A raft of new privacy laws come into force today to better protect New Zealanders and their information.
Under the Privacy Act 2020 businesses and organisations must handle personal information more carefully and the Privacy Commissioner now has greater powers to ensure they are following the rules.
Privacy Commissioner John Edwards told Morning Report it might surprise people that previously he previously did not have effective ability to enforce the Act.
"If they lose control of personal information in a way that could cause serious harm, they will be under a legal duty to notify the affected individuals and to notify my office.
"A failure to do so is a criminal offence and is punishable by a fine of up to $10,000."
"It's going to take a little bit of getting used to" - Privacy Commissioner John Edwards
The commissioner can also issue compliance notices to require information holders to do something, or make them stop doing it in accordance with the Privacy Act.
"Those notices if not observed can be enforced through the Human Rights Tribunal, and again with a penalty of up to $10,000 for a failure to comply."
Key changes in the Act include:
- reporting immediately to the office of the commissioner and affected individuals as soon as a privacy breach that may cause serious harm has occurred
- New criminal offences that can result in a fine of up to $10,000 for misleading individuals to access information or destroying information while knowing it has a request for access
- Compliance notices can be issued to require information holders to do something, or make them stop to comply with the Act
- Under a new privacy principle, an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act 2020
- The Privacy Commissioner will be able to direct an organisation or business to confirm whether they hold personal information about an individual and to provide the individual with access to that information
- An overseas business or organisation that is 'carrying on business' in New Zealand will be subject to the Act's obligations, even if it does not have a physical presence here
Edwards said businesses would not notice a difference if they were already good stewards of personal information, but resources were available on the privacy commission's website to help people understand their obligations.
"It's going to take a little bit of getting used to and particularly learning that threshold - how do you know if your information causes or could cause serious harm [if privacy is breached]?
"We'll be focusing on education, helping agencies to understand their obligations. We built a tool on our website, it's called NotifyUs, and that should help agencies make that judgement about how serious that thing is and whether they need to notify us."
He said New Zealand sat around in the middle range among privacy regulations in the world.
"This setting that we've got now was recommended by the law commission back in 2011.
"They thought about giving the commissioner powers to issue significant fines like my colleagues in Europe have, and thought 'well we'll see what he can do with compliance notices first'. So we'll make the best of these regulatory measures and assess that in a couple of years and see whether it's changed the behaviour out there in the economy."
The pandemic had also ramped up collection of personal information, Edwards said.