What is Privacy Act 2020?
The Privacy Act 2020 is New Zealand’s data privacy law, in force since December 2020, aiming to provide “a framework for protecting an individual’s right to privacy of personal information, including the right of an individual to access their personal information.” Similar to Australia’s Privacy Act 1988, the law frames the obligations of controllers around what it calls ‘Information Privacy Principles,’ in contrast to the approach taken by other data protection laws.
What is Personal Information and what are other key definitions?
According to the text of the Act, a data subject, here called an ‘individual,’ is “a natural person, other than a deceased natural person.” There is no distinction between a data controller and a data processor; both are covered by the general term ‘agency.’
The Act defines ‘personal information’ as “information about an identifiable individual,” which includes “information relating to a death that is maintained by the Registrar-General under the Births, Deaths, Marriages, and Relationships Registration Act 2021 or any former Act (as defined in Schedule 1 of that Act).” However, in Part 7, Subpart 2, it also discusses ‘identity information,’ which it defines “in relation to an individual” as “any information that identifies, or relates to the identity of, the individual, and includes (without limitation) the following information:
- the individual’s biographical details (for example, the individual’s name, address, date of birth, place of birth, and gender):
- the individual’s biometric information:
- a photograph or visual image of the individual:
- details of the individual’s New Zealand travel document or certificate of identity;
- details of any distinguishing features (including tattoos and birthmarks).”
Although the Privacy Act 2020 does not specifically mention ‘sensitive personal information,’ it does require an agency to consider whether the data is sensitive when assessing the likelihood of harm caused by a data breach. The regulating authority, the Office of the Privacy Commissioner (OPC), has published a guidance note on how the Act applies to this type of information to help agencies interpret the meaning and application of the Act.
An individual is considered to be a resident of New Zealand if one of the following applies:
- “the person’s home is in New Zealand; or
- the person is residing in New Zealand with the intention of residing in New Zealand indefinitely; or
- having resided in New Zealand with the intention of establishing their home in New Zealand, or with the intention of residing in New Zealand indefinitely, the person is outside New Zealand but intends to return to establish their home in New Zealand or to reside in New Zealand indefinitely.”
Also, according to the law, a ‘New Zealand agency’ means one of the following:
- “an individual who is ordinarily resident in New Zealand; or
- a public sector agency; or
- a New Zealand private sector agency; or
- a court or tribunal, except in relation to its judicial functions;
but does not include—
- the Sovereign; or
- the Governor-General or the Administrator of the Government; or
- the House of Representatives; or
- a member of Parliament in their official capacity; or
- the Parliamentary Service Commission; or
- the Parliamentary Service, except in relation to personal information about any employee or former employee of the Parliamentary Service in their capacity as an employee; or
- an Ombudsman; or
- an inquiry; or
- a board of inquiry or court of inquiry appointed under any Act to inquire into a specified matter; or
- a news entity, to the extent that it is carrying on news activities.”
The Act defines ‘biometric information’ as “one or more of the following kinds of personal information: a photograph of all or any part of the person’s head and shoulders, impressions of the person’s fingerprints, a scan of the person’s irises; or an electronic record of the personal information that is capable of being used for biometric matching.”
Last but not least, it offers a definition for ‘unique identifier’ as “an identifier other than the individual’s name that uniquely identifies the individual.” This definition will prove relevant for agencies wishing to correctly interpret IPP 13.
Who has to comply with Privacy Act 2020?
The Privacy Act 2020 applies to:
- A New Zealand agency in relation to any action taken by the agency (whether it is present or not in the country) with respect to personal information that the agency collected or held;
- An overseas agency in relation to any action taken by the agency in the course of carrying on business in New Zealand with respect to personal information that the agency collected or held;
- An individual who is not ordinarily resident in New Zealand, in relation to any action taken by the individual with respect to personal information collected while present in New Zealand, regardless of where the information is subsequently held or where the individual to whom the information relates is, or was, located; or personal information held but not collected by the individual while present in New Zealand, regardless of where the individual to whom the information relates is, or was, located.
For the agencies listed above, it does not matter where the personal information is, or was, collected by the agency; where the personal information is held by the agency; or where the individual concerned is, or was, located. Additionally, an overseas agency may be treated as carrying on business in New Zealand even if it is not a commercial operation, has no place of business in New Zealand, receives no monetary payment for the supply of goods or services, and does not intend to make a profit from its business in New Zealand.
Who is excluded from Privacy Act 2020 compliance?
