According to a survey by Digital Identity New Zealand (DINZ) in 2019, 79 percent of New Zealanders were concerned about the protection of their identity and use of personal data by organisations. The updated Privacy Act 2020 comes into force in December, but do you know what it means for you and your business?
Aotearoa New Zealand has had a Privacy Act since 1993. It was introduced to promote and protect individual privacy; to establish principles on collection, use, and disclosure of information relating to individuals; and access by individuals to information held about them.
In the 27 years since the Act became law we have seen an explosion in the use of technology in the workplace and in the home, and with it the amount of information being requested by agencies to allow us to sign up to services and transact online.
Advances in technology mean that data can be stored in one part of the world and accessed from anywhere else on the planet provided you have a simple device and access to the internet.
Data is the new currency
Your data has huge value to organisations across the globe and people pay a lot of money to get access to it. Government is one of the biggest producers of data (and one of the few major producers that deliver data to the public free of charge).
Most major companies use the data they collect from their users to drive the insights that improve their services; or they take that data and sell it to a third party as advertising revenue (remember: always read the Terms and Conditions before signing up).
With this proliferation of data reservoirs across the world, countries have been putting measures into place to try to bring ownership and control of this data back to individuals. In 2018 the European Union introduced the General Data Protection Regulation (GDPR) and, closer to home, Australia’s privacy act was introduced in 1988 with significant amendments in 2013 and 2017.
The change in our own legislation this year is bringing us into line and making organisations, both here and overseas, more accountable for protecting your data, making it accessible to you upon request, only recording the information about you they need, and being transparent when there are data breaches that affect you and others.
The new act has clarified that businesses and organisations can only collect identifying information if it is necessary – if you don’t need it, don’t collect it.
Mandatory breach notifications have been introduced. Hacking attempts and cyber attacks are now commonplace, and there are a number of notable examples where organisations or businesses have accidentally lost customer information.
Under the new Act, if you have a serious privacy breach you must inform the Privacy Commissioner and those individuals affected by the breach. Failure to do so may result in some hefty penalties.
The new act is also more explicit around overseas organisations that conduct business in New Zealand. Think Facebook, Google, Apple, Microsoft etc.
If you are using a cloud-based provider to store your data, and there is a breach, they could be accountable under the new Privacy Act; however it would be up to the individual to notify the Privacy Commissioner.
It is imperative that organisations collecting and keeping data on individuals are safe and secure. If a breach occurs, it is up to the organisation to prove that it took all steps practicable to prevent the breach and to show what it is doing to prevent repeat occurrences.
This does not just relate to technology breaches: if you have someone in your place of work and you have another person’s details up on the screen, on your desk, or open to public view, this can be considered a breach.
Compliance steps
As a business, if you are holding data, it would pay to jump on to the Office of the Privacy Commissioner website https://elearning.privacy.org.nz/ where you will find a range of educational tools about the Privacy Act 2020. As a nation we have returned time and again to the touchpoint of identity as taonga, recognising that personal information is to be treasured and treated with dignity and respect.
Organisations which genuinely promote and respect individual and community information will be the success stories of the future. Speak to your legal and tech advisers to ensure that you understand all the implications and are ready to implement and be part of this digital change with minimal disruption to your business.