A New Zealand Member of Parliament (MP) recently got in hot water for releasing to the media sensitive health information about COVID-19 patients. Just how the MP got access to this information is still unclear, but it’s fair to say New Zealand’s data protection and privacy laws have been in need of an overhaul for a while.
On 1 December 2020, a new data protection and privacy law, the Privacy Act 2020, came into effect in New Zealand. Here I set out:
-Parts of the privacy law that remain the same;
-The changes in the new Act;
-What impact this should have on organizational data hygiene practices, including preparation for Discovery proceedings.
The new Act contains a range of amendments to old legislation. In common with prior legislation (and similar to Australia’s Privacy Act 1988), the new Act sets out key principles that apply to “agencies” (a range of eligible New Zealand businesses, public sector, and non-profit organizations) holding personal information, including:
-Collection for a lawful purpose;
-Rules relating to the source of information;
-Notification to be given where information is to be collected from the subject;
-Manner of collection of personal information;
-Storage and security of personal information;
-Access to personal information;
-Correction of personal information;
-Accuracy of personal information to be checked before use;
-Agency not to keep personal information for longer than necessary;
-Limits on use of personal information;
-Limits on disclosure of personal information;
-Rules on the use of unique identifiers.
While the principles stay, there is a range of changes that give the principles more legal ‘bite’:
-Mandatory notification to the authorities of privacy breaches (this reflects similar provisions in Australia and the European Union’s General Data Protection Regulation (‘GDPR’));
-Compliance notices can be issued requiring agencies to act as directed;
-Strengthened cross-border protections: If personal information is sent overseas, agencies will need to take reasonable steps to make sure that comparable protections are in place overseas;
-New criminal offences: It will be a crime to destroy documents containing personal information if a request has been made for it;
-Penalties for non-compliance increased.
Corporations in New Zealand will need to have data protection processes in place to account for the new law. Note that while the privacy principles generally allow for the use or disclosure of personal information as a requirement of court proceedings (i.e. including Discovery activities):
-Data destruction and recovery standards within organizations will need to account for both the possibility of court Discovery proceedings, and the new restriction on destroying personal information;
-Overseas corporations dealing with New Zealand personal information (such as SaaS providers based in the US) will need to make sure that they operate in accordance with the New Zealand privacy principles, while adhering to any requirements of Discovery proceedings.
New Zealand’s new Privacy Act 2020 is an important wake-up call for any eligible New Zealand business, or overseas business dealing with New Zealand personal information, to ensure that it is compliant with the requirements in this Act, as well as any potential legal proceedings.