Per the definition of ‘agency’ listed above, certain types of entities are excluded from the definition and as such from coverage by the Act, such as members of Parliament, or “a news entity, to the extent that it is carrying on news activities.” In addition, Part 3, Sections 25 through 30 list the exceptions and exemptions from compliance with the IPPs, such as when the Privacy Commissioner may authorize the “collection, use, storage, or disclosure of personal information otherwise in breach of IPP 2 or IPPs 9 to 12.”
How can I keep my organization compliant with Privacy Act 2020?
As stated, the Privacy Act 2020 lists 13 Information Privacy Principles (IPPs) that agencies have to observe for compliance.
Information privacy principle 1 - Purpose of collection of personal information
Personal information must not be collected by an agency unless:
- the information is collected for a lawful purpose connected with a function or an activity of the agency; and
- the collection of the information is necessary for that purpose.
Information privacy principle 2 - Source of personal information
If an agency collects personal information, the information must be collected from the individual concerned. However, if the agency has reasonable grounds to believe that any one of the exceptions outlined in the law applies, it is not necessary to comply with this principle.
Information privacy principle 3 - Collection of information from subject
If an agency collects personal information from the individual concerned, unless exceptions outlined in the law apply, the agency must take any steps that are, in the circumstances, reasonable to ensure that the individual concerned is aware of:
- the fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information;
- the name and address of the agency that is collecting the information and of the agency that will hold the information;
- if the collection of the information is authorized or required by or under law, the particular law by or under which the collection of the information is authorized or required; and
- whether the supply of the information by that individual is voluntary or mandatory; and
- the consequences (if any) for that individual if all or any part of the requested information is not provided; and
- the rights of access to, and correction of, information provided by the IPPs.
Information privacy principle 4 - Manner of collection of personal information
An agency may collect personal information only:
- by a lawful means; and
- by a means that, in the circumstances of the case (particularly in circumstances where personal information is being collected from children or young persons):
  - is fair; and
  - does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Information privacy principle 5 - Storage and security of personal information
An agency that holds personal information must ensure that the information is protected, by such security safeguards as are reasonable in the circumstances to take, against:
- loss;
- access, use, modification, or disclosure that is not authorized by the agency; and
- other misuse.
If it is necessary for the information to be given to a person in connection with the provision of a service to the agency (for example, a third-party processor), the agency must also do everything reasonably within its power to prevent unauthorized use or disclosure of the information by that person.
Information privacy principle 6 - Access to personal information
An individual is entitled to receive from an agency, upon request, confirmation of whether the agency holds any personal information about them, and access to that personal information.
Information privacy principle 7 - Correction of personal information
- An individual whose personal information is held by an agency is entitled to request the agency to correct the information.
- An agency that holds personal information must, on request or on its own initiative, take such steps (if any) that are reasonable in the circumstances to ensure that, having regard to the purposes for which the information may lawfully be used, the information is accurate, up to date, complete, and not misleading.
Information privacy principle 8 - Accuracy, etc, of personal information to be checked before use or disclosure
An agency that holds personal information must not use or disclose that information without taking any steps that are, in the circumstances, reasonable to ensure that the information is accurate, up to date, complete, relevant, and not misleading.
Information privacy principle 9 - Agency not to keep personal information for longer than necessary
An agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.
Information privacy principle 10 - Limits on use of personal information
- An agency that holds personal information that was obtained in connection with one purpose may not use the information for any other purpose unless the agency believes that any one of the exceptions outlined in the law applies.
- In addition to the uses authorized, an intelligence and security agency that holds personal information that was obtained in connection with one purpose may use the information for any other purpose (a secondary purpose) if the agency believes on reasonable grounds that the use of the information for the secondary purpose is necessary to enable the agency to perform any of its functions.
Information privacy principle 11 - Limits on disclosure of personal information
An agency that holds personal information must not disclose the information to any other agency or to any person unless the agency believes that any one of the exceptions outlined in the law applies.
Information privacy principle 12 - Disclosure of personal information outside New Zealand
An agency may disclose personal information to a foreign person or entity in reliance on IPP 11 only if one of the following applies:
- the individual concerned authorizes the disclosure after being expressly informed that the receiving agency may not be required to protect the information in a way that, overall, provides comparable safeguards to those in this Act;
- the receiving agency is carrying on business in New Zealand and, in relation to the information, the disclosing agency believes on reasonable grounds that the receiving agency is subject to this Act;
- the agency disclosing the data has reasonable grounds to believe that the receiving agency is subject to privacy laws that, overall, provide comparable safeguards to those in this Act;
- the agency disclosing the data has reasonable grounds to believe that the receiving agency is a participant in a prescribed binding scheme, or is subject to privacy laws of a prescribed country;
- the agency disclosing the data has reasonable grounds to believe that the receiving agency is required to protect the information in a way that, overall, provides comparable safeguards to those in this Act (for example, pursuant to an agreement entered into between the two agencies).
