The Privacy Act NZ & GDPR adoption in New Zealand

Given advances in technology, enthusiastic adoption of social media and the ability to store unlimited data – including sensitive information – it’s not surprising that privacy laws in New Zealand are being refreshed 27 years after they were first enacted.

What does The Privacy Act mean for New Zealand?

A new Privacy Act will take effect from 1 December 2020 and replaces the Privacy Act from 1993. The Act strengthens privacy protections, breaches notification to the Office of the Privacy Commissioner as well as its ability to issue compliance notices to businesses or organizations to require them to do something, or stop doing something, to comply with the Privacy Act.

Privacy is respected through a series of flexible principles, a significant majority of which correlates reasonably well with Articles in the EU GDPR. Besides, many New Zealand organizations need to comply with the GDPR (which came into effect in May 2018), given the extra-territorial nature of the GDPR in relation to the processing of personal information.

What would be special in The Privacy Act 2020?

The intent of the new Privacy Act 2020 is designed to promote the free flow of information across borders and the privacy of individual’s personal information while  bringing NZ in line with international best practice.

Sensitive information can be, for example, about someone's health, political or religious beliefs, or financial information

Effective on  December 1 2020, the new act includes important changes that businesses and organisations should be preparing for to ensure that they are securing the sensitive data they hold and importantly in the event of a breach, that they are in a position to remediate.

What are the key reforms?

Privacy Breaches

Mandatory notification to the Privacy Commissioner of harmful privacy breaches? That is, breaches that pose a risk of serious harm. Before reporting any breach to the privacy commissioner it is strongly recommended that they navigate online to the Privacy Commissioner’s website and take a quick 5 min assessment using their anonymous NotifyUs self-assessment tool.

If a business has already determined that the breach has caused or is likely to cause serious harm then they are required under the new law to report the breach to the privacy commissioner and notify the affected persons as soon as possible.

Data sent internationally

The new Act strengthens cross-border protection requiring that NZ organisations sending sensitive data overseas have taken reasonable steps to confirm that similar privacy laws are in place or that they have this covered by a contractual obligation. Offshore cloud computing services are not (usually) counted as a foreign jurisdiction.

To assist with Privacy Principle 12 and to remove some of the burden from agencies the Privacy Commissioner recommends that organisations adopt model contract clauses as provided by the commissioner.

Compliance Orders & Criminal Offences

The commissioner will have the ability to issue compliance notices to businesses requiring compliance with the Act and failure to follow them may result in fines of up to $10000.

The privacy commissioner may demand the release of personal information and it would be a criminal offence and fines may be imposed if documents containing requested personal information are destroyed.

Child Information

The privacy law in relation to the way data is collected from children will also change and Privacy Principle 4 requires that the method is fair and does not unreasonably intrude on their personal affairs.

GDPR and The Privacy Act matchup for data centers & cloud.

Storage & security of personal information are one of the most important principles of both laws

The Privacy Act requires companies holding personal data to ensure the information is protected by such security safeguards. It is reasonable to take in the circumstances against loss, access, use, modification, unauthorized disclosure and other misuses.

The GDPR similarly requires (in Article 32) the data controller and processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These are: pseudonymization and encryption of personal data; ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services; restoring the availability and access to personal data in the event of a physical or technical incident; and having a process for regularly evaluating the effectiveness of security measures.

Another important aspect is mandatory data breach notification

In the Privacy Act 1993, there are currently no mandatory data breach notification requirements in New Zealand. However, that’s going to change with the reform of the Privacy Act coming in December. The Privacy Act 2020 introduces a privacy breach notification regime. If a business, organization, or agency has a privacy breach that it believes has caused (or is likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible.

In contrast, the GDPR contains more specific data breach notification requirements. The GDPR requires that in the case of a personal data breach, the controller shall within 72 hours of becoming aware of it, notify the breach to the supervisory authority. Such notification should provide the nature of the personal data breach, the number of people concerned, the contact details of the data protection officer, the presumed consequences of the data breach, and any measures (to be) taken to address the breach and mitigate any adverse effects.

Additionally, both the Privacy Act 2020 and GDPR clearly states that they have an extraterritorial effect. This means that an overseas business or organization that is ‘carrying on business’ in New Zealand (or in the EU for the GDPR) will be subject to the Privacy Act’s privacy obligations, even if it does not have a physical presence here.

How is the new Privacy Act different to the EU’s GDPR?

In NZ data subjects do not have ‘the right to be forgotten’ or ‘the right for data portability’.

Key actions businesses and organisations can take?

• Get familiar with the principles of the new act and educate employees who are collecting, handling, controlling and distributing personal information.
• Understand where personal information is stored, who is in control of it and who has access to it. 
• Adopt reasonable security measures to protect personal information and remediate in the event of a breach
• Introduce procedures of continuous control over personal information processing.
• Establish processes which will allow you to take action before any personal data of your prospects will be at risk.

How Ingram Micro & Runecast can help New Zealand?

Earlier this year Ingram Micro New Zealand secured initial sole distribution rights for Runecast Analyzer artificial intelligence technology that accelerates the performance of and helps to secure virtual environments.

Runecast Analyzer provides predictive analytics and automated security compliance analysis for VMware and Amazon Web Services, reducing administrative overhead while enabling management. How does Runecast do the automated checks for GDPR on AWS?

Adam Saunders, Ingram Micro NZ's business manager for enterprise software, said Runecast Analyzer addressed known gaps in management frameworks. “The solution is complementary to VMware and a natural fit in our portfolio," he said. "Resellers looking to boost the value they add to end customers will find ready markets for Runecast Analyzer because it is easily implemented and demonstrates rapid value.”

It only takes 30 minutes for partners to understand the technology, hear about the compelling use cases and they take notice and get excited about the opportunity once they see a demo for themselves.