Privacy concerns all of us in everyday life. Whether it be the songs you sing to in the shower, how any times you have looked at an ex’s Facebook profile, or how much money you spent online shopping over lockdown. However, that is not the type of privacy the law is generally concerned with.
The new Privacy Act, enacted in late 2020, has been put in place to protect your rights and information in a world where technology is advancing rapidly and globalisation means the ability to connect our data exponentially.
The previous legislation was contained in the Privacy Act 1993. That Act was introduced at a time where the internet was relatively new and generally less accessible, money transfers were most commonly carried out in person, and if you had a cellphone, it probably looked like a walkie-talkie.
We put more personal information out into the world now than we ever have before.
That can, for instance, be through the personal information we provide to dozens of companies online, and information we have disclosed or have held about us by agencies such as health providers, clubs or Government agencies.
The new law aims to better strengthen privacy protection. The key principals in the Act are summarised here.
Agencies must now have good reason for obtaining personal information. They can only collect and store personal information about individuals if it is for a lawful purpose and the information is necessary for that purpose.
Further, agencies must not keep information for longer than is necessary. The less identifying information agencies have, the smaller the chance a breach of privacy will cause you serious harm.
The new Act enforces that agencies should tell the person involved why the information is being obtained, who will receive it and, if disclosing the information is voluntary or not.
So, the next time you are filling out forms for private agencies, have a think… does my supermarket need to know my date of birth? Should I save my bank details to my ASOS account? Also, if you are a business owner, you may need to review your policies on collecting and holding information about clients.
Before the 2020 Act, it was not mandatory for breaches of privacy to be notified by the person responsible – it was merely encouraged. Not knowing that your privacy has been breached could expose you to potential harm.
You could be vulnerable personally if your health records, credit card details or personal identifying information are in the wrong hands.
Now the Privacy Commissioner and affected people need to be told about a breach that could cause serious harm.
The requirement to inform is designed to assist those whose privacy has been breached to take steps to protect their information, such as through changing passwords or trying to contain the information from spreading.
If your business is responsible for a breach of privacy relating to personal information, you need to do the following. Assess the level of potential harm. If the breach could cause serious harm to the individual involved, let the affected person and the Privacy Commissioner know as soon as possible.
Do everything you can to get that information back in cases where information may have been mistakenly sent to the wrong person, or made publicly available. Sending notification to the unintended recipient can help to get the information back with no consequences to the person affected.
Serious harm should be assessed by the sensitivity of the information, the nature of the potential harm, the recipient and any other relevant matters as defined in the Act. Fines of up to $10,000 can be issued for breaches that are not remedied correctly.
The bottom line for a business is that you should only obtain and keep necessary information for the purpose that you obtained it for. You must not store it for longer than necessary, and if you need to share information with others, consent needs to be granted by the individual involved.
You are entitled to access personal information held about you by an agency unless that information can harm you or someone else, such as a personal file also holding sensitive information about another individual. If an agency refuses to give this information, a complaint can be made to the Privacy Commissioner.
The standard for sending information overseas has also changed. If sending personal information overseas, an agency must ensure the information is only sent to countries with comparable laws, unless the consent of the individual concerned is first obtained. Additionally, overseas agencies that carry out business in New Zealand are subject to our privacy law.
The recent changes in our privacy law should give the public greater confidence that personal information shared will be securely held, without concern about potential misuse or harm arising.