New Zealand’s new data privacy law, known as the Privacy Act 2020, came into effect on December 1, 2020, officially replacing the country’s 1993 Privacy Act. This new legislation puts New Zealand’s privacy law on par with those from a variety of countries around the world, such as Australia, China, Singapore, and the EU.
Specifically, New Zealand’s Privacy Act 2020 aims to tighten protections around consumer data by establishing 13 information privacy principles that govern how organizations can collect, store, use, and share data and by introducing clear rules for notifying individuals about data breaches. The law also strengthens enforcement mechanisms and increases penalties for non-compliance. As a result, every organization that operates in New Zealand must understand what’s required to maintain compliance.
Who is Subject to New Zealand’s Privacy Act 2020?
Any organization that collects, stores, or handles personal information about New Zealand residents is subject to the Privacy Act 2020. Importantly, the law has an extraterritorial scope, meaning it does not matter where the personal information is collected or held or where the individual is located if the subject of the data is a New Zealand resident.
Personal information is defined as any information about an identifiable individual, including information about them or information that might identify who they are.
The law defines two categories of organizations as well as a set of individuals who are subject to compliance:
- New Zealand agencies: Any organization based in New Zealand must comply with the Privacy Act 2020 in all instances.
- Overseas agencies: Any organization not based in New Zealand must comply with the Privacy Act 2020 when carrying on business in the country. Organizations can be considered as carrying on business in New Zealand even if they don’t have a physical presence in the country, don’t receive any monetary payment for goods or services, or don’t intend to make a profit from doing business in the country.
- Individuals: Any individual who is not a resident of New Zealand and who collects or stores personal information while in the country (regardless of where the individual who is the subject of that information is located) must comply with the Privacy Act 2020. However, there are some exemptions in the law (e.g. in the case of a notifiable privacy breach) for individuals holding information for personal or domestic purposes.
The law does grant several exceptions for compliance for the following groups:
- New Zealand government agencies, including the Governor-General, the House of Representatives, members of Parliament acting in their official capacity, and the Parliamentary Service Commission
- News entities carrying on news activities
- Overseas governments performing government functions
Finally, the Privacy Act 2020 only allows organizations to transfer personal information to another country if that country’s privacy laws are comparable to New Zealand’s. To determine whether or not data can be transferred, the law requires organizations to consider (1) whether or not the transfer is likely to affect individuals, (2) the general desirability of allowing for a flow of information between New Zealand and the other country, and (3) any existing or developing guidelines, such as the OECD or GDPR.
How Does New Zealand Enforce the Privacy Act 2020?
The Office of the Privacy Commissioner is responsible for enforcing the Privacy Act 2020. The Commissioner can investigate any instances of potential non-compliance, either following a complaint made to the Commissioner or on the Commissioner’s own initiative. The Commissioner can refer a complaint to another office (e.g. the Health and Disability Commissioner) if they believe it is better suited for that office’s jurisdiction.
Following an investigation, the Commissioner can issue a compliance notice that requires an organization to take action or stop doing certain activities in order to be in compliance with the Privacy Act 2020. The Commissioner can make these compliance notices public.
Instances of non-compliance, including not responding to requests for information from individuals and failing to notify the Commissioner about a serious privacy breach, are considered criminal offenses and can lead to fines of up to $10,000 NZD. Individuals affected by privacy breaches can also issue complaints to the Human Rights Review Tribunal, which can order the offending organization to pay damages to those individuals.
Finally, the Commissioner can provide advice to the New Zealand government and any organizations on the application of the Privacy Act 2020.
What Incident Response is Required Under the Privacy Act 2020?
The Privacy Act 2020 requires organizations to issue data breach notifications if they experience a privacy breach that is likely to cause serious harm to individuals.
What is a privacy breach?
New Zealand’s law defines a privacy breach as any:
- Unauthorized or accidental access to personal information
- Disclosure, alteration, loss, or destruction of personal information
- Action that prevents an organization from accessing information either on a temporary or a permanent basis
What is the standard for serious harm?
To determine if a privacy breach is likely to cause serious harm (and therefore meets the requirement for issuing a notification), organizations should consider:
- If personal information is involved
- Whether or not the personal information is sensitive in nature (examples of sensitive information include details about someone’s health, religious or political beliefs, and financial information)
- Who has obtained or may obtain the information as a result of the breach
- The nature of the harm that may be caused to affected individuals (e.g. reputational, discriminatory, physical, financial, emotional)
- Any action taken by the organization to reduce the risk of harm following the breach
- Whether or not the personal information is protected by a security measure, such as encryption or multi-factor authentication
The Commissioner offers an online survey to help organizations assess whether or not a privacy breach meets the standard for serious harm and requires notification under the Privacy Act 2020.
Who needs to be notified and when should the notification be issued?
Any organization that experiences a notifiable privacy breach must notify the Privacy Commissioner as well as the affected individuals. Organizations must issue these notifications as soon as practicable after becoming aware that the breach occurred.
How should organizations notify the Privacy Commissioner?
Organizations can notify the Privacy Commissioner about a data breach using the Commissioner’s “NotifyUs” tool. The Commissioner also offers a checklist of what information is required.
These notifications must include:
- Contact details for the organization and the person issuing the notification
- Timeline details about the breach, including when it occurred and when the organization discovered it
- Details about the breach, including how many people were affected, the type of personal information involved, and who might be in possession of the information
- Details about the harm that may be caused to affected individuals as a result of the breach
- Steps the organization has taken or intends to take to notify individuals
- Whether or not any other organizations were affected by the breach
- Whether or not the organization has notified any other agencies about the breach
How should organizations notify affected individuals?
Organizations must notify affected individuals directly by phone, letter, email, or in person if possible.
If notifying individuals directly could cause further harm, is too expensive, or is not possible due to a lack of contact information, then organizations can issue an indirect notice through information on their website, posted notices, or through the media.
These notifications must include:
- Details about the breach, including when it happened, the personal information involved, and who might be in possession of the information (however, it cannot include any particulars that could identify that person or agency, unless the organization believes that identification is necessary to prevent or lessen a serious threat to the life or health of individuals)
- Steps the organization has taken or intends to take in response to the breach
- Steps that affected individuals can take to mitigate or avoid potential harm
- A confirmation that the organization has notified the Commissioner of the breach
- A note that affected individuals have the right to make a complaint to the Commissioner
- Contact details for a person within the organization who can field inquiries
Importantly, notifications to affected individuals cannot include any particulars about any other affected individuals. To avoid delaying these notifications, organizations can share information with individuals in increments if it is not all available immediately.
What are the exceptions to issuing a notification?
There are certain exceptions that allow organizations to skip notifying individuals about a privacy breach or to delay issuing the notification.
Organizations are not required to notify affected individuals or give public notice if:
- They believe the notification would prejudice the security or defense of New Zealand, international relations of the New Zealand government, or the maintenance of the law (e.g. an ongoing investigation or the right to a fair trial)
- They believe the notification would endanger the safety of any person or reveal a trade secret
- The affected individual is under the age of 16, and they believe the notification would be contrary to their interests
- They consulted with the individual’s health practitioner (where practicable), and they believe the notification would be likely to prejudice the individual’s health
Organizations can delay notifying affected individuals or giving public notice if they believe the risks of issuing the notification may outweigh the benefits of informing affected individuals.
What Types of Incidents Require Notification Under the Privacy Act 2020?
Any privacy breach that meets the standard of creating serious risk for the individuals whose data is involved requires a notification under the Privacy Act 2020. Common examples of privacy breaches that can trigger a notification include:
Man in the Middle Attack
A man in the middle attack is a type of privacy breach in which a hacker intercepts a digital conversation by sitting in between the two parties involved. These types of attacks typically occur when one of the parties is communicating through an insecure public Wi-Fi connection. Regardless of how the hacker gains access, if they can sit in the middle of the conversation and gain access to the information being shared, they create a privacy breach that may lead to serious harm depending on the information involved.
Lost or Stolen Data
Any case in which the personal information an organization stores gets lost or stolen, regardless of whether or not the incident was an accident, could create a situation that qualifies as a notifiable privacy breach. In these cases, organizations will need to assess what data was involved and who might have access to the data, among other factors, to determine if there is a potential for serious harm to the individuals whose data is involved.
Exfiltration is involved in most cyber attacks, as it describes techniques that allow hackers to gain unauthorized access to data and then move that data to their own servers or devices. This theft can create serious harm depending on the personal information involved, which would create a notifiable privacy breach under the Privacy Act 2020.
How Can Organizations Prepare for Compliance with the Privacy Act 2020?
New Zealand’s Privacy Act 2020 requires organizations to appoint a privacy officer responsible for monitoring compliance with the law’s 13 information privacy principles, fielding requests made under the law, and working with the Commissioner on any investigations. Organizations can appoint someone internally or from an external partner to take on this role.
Proactively preparing for incident response is another important responsibility for an organization’s privacy officer. Delivering on this goal requires visibility into the organization’s practices for data collection and storage as well as the associated security measures, assigning responsibility for different parts of the security and incident response programs, and planning for what the organization will do when an incident occurs.
