What happened?
On 1 December 2020, the long-anticipated Privacy Act 2020 (Privacy Act) came into force in New Zealand. The Privacy Act significantly enhances New Zealand's privacy regime and introduces additional privacy obligations and compliance requirements. The extraterritorial scope of the Privacy Act is relevant to all organisations operating in New Zealand, regardless of where they are headquartered.
What's new?
Key changes include the following:
What is considered to be a data breach in New Zealand and how does it compare to other jurisdictions?
Similar to the existing Australian and EU privacy regimes, the Privacy Act introduces an obligation on organisations to notify the Office of the Privacy Commissioner (OPC) and affected individuals if a privacy breach has caused (or is likely to cause) serious harm to those individuals.
What makes the New Zealand scheme stand out from the rest, however, is the way the Act defines a "privacy breach".
The existing Australian and EU counterparts generally refer to unauthorised access, disclosure or loss of personal information. The Privacy Act goes one step further and also includes an action that prevents the agency from "accessing the information on either a temporary or permanent basis". This automatically brings ransomware incidents within the definition of "privacy breach", whereas under the existing Australian and EU regimes further investigation is required to assess whether personal information was accessed or exfiltrated as a result of the ransomware event.
These changes are a big shift from the previous voluntary reporting scheme that operated in New Zealand. Organisations will need to consider what steps and expertise they have in place to identify, respond to and manage data breaches. Our specialist cyber team (see contact details below) is available to discuss these steps with you, or to advise on any breach (or potential breach) more generally.
The Privacy Act compared
To summarise the similarities and key differences between the Australian, EU and New Zealand privacy regimes, below is a comparative snapshot of some of the key elements of each regime. The three regimes compared are: New Zealand – Privacy Act 2020; Australia – Privacy Act 1988 (Cth); European Union – General Data Protection Regulation (GDPR).

Who regulates these laws?
New Zealand: The Office of the Privacy Commissioner.
Australia: The Office of the Australian Information Commissioner.
European Union: The application of the GDPR is monitored by the relevant "supervisory authority" in each EU (and European Economic Area) member state, for example the United Kingdom's Information Commissioner's Office.

Who do these laws apply to?
New Zealand: Agencies, being any public or private sector organisation. Some exceptions exist, including for news media while gathering and reporting news.
Australia: APP entities, being agencies or organisations with an annual turnover of more than AUD 3 million, or which fall under the Privacy Act because of the type of services provided (e.g. health services).
European Union: Data controllers, being any natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data; and data processors, which process personal data on behalf of the controller.

Do these laws apply outside the country or jurisdiction's borders?

What rights do individuals have?
Individuals' rights generally include the right to:

What amounts to a reportable data breach?
A notifiable privacy breach occurs when there is an:

Reporting timeline
New Zealand: Agencies must notify the Privacy Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred.
Australia: APP entities have up to 30 days to carry out a reasonable and expeditious assessment (subject to some exceptions). Once an organisation determines that the breach is notifiable, the entity must notify the OAIC and individuals as soon as practicable (this is separate to the obligation to complete the assessment within the 30 days).
European Union: Controllers must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the personal data breach. There is no prescribed timeline for notifying individuals (required in high-risk cases); however, that notification must be made without undue delay.

Maximum penalty
New Zealand: NZD 10,000.
Australia: AUD 2.1 million (this is currently under review).
What do you need to do?
Organisations currently operating in New Zealand (or with plans to enter the market) must have an understanding of the Privacy Act and the impact that its obligations may have on their operations.
This includes mapping key data assets and implementing processes to maintain compliance and respond to a security incident or a privacy breach.
© Copyright 2006 – 2022 Law Business Research