New Zealand’s new Privacy Bill seeks to upgrade the protection of private and personal information held by businesses.
As New Zealand considers a new Privacy Bill, ANZ businesses can expect some policy changes that are intended to strengthen the protection of private and personal information. The Bill is intended to update prior laws on the topic, modernise privacy regulations and align more closely with the European General Data Protection Regulation (GDPR) act.
When: The Privacy Bill is under consideration by the Parliament and is likely to become official law in 2020.
What: Privacy changes include the following:
- Businesses will be required to report any serious privacy breaches, especially those that carry a significant risk of harm (e.g leaked personal information that can be used for identity theft or published online). The affected parties and the Office of the Privacy Commissioner must be notified of the breach.
- NZ businesses that use overseas service providers, like cloud software services, will need to make sure their providers comply with New Zealand privacy laws.
- If someone requests personal information held by a business, the business is not allowed to delete or destroy the information in order to avoid providing it.
Why: The Government is revising New Zealand’s Privacy Act 1993 to make sure personal information is safeguarded in line with new technologies and modern business operations.
Who: All businesses that collect, store and use personal information about their employees and/or customers will need to ensure they comply with the updated privacy laws.
Among other amendments to the Bill, the Privacy Commissioner will be granted more authority, including the ability to issue compliance notices to organisations—as well as private employers—to take specific steps to comply with privacy law. They will also have the authority to approve or deny requests for access to personal information.
Nick’s perspective - What the proposed Privacy Bill means for businesses in NZ
The Bill will have a fair bit of an impact on data-driven companies in New Zealand. Here’s how those changes could affect your NZ company and your data policies:
- Overseas companies will need to comply with NZ law
The Bill intends to replicate some of the GDPR’s hefty reporting requirements and address some of the gaps that arise when working with international entities and platforms. CIO New Zealand noted that big tech companies have argued that they do not have to comply with New Zealand laws, especially when it comes to privacy. In May 2018, Facebook refused to co-operate with an investigation by the Commissioner after they pointed out that Facebook had breached the existing Privacy Act. Google declined to comply with New Zealand court-mandated suppression orders in May 2018, claiming that while Google New Zealand was bound by New Zealand laws, Google LLC was not because it is based in the US. The new Bill makes it very clear that offshore companies can no longer claim that New Zealand privacy laws do not apply to them.
- You need to know when a breach is serious enough to require reporting
The original wording of the Bill only required notification of a privacy breach to the Commissioner and affected individuals where it had caused, or was likely to cause, “harm”. Many argued that this threshold was too low, risking endless notifications of minor breaches and “notification fatigue”. It has since then recommended a new, more clearly defined threshold for what constitutes “serious harm”.
- You are liable for personal information stored in the cloud
If you use a cloud service provider, you’ll be accountable for all personal information stored or held on its servers, regardless of its actual location. Though that’s only if the provider does nothing more than store or process personal information. If they use or disclose that information for their own purposes, then they will also be accountable. It’s probably a good idea to check with your service providers if they are allowed to use or disclose the personal information you are storing with them for their own purposes, especially if they are based overseas.
- You must notify individuals about a privacy breach
Even if you’re using an overseas service provider, you would still be responsible for informing individuals of a notifiable privacy breach - regardless of who actually caused the breach.
Garth’s perspective - What data-driven organisations can do to comply with NZ’s new privacy laws
From a technology standpoint, the new Bill means NZ companies would need to thoroughly review their systems and policies to make sure they’re compliant. Depending on the size and complexity of the business, this can be a massive task. But it can be made somewhat manageable if they approach it with a plan in mind. Here’s what I would recommend:
- Conduct a content inventory
The first step is to fully understand what kind of data and content you have. What repositories does your company manage, what is the business purpose of the data, how long is it retained for, what controls govern its access and security and who consumes and utilises this data? On the surface, this appears to be a very simple exercise, but when working with organisations of every size, there are bound to be surprises!
- Leverage e-discovery practices and technologies already in place
Data security and privacy use cases including GDPR share a few similarities with e-discovery, where there is a need to identify relevant content, often relating to a specific individual or transaction, the scope of which can be difficult to judge. Refining search results, culling down to the essentials and reviewing are all part of the equation.
- Develop a plan for data minimisation
There are many reasons to follow strong retention management practices. Keeping everything forever is a strategy, but increasingly, not a good one. Data privacy laws are going to really make organisations question why they retain information and for what purpose. The larger the surface area, the greater the risk of a breach and the larger the opportunity for discoverable data during any investigations. Be systematic with your retention policies. Collaborate as necessary to create them, make sure they are consistently applied, and choose the right archive technology to enforce them.