A guide to the updated Privacy Act and the workplace
25 November 2020
In 1993, we used the internet to communicate only one per cent of all the data flowing through our telecommunication systems. Today, vast amounts of data, including our personal information, are shared across digital networks. Can you imagine lasting a day without going online to use, access, or share information? It’s fair to say, a lot has changed since 1993. But one thing that hadn’t changed was New Zealand’s privacy laws – until now.
On 1 December 2020, the Privacy Act 2020 (the Act) will come into force. The Act aims to protect personal information in line with the modern and technology-driven ways that we live and work and replaces the existing Privacy Act 1993. Here, we point out the fundamental privacy law changes that will impact the workplace, and what you can do as an employer to protect your people from the risk of a privacy breach.
The Privacy Act 2020 and the workplace
The new Act will introduce a new principle, compulsory reporting of privacy breaches, and the possibility of new penalties. These changes highlight the importance of workplace compliance with privacy laws, especially when collecting, storing and using employees’ personal information or data belonging to the people you do business with. Some of the most significant changes to be aware of as a business owner or manager are summarised below:
- If your organisation has a serious privacy breach, you must notify the Privacy Commissioner and all affected parties as soon as possible.
- The Privacy Commissioner can issue compliance notices that require your business to act, or to stop acting, in a particular way.
- The Privacy Commissioner can now make a formal decision on complaints relating to access to information, which will speed up the dispute process.
- It’s now a criminal offence to mislead an organisation to obtain information, for example by impersonating someone or pretending to have their authority to gain access to information. You can also be convicted under the privacy law if you destroy someone’s information when they have requested it from you.
- A New Zealand business may only disclose information to an overseas agency if that agency has a similar level of information protection to NZ, or if the individual fully understands and authorises the release of that information.
- The New Zealand Privacy Act now applies overseas, meaning that overseas entities, including businesses such as Facebook, Google, and LinkedIn, must know about and comply with New Zealand privacy laws when dealing with New Zealand information.
- There are greater protections in place when collecting information from young people who may not fully understand how you might use their data.
Getting your workplace ready for the new privacy laws
There are several actions you can take to get your business up to speed with the Act and reduce the risk of a privacy breach in your workplace, including:
1. Get in touch with your cloud-based service providers
A new privacy principle has been added to the law to regulate the disclosure of information overseas. Your business needs to ensure that any overseas person, entity or service provider you share private information with is meeting the expectations set out for overseas disclosure and handling of data. Importantly, sending personal details to a cloud-based service provider isn’t treated as a “disclosure”. However, you should ensure your service provider handles personal data in compliance with New Zealand’s current privacy laws.
There are at least three key questions you should be asking:
- Where (physically) are the servers (and backups) of the organisation holding the data?
- What security protocols and backups are in place?
- What are the privacy laws of that country and the privacy standards of that organisation?
2. Check how your business collects personal data
Ensure that any personal information you collect is needed and provided voluntarily. Ask yourself questions like: “Why is this information being collected?”, “Who is it for?”. Suppose you require an employee to provide information during an investigation. In this case, your employee needs to voluntarily provide this to you with a full understanding of why, who will see it, and the consequences of not providing it.
3. Educate your people on the changes
A powerful way to reduce the risk of a privacy breach or non-compliance with the Act is by talking to your people about the new privacy obligations. You can educate your people on the new expectations around handling personal information to help ensure consistent compliance across your business. You can equip your people to report any serious privacy breach quickly and protect your business by working through different problems and scenarios.
4. Make sure employee documentation is secure and accessible only to those with permission
Now is a great time to review your record-keeping and document management systems to ensure that all personal information you collect is securely stored, and that the only people who can access it are the people who need to be able to access it – this includes the owner of the information (when they request it).
5. Designate a staff member to the role of the privacy officer
A privacy officer is someone in your business who knows the law and can be the first point of contact in the event of any potential privacy issue.
6. Refresh your workplace privacy policies
enableHR contains all the up-to-date HR policy templates your business needs to comply with current employment laws, including the upcoming Privacy Act 2020. If you’re already a client, make sure you jump into your account and update these before 1 December 2020.
At enableHR, we know that keeping up with changing legislation can be a challenge – especially when you’re trying to manage and grow your business. We hope this guide on the Privacy Act 2020 has helped make getting your workplace ready for the new laws easier. If you have any questions about the information in this article, please contact the enableHR team.