Hospitality Business Magazine

The New Zealand Privacy Act is changing

New Zealand’s 27-year-old Privacy Act changes on 1 December. The new Privacy Act 2020 will update our privacy environment and make some important changes to how organisations and businesses need to manage personal information.

Privacy should be at the heart of how a business handles personal information. If privacy is managed well, there will be few or no complaints, apologies and, in some cases, compensation payments for harm caused. Instead, a business would be able to highlight how it preserves privacy as an important part of its brand or reputation.

Hospitality businesses collect a lot of personal information, in the form of customer information, but also in the form of employee information.

Recently, we’ve seen privacy issues arise with customer contact tracing details on Covid-19 contact tracing registers. Some of these cases were serious privacy breaches which resulted from poor safeguards around the register. In other cases, some businesses were using contact tracing information collected from customers to add them to their marketing mailing list.

The new Privacy Act introduces new obligations for businesses and a financial penalty of up to $10,000 for some types of privacy breaches, and gives the Privacy Commissioner more enforcement powers to make a business comply with the Act.

Mandatory privacy breach notification

Up to now, there’s been no obligation to report a serious privacy breach to the Office of the Privacy Commissioner (OPC). That is about to change. If your business has a privacy breach that has caused, or is likely to cause, serious harm, you will need to tell OPC and the affected individuals as soon as possible. It will be an offence to fail to inform the Privacy Commissioner – and a business can be liable for a criminal offence and face a fine of up to $10,000.

But not all privacy breaches will need to be reported. The threshold for a notifiable breach is whether it has caused or is likely to cause ‘serious harm’. The OPC’s NotifyUs tool can help you determine whether a privacy breach meets that threshold of seriousness.

Compliance notices

The Privacy Commissioner will be able to issue compliance notices to businesses, requiring them to do something, or to stop doing something, in order to comply with the Privacy Act. Compliance notices will set out the steps that the Commissioner considers are required to fix a situation and will specify a date by which the changes must be made.

Enforceable access directions

An important privacy right is the right to ask for any information about yourself. While this right is unchanged under the new law, the Privacy Commissioner will be able to direct businesses to give people access to their information. Up to now, individuals