Important Privacy law changes that have an impact on you

Changes have been made to the Privacy Act. If you collect, store or use personal information about your employees and/or customers, you will have new obligations.

The new Privacy Act took effect on 1 December 2020. The Privacy Act 2020 replaces the Privacy Act 1993.

The key change for most organisations under the new regime will be the requirement to report on serious privacy breaches. This measure means that if organisations have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties.

The key changes include:

  • Requirements to report privacy breaches: If an agency has a privacy breach that causes serious harm or is likely to do so, it must notify the people affected and the Commissioner.
  • Compliance notices: The Commissioner will be able to issue compliance notices to require an agency to do something, or stop doing something.
  • Decisions on access requests: The Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.
  • Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by comparable privacy standards. The Act also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws.
  • Class actions: The Act permits class actions in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings.
  • New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it. The penalty will be a fine of up to $10,000.
  • Strengthening the Privacy Commissioner’s information-gathering power: The Commissioner will be able to shorten the timeframe in which an agency must comply with investigations, and the penalty for non-compliance will be increased from $2,000 to $10,000.

For further information visit the website

This new law further reinforces the criticality of having tight, up-to-date cyber protection measures in place.

Read our recent “Your Business is at Risk” article or call Greg to discuss our Security Assessment.