A lot has changed since 1993.
Back then, people actually remembered their friends’ phone numbers and if they wanted to find the answer to a question they would look in an encyclopedia, not on Google.
But we live in a different age now. Not only is the way we store and access information vastly different from than in the pre-internet era, but we also live far more of our lives online.
Despite the new digital landscape, however, New Zealand’s privacy laws have not been updated since they were passed 27 years ago.
But all that is changing on December 1 when the Privacy Act 2020 comes into effect.
The new regulations repeal and replace the Privacy Act of 1993, bringing stronger protections to personal information in the digital age.
The updated rules mean businesses and organisations will have new obligations for keeping personal information safe – including that of customers, clients and employees.
Although the new Act includes various important changes, "the most significant one that will affect business is mandatory breach notification," Privacy Commissioner John Edwards told Newshub.
"So if an organisation has a privacy breach – loses control of personal information and that could cause or has caused serious harm to that individual – they’ll have to let those people know and they’ll also have to notify my office."
Not only will such cases have to be reported to the Office of the Privacy Commissioner, but under the updated law Edwards and his team will also have more "enforcement tools" they can use to make sure organisations are behaving as they should be.
"Whereas in the past we mostly relied on individuals to make complaints and then show they’ve suffered some harm as a result, under the new law I will be able to issue compliance notices if I see organisations just not meeting their obligations under the Act, and I can enforce those in the Human Rights Review Tribunal," Edwards says.
Such compliance notices will lay out the steps that must be taken by the organisation or business as well as a deadline for doing so.
"And if they don’t comply, or if they don’t do what I’ve asked them to or stop doing what I’ve asked them to stop doing, they can be fined up to $10,000," says Edwards.
The Privacy Commissioner will also be able to order agencies to give people access to the personal information held on them.
Another major update is that a number of criminal offences will be introduced, giving the Act a few more "teeth", says Edwards.
Under the new law it will be illegal to mislead an agency in order to access someone else’s personal information, and it will also be a criminal offence for a business or organisation to destroy personal information knowing that a request has been made to access it.
The penalty for any of these offences is a fine of up to $10,000.
In a reflection of the fact that more and more business and online activity is taking place across borders, the Act will also bring in a number of safeguards to control when and how data can be shared overseas.
It makes it clear exactly what organisations should check and be sure of so our personal information is protected before sending data overseas. Under the new rules, information can only be shared overseas if the agency that receives it is subject to similar safeguards as those in New Zealand’s Privacy Act. If information is being sent somewhere lacking this protection, the person whose information is being sent must be fully informed of that fact and give their permission.
Any foreign business or organisation operating in New Zealand will also have to abide by the rules set out in the Act, even if they have no physical presence here – this will apply to companies such as Google and Facebook.
In an age where information is key, protecting personal information is not just legally required, it is also being demanded by consumers.
And though you may be forgiven for thinking the new Act will only apply to big corporations, Edwards says the updated regulations will affect virtually all businesses and organisations throughout the country.
"It’s a law that applies right across the economy, to every organisation that holds personal information – so pretty much everyone from the corner store to the music teacher to the insurance company," says Edwards, adding that companies that "really need to sit up and take notice" are those that have personal information as a core part of their business model.
Because of the increased expectation that our personal information will be securely looked after, Edwards says it’s in companies’ best interests commercially, as well as legally, to make sure they get things right.
"People entrust them [businesses] with their personal information and they are entitled to expect that it is treated safely. If they don’t then we are seeing punishments in the marketplace – we’re seeing reputational and brand harm."
The flip side of this, says Edwards, is that taking the protection of personal information seriously can go a long way towards enhancing the trustworthiness and reputation of a business.
"Now is the time to take the opportunity to make sure that your staff and your colleagues understand their obligations," he says.
The new Act comes into effect on December 1. Anyone wanting to learn more about the updated laws can do so on the Privacy Commissioner’s website.
This article was created for The Office of the Privacy Commissioner.