Information privacy principle 13 - Unique identifiers
- An agency may assign a unique identifier to an individual for use in its operations only if that identifier is necessary to enable the agency to carry out one or more of its functions efficiently.
- An individual may not be assigned a unique identifier if, to the agency’s knowledge, the same unique identifier has already been assigned to the individual by another agency. The exceptions are when the two agencies are associated as defined in subpart YB of the Income Tax Act 2007, or when the unique identifier is used for statistical or research purposes and no other purpose.
- The same unique identifier may not be assigned to an individual by another agency for the purpose of communication between two agencies that use the same unique identifier for the individual.
- An agency must take any reasonable steps necessary to ensure that a unique identifier is assigned only to an individual whose identity is clearly established, and that the risk of misuse of a unique identifier by any person is minimized (for example, by showing truncated account numbers on receipts or in correspondence).
- An agency may not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or is for a purpose that is directly related to one of those purposes.
In the event of a data breach, the Act mandates that the agency “notify the Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred” and also “must notify an affected individual as soon as practicable after becoming aware that a notifiable privacy breach has occurred,” unless the exceptions in Part 6, Section 116 apply. However, “if it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals, the agency must instead give public notice of the privacy breach.”
Another obligation of agencies is outlined in Part 9, Section 201, which states that “an agency must appoint as privacy officers for the agency one or more individuals (within or outside the agency) whose responsibilities include:
- encouraging the agency to comply with the IPPs;
- dealing with requests made to the agency under this Act;
- working with the Commissioner in relation to investigations conducted under Part 5 in relation to the agency;
- ensuring that the agency complies with the provisions of this Act.”
What data access rights does Privacy Act 2020 grant?
Individuals are granted several data access rights as follows:
- The Right to Access, based on IPP 6;
- The Right to Correct, based on IPP 7.
Under New Zealand’s privacy law, there is no Right to Delete, Right to Data Portability, Right to Object, or Right not to be subject to automated decision-making.
How should organizations address data subject access requests under Privacy Act 2020?
The Act does not offer many specifics on how requests have to be handled. The two requests it does discuss are the request for access and the request for correction. In both cases, the following have to be observed:
- the request “may be made only by the individual concerned or that individual’s representative”;
- a requestor may ask that their request be treated as urgent, but they must state the reason why it should be treated as such;
- if the agency receives an urgent request it must consider it as well as the reason stated for its urgency when determining the priority to be given to responding to it;
- in the case of a normal request, the agency must respond as soon as it has decided to grant the request and as soon as is reasonably practicable, and in any case not later than 20 working days after the day on which the request is received;
- an agency is allowed to extend the deadline for answering a request if the request is of such a nature that it cannot reasonably be answered within the original timeframe. However, any extension “must be for a reasonable period of time having regard to the circumstances.”
Agencies may impose charges, but these have to be reasonable and take into account the cost of the labor and materials involved, or any costs involved in answering an urgent request for access or correction.
Enforcement and penalties
The Office of the Privacy Commissioner (OPC) ensures compliance with the law, handles and investigates complaints, and advises New Zealand’s government on matters of data privacy.
According to one of the articles in the Knowledge Base section of the OPC’s website, when investigating a complaint the OPC will first try to facilitate a resolution; only where this is not possible will it refer the matter to the Director of Human Rights Proceedings (the Director), who may bring the case before the Human Rights Review Tribunal (the Tribunal). The Tribunal then decides whether compensation is awarded and the appropriate range of compensation for violations of the Act.
As regards penalties, violations are considered criminal offenses and are sanctionable by a fine not exceeding NZD 10,000 (approx. $ 6,000). However, according to the same article, “the Tribunal has said that cases at the less serious end of the spectrum will range up to NZD 10,000 (approx. $ 6,000), more serious cases can range from NZD 10,000 (approx. $ 6,000) to around NZD 50,000 (approx. $ 29,900), and the most serious cases will range from NZD 50,000 (approx. $ 29,900) upwards. The most the HRRT has awarded so far for a privacy matter is just over NZD 168,000 (approx. $ 100,400).”
Data Subject Rights - GDPR vs. Privacy Act 2020
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
PRIVACY ACT 2020
- Right to be informed
- Right to Access
- Right to Correct
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.