Specifically, organizations should prepare for three critical phases of incident response:
Privacy incidents are inevitable in today’s world, and that means organizations must be ready to respond when one occurs. This readiness includes developing a clear incident response plan so organizations can meet New Zealand’s standard of responding to a privacy breach as soon as practicable. To do so, organizations must:
- Review what’s required by the Privacy Act 2020, other relevant laws, and contracts
- Formally document an incident response plan that meets those requirements
Having a plan in place should enable organizations to respond immediately when an incident does occur. This quick response not only enables organizations to meet the timing requirements laid out in the Privacy Act 2020, but it can also help mitigate the costs associated with the incident. When an organization goes into response mode, they need to:
- Investigate the incident, including when and how it occurred, what data was affected, and whether or not the breach creates a risk of serious harm and therefore qualifies as a notifiable privacy breach in New Zealand
- Take action to reduce any risk for affected individuals and to correct any security issues that allowed the privacy breach to occur in the first place
- Notify the Commissioner and affected individuals (if required by the Privacy Act 2020) and issue any other notifications required by global privacy laws and contracts
Privacy incident response cannot be a set-it-and-forget-it activity. Rather, it requires ongoing attention to make sure that the program evolves alongside changing laws and emerging security threats. This type of ongoing management requires organizations to:
- Establish a single source of truth for all monitoring, reporting, and incident response plans through a centralized, easily accessible dashboard
- Maintain alignment from stakeholders on incident response plans to ensure everyone knows their responsibilities and is ready to take action when an incident occurs
How Does New Zealand’s Privacy Act 2020 Compare to the Australian Privacy Act?
The Privacy Act 2020 brings significant changes to data privacy in New Zealand. Nearby, Australia’s long-standing privacy law, the Australian Privacy Act, has recently gone through several amendments. Here’s a look at how the latest versions of the two laws compare:
- Introduction of privacy principles: Both the Australian Privacy Act and New Zealand’s Privacy Act 2020 introduce privacy principles that govern how organizations can collect, use, and store personal information and that grant certain rights to individuals. While there are some differences (for example, Australia restricts the use of personal information in direct marketing, while New Zealand does not), there is significant overlap in what’s covered in each country’s privacy principles.
- Notifiable privacy breaches: A 2017 amendment to the Australian Privacy Act and New Zealand’s Privacy Act 2020 both establish the concept of notifiable breaches. While there are slight differences between the two in terms of what qualifies as a notifiable breach, both laws invoke the standard of “serious harm.” Additionally, both laws require any organization that experiences a breach that meets this standard to notify the governing body overseeing enforcement of the privacy law and affected individuals by sharing specific information about the incident. Failure to do so in both countries can result in a fine for non-compliance.
- Extraterritorial scope: Both the Australian Privacy Act and New Zealand’s Privacy Act 2020 have an extraterritorial scope, meaning their reach extends beyond the country’s borders in specified instances. While New Zealand’s extraterritorial scope is broader than Australia’s, it’s important for every organization that does business in both countries to understand this application of each law.
- Distinction for sensitive information: The Australian Privacy Act distinguishes “sensitive information” as a special class of “personal information” with additional protections. It defines sensitive information as any data about race or ethnicity, political or religious beliefs, sexual orientation, criminal history, and health, genetic, and biometric information. New Zealand’s Privacy Act 2020 does not create a special class of data in this way.
- Treatment of employee records: The Australian Privacy Act does not cover employee records, even if they include personal information. New Zealand’s law makes no such exception, meaning that companies must adhere to the same guidelines for collecting, storing, and sharing their employee data as they do for their customer data.
- Penalties for non-compliance: The Australian Privacy Act carries penalties of up to AU$450,000 for individuals and AU$2.1 million for companies found not to be in compliance with the law. New Zealand’s law carries a much lower penalty, with a maximum of $10,000 NZD per violation. However, individuals in New Zealand can also bring a suit through the Human Rights Review Tribunal, which can then award additional damages to those individuals – something that is not an option in Australia.
Making Proactive Incident Response a Priority
New Zealand’s Privacy Act 2020 is one of many examples of new privacy laws popping up around the world. Ongoing guidance from New Zealand’s Privacy Commissioner, continued changes to laws around the world, and the overall inevitability of privacy breaches make it essential for organizations to prioritize proactive incident response.
Making proactive incident response a priority can not only help organizations stay compliant with laws like New Zealand’s Privacy Act, but it can also enable them to respond faster and more confidently to any incidents that occur. In turn, this type of response can help reduce potential penalties and maintain customer trust.
Realizing this goal requires staying up to date on global regulations like New Zealand’s Privacy Act 2020, assigning responsibility for security and response efforts, establishing clear incident response plans that can be put into action at a moment’s notice, and regularly revisiting those plans as regulations, security threats, and contracts evolve.