What to expect when you're collecting: Privacy Act 2020

Dentons

After much anticipation, the Privacy Bill has passed its third and final reading and is set to be signed into law, with a commencement date for most provisions of 1 December 2020.

We’ve published numerous articles on the Bill’s journey and the general outlook for privacy law in New Zealand, including information about what businesses will need to know to prepare for the new Act coming into force. You can read those articles here, here, and here.

Now that the new Act is set to come into force, it’s time for businesses to prepare for its commencement, including by taking the steps set out below:

  • Create a data breach plan: From 1 December 2020, your business will be expected to comply with the notifiable privacy breach regime. That regime will apply to a broad range of ‘breaches’, from information on physical files and accidental breaches, to an inability to access information. But while breaches can be difficult to predict, your response shouldn’t be. Now is the time to create a plan about how your business will assess, contain, and respond to breaches in a way that complies with the new Act. Chances are doing so will also bring to light some vulnerabilities in the way that your business handles personal information.
  • Check your cloud service provider agreements: The new Act explicitly clarifies that businesses that use cloud service providers to host personal information – including providers based offshore – will remain responsible for that personal information. As such, businesses should make sure that their service providers don’t inadvertently cause them to breach the new Act. A good place to start is to review the agreements your business has in place with such providers, to identify any gaps, and to implement robust diligence procedures to vet the technical and organisational measures any service provider has in place to protect the personal information which you entrust to them.
  • Sending information offshore?: If your business discloses information offshore for other businesses to use for their own purposes, from 1 December 2020 you’ll need to have a legal basis for doing so, even if the entity you are disclosing the information to is part of the same ‘group’ as your business. There are a number of grounds that you might be able to rely on, including grounds that are due to be clarified further by regulations. Now is the time to establish whether your business will need a legal basis for making a disclosure offshore, and what you might need to change.
  • Doing business in NZ: If your business is based overseas, but you deal with individuals in New Zealand, from 1 December 2020, you might be caught by the new Act – even if you don’t have a physical presence here. Now is the time to check whether you might be required to comply, and what that looks like practically for your business.
  • Time for a refresh?: While the new Act doesn’t introduce changes to what needs to be included in a privacy statement, now is an opportune time to review your existing practices. For many, it will have been some time since you checked that your statements align with the reality of the way your business collects, uses, stores, and discloses information. And with the Privacy Commissioner’s increased investigatory and enforcement powers introduced by the new Act, it makes sense to make sure your privacy policies are up to date, transparent, and accurate, and your staff have all had appropriate training.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
