Privacy Act 2020
The Privacy Act 2020 will come into effect on 1 December 2020. The changes are being made to make sure that the legislation is in line with new technology and the way that businesses now operate.
The changes include:
- mandatory reporting to the Privacy Commissioner and affected individuals of privacy breaches, where the breach has caused or is likely to cause serious harm. When considering if the breach is notifiable, consider the following:
- Is the information sensitive in nature?
- The nature of harm caused
- Who obtained or may obtain the information as result of the breach?
- Any action taken by the agency to reduce harm
- Whether the information is protected by security measures; and
- Any other relevant matters
- You must also advise the Office of the Privacy Commission as soon as practicable after becoming aware of a notifiable breach either by email, phone or using their online form
- If a business receives a request for personal information, the business cannot destroy the information in order to avoid providing it.
- Where NZ businesses use overseas service providers e.g. cloud storage, the NZ business is treated as holding the personal information stored with the overseas provider, which means the NZ business remains responsible for complying with the privacy principles in respect of that information.
- Agencies will be required to take into account the vulnerability of children and young people when collecting personal information from them. In an amendment to Privacy Principle 4 (which sets out how personal information should be collected).
Health professionals have to follow the rules in the Health Information Privacy Code 1994 dealing with how they collect people’s information and when they can release it to other people. This Privacy Code also specifically protects an individual’s rights to have access to their own health information. The HIPC overlaps with the privacy rights contained in the Privacy Act.
What you will need to do:
- Have a good understanding of the information you collect and how its used. Know what personal information is collected, where you get it from, how it is used and who you share it with. If any of your data is transferred overseas (e.g. cloud computing) you will need to include third parties that you cooperate with.
If the personal information is only stored or processed overseas on your behalf and isn’t used by the overseas agency, then this isn’t classified as a disclosure, and under the Bill you will remain legally responsible for how your provider treats that information including in relation to privacy breaches.
- Introduce a data breach policy – under the new legislation you will be required to notify the Privacy Commissioner and potentially affected individuals of certain privacy breaches, where the breach caused or is likely to cause serious harm. Failure to do so could result in fines of up to $10,000. Your privacy breach policy should include
- The requirement that breaches are reported immediately to the Privacy officer and management
- Determines the criteria for notification
- Lists the information the breach notice should contain, timeframes for investigation, notification and who will send the data breach notice
- The introduction of Information Privacy Principle 12 under the Bill requires businesses to ensure that personal information being disclosed outside on NZ is protected by privacy safeguards that are close or comparable to New Zealand’s. The simplest way to do this may be a written agreement that requires the recipient to protect personal information as though the overseas recipient was subject to NZ law.
- Undertake training with your staff about your process to follow in the event of a serious privacy breach
- Make sure that you and your staff are aware of how to respond to requests for personal information
- Make sure that all personal information is stored securely and disposed securely when you have finished with it.
- If you are using an overseas based agency e.g. IT service provider for cloud computing, ask them how they are meeting NZ privacy laws. A change to the Act means that you must have reasonable grounds to believe the person overseas complies with the Privacy Act or an equivalent law safeguarding privacy.
- Appoint a Privacy Officer , this is a requirement under the Privacy Act and ensure their training is up to date. Alternatively you can outsource or share this role with a specialist privacy consultant.
- Review your Privacy Statement are you sure that:
- You only collect identifiable personal information where it is necessary to do so?
- Your privacy statement is easily read and understood?
- Your privacy statement is clear and there is nothing within it that requires more prominence?
- If required use the Privacy Commission on-line learning
Remember the same principles apply to your employee’s information.
Other recent articles
9 December 2020
2020 will be a year that will be hard to forget. We acknowledge that it has been a very tough year for many of our subscribers and we hope that you will take the opportunity to find the time for rest and relaxation and look forward to a great 2021. We will be taking some time off and will have limited availability over the Christmas New Year period. Normal hours will resume from Tues 5th January but you can still email us at email@example.com over the holiday period or call 0800 800 627 during usual business hours. Our best wishes to you all for a safe, happy holiday season. Fiona, Chris, and Shaun
8 December 2020
You may be looking at recruitment pre-Christmas or in the New Year so with that in mind we look at the induction process for new staff. December is a busy month for practice managers as new staff are hired and introduced to the practice.
3 November 2020
When we talk about the impact of the COVID-19 pandemic, we tend to think about the health or economic impacts. Less well understood are the opportunities that have opened up for cyber crime, as major global economies looked to move online almost overnight.
Join other practices already using HealthyPractice.Register now