
PRIVACY LAW UPDATE: Three things you need to know about the Privacy Bill before it becomes Law.

About the Author:

Dan Winfield

Partner at Duncan Cotterill
Dan co-leads the firm’s intellectual property (IP) practice as an IP and consumer law specialist. He helps clients make commercially sensible decisions around IP protection and in IP disputes.


New Zealand’s privacy law is currently undergoing a major revamp, with the 1993 Act expected to be replaced by mid-2020. Here, Dan Winfield of Duncan Cotterill discusses the three things you need to know.

1. Mostly, it's steady as she goes.

The Government has shied away from major renovations and the Privacy Bill looks largely like the principles-based Privacy Act you're familiar with. You are unlikely to need to make wholesale changes to your privacy practices.

2. You need a privacy breach procedure

The Bill requires notification of affected individuals and the Privacy Commissioner as soon as practicable after a notifiable breach happens. Increased penalties apply for failure to notify. A privacy breach is any unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information, or an action that prevents the holder from accessing the information.

A notifiable privacy breach is a privacy breach that it is reasonable to believe has caused or is likely to cause serious harm to an affected individual.

In considering the serious harm question, the agency must consider the actions taken to reduce the risk of harm, whether the information disclosed is sensitive, the nature of harm that might flow, the person or body who has received the information, whether the information is protected by a security measure and "any other relevant matters."

Which means you will need to have a process which:

a. Enables an assessment against the serious harm standard.

b. Functions to raise an internal notification where a breach has occurred.

c. Causes notification in the right circumstances.

You'll need to train relevant staff to interpret the standard in light of the relevant facts.

3. Where are you sending that information?

Prudent organisations will consider their information transfer practices and which third parties they're using to process information before the Bill comes into force.

New in the Bill is a requirement that an agency only disclose personal information to a foreign person or entity (think: Salesforce/MYOB) where the individual concerned authorises the disclosure after being expressly informed that the recipient may not be required to protect the information in an equivalent way.

The use of "expressly informed" suggests a much stricter requirement than tucking a notice into your privacy policy.

There will be carve-outs to the "expressly informed" requirement, notably for "prescribed countries" approved by (yet to be drafted) regulations, where the recipient is carrying on business in New Zealand (think: Microsoft/Google), or where the discloser reasonably thinks that the recipient is subject to privacy laws that, overall, provide comparable safeguards.

But every business which collects information here and then stores, processes or otherwise transfers it overseas will need to turn its mind to this issue.

Dan Winfield

Partner
Duncan Cotterill
04 499 3280

www.duncancotterill.com

