privacy Act of 2020 affect my privacy policy? 

    The Privacy Act strengthens privacy controls by requiring organizations to be upfront about how they handle personal information. This means you'll need to clearly explain in your privacy policy:

    • Why you collect data: Be transparent about the purpose behind collecting personal information.
    • Data sharing: Inform users if their data is shared with third parties.
    • Individual rights: Outline the rights individuals have under the law, such as accessing and correcting their information.

    If your business operates in New Zealand, revising your privacy policy to reflect these requirements is crucial.

    What opt-out methods are required?

    The Privacy Act itself does not mandate specific opt-out methods, and it does not contain a standalone right to object to direct marketing.

    What it does is require transparency (Principle 3) and confine use and disclosure to the purpose of collection or a directly related purpose (Principles 10 and 11). If you told people you would use their details to fulfil orders, using them for marketing is a different purpose that needs their authorisation, and an easy opt-out is the practical way to keep that authorisation meaningful. Separately, New Zealand's Unsolicited Electronic Messages Act 2007 requires commercial electronic messages to carry a functional unsubscribe facility, so an unsubscribe link is a legal requirement for marketing email, just not one that comes from the Privacy Act.

    Organizations should therefore still provide reasonable ways for users to opt out of unwanted communications. This aligns with the spirit of the Act and with best practice.

    Here are some common opt-out methods that comply with the Act's principles:

    • Unsubscribe Links: Include clear unsubscribe links in email marketing messages.
    • Preference Centers: Allow users to manage their communication preferences through a user account or preference center.
    • Contact Information: Provide clear contact information (email address, phone number) for users to request removal from mailing lists.

    Remember, the key is to make it easy for individuals to understand their rights and exercise them.

    Do we need a Data Protection Officer?

    Yes, the New Zealand Privacy Act of 2020 requires all agencies to appoint a privacy officer. This can be someone within the organization or someone hired specifically for the role.

    There are no specific qualifications mandated by the Act, but the officer should have a good understanding of the Act's privacy principles.

    Do we need to conduct Data Protection Assessments?

    The Privacy Act does not require formal assessments for every new project or system. In New Zealand these are usually called Privacy Impact Assessments (PIAs), and the Office of the Privacy Commissioner publishes guidance on them. They are not mandatory, but they are a practical way of showing that you took the steps the Act expects, such as collecting only what is necessary (Principle 1), putting reasonable safeguards in place (Principle 5), and checking overseas disclosures (Principle 12), before a system goes live.

    Does the New Zealand privacy law have rules for data transfers?

    Yes. Principle 12 of the Privacy Act 2020 sets specific rules for disclosing personal information to an agency outside New Zealand.

    You cannot simply send personal information anywhere. The recipient must be subject to the Act (because it carries on business in New Zealand), be in a country with comparable privacy safeguards, be part of a binding scheme or prescribed country recognised in regulations, or have agreed to protect the information in a comparable way; failing that, the individual must expressly authorise the disclosure after being told the protection may not be comparable.

    Also, the receiving organization needs to have measures in place to keep your information secure.

    The Privacy Commissioner can also issue a transfer prohibition notice to stop personal information that was received from another country from being transferred on to a third country that lacks adequate safeguards.

    How is the New Zealand Privacy Act 2020 enforced?

    The Office of the Privacy Commissioner (OPC) is the regulator for the Privacy Act. It issues guidance to individuals and organizations on their rights and obligations, investigates complaints from people who believe their information has been mishandled, monitors compliance, and advocates for stronger privacy protections. Its enforcement tools are compliance notices (requiring an agency to do, or stop doing, something), binding access directions ordering an agency to release information, and referral of unresolved complaints to the Human Rights Review Tribunal. The Commissioner cannot impose fines directly: fines for offences under the Act are imposed by a court.

    What happens if you breach the Privacy Act NZ?

    A breach of the Act can lead to a range of consequences, depending on its severity.

    Failing to notify the Privacy Commissioner of a notifiable privacy breach is an offence carrying a fine of up to NZD 10,000, as is misleading an agency to obtain someone else's information or destroying documents to frustrate an access request. Separately, individuals affected by an interference with their privacy can complain to the Privacy Commissioner and, if the matter is not resolved, take it to the Human Rights Review Tribunal, which can award damages against the organization.

    The Privacy Commissioner can also issue compliance notices requiring organizations to take specific actions to address the breach and improve their privacy practices.
