A quick-fire download with Privacy Commissioner John Edwards on the changes to the Privacy Act coming into effect on 1 December, and what they mean for the retail industry.
What do business owners need to know about the Privacy Act changes coming into effect, and how will they affect their organisations?
Business owners will need to be aware that if they experience a privacy breach – which means they lose control of personal information in a way that could cause some serious harm to someone – they will be obliged to notify the individual and to notify my office, and a failure to notify a serious privacy breach could be prosecuted and punished with a fine of up to $10,000.
For business owners, how can getting privacy right in their business help them enhance their reputation and brand to their customers?
Our data from a recent UMR survey that we undertake every two years shows that consumers are very concerned about personal information and privacy, and are worried about businesses’ ability to preserve it. So it is probably more commonly expressed in the negative. If they get it wrong, they may lose customers, and their brand reputation may suffer. Increasingly, we are seeing businesses making a virtue out of their privacy practices and trying to entice customers with those sorts of assurances that their personal information is safe and not misused.
How will the Privacy Commissioner ensure that the personal information of New Zealanders is protected?
We will be taking a more active approach in our enforcement of the law and using new powers that Parliament have given us to raise the standard of compliance with the Act. We will be able to issue compliance notices to any business that we believe is not meeting its obligations under the Act, and a compliance notice can require an agency to do something that it ought to be doing, or require that the agency stop doing something which it shouldn’t be doing.
A new principle, Principle 12, sets rules around sending personal information to organisations or people outside of New Zealand. What do businesses need to know about this?
Businesses will need to think about where they are sending information that’s going outside of New Zealand, and how it’s going to be used in that jurisdiction. If it’s going to be used by an agency for some purpose other than simply processing on behalf of the New Zealand Embassy, they’ll need to be satisfied that the information is protected by comparable privacy laws to New Zealand. So that means that they may have to make some enquiries about the laws that apply in that destination’s jurisdiction, or use standard contractual clauses which we have developed and make sure that those travel with the information so that New Zealanders’ information is protected in that other jurisdiction.
If an organisation has a privacy breach that causes serious harm or is likely to do so, what must it do?
Under the law it will have to notify the affected individuals, and it will have to notify my office. But there are a number of other steps we would expect it to take, such as trying to understand what has happened, trying to mitigate the harm, trying to retrieve the information and prevent it from being misused.
There will be a maximum $10,000 fine for companies who do not comply with compliance orders or who destroy documents containing personal information if a request has been made for it. Is there anything else to be aware of?
There are new criminal offences as well, such as if somebody asks for their own information and the organisation responds to that request by destroying their information, that will be a criminal offence, and that will also be subject to fines of up to $10,000.
With the newly clarified Privacy Principle 4, how can organisations ensure the way they collect information from children and young people is fair?
They really just need to pay extra attention when they are collecting personal information from children or young people and ask themselves ‘is this a reasonable way to go about things, given the age of this child?’
Will businesses have to incur any costs in line with these changes?
We are hoping that these changes won’t add to the costs of business, and we have invested in training material which is available for free on our website. We have tools like a notification tool on our website that makes it easy for businesses to meet their obligations to notify breaches and we have commissioned model contract clauses for exporting personal information. They will be available without cost to the industry. So we’re really trying to ensure that New Zealanders get the benefit of these changes, without businesses having to incur unnecessary costs.
For more information, head to privacy.org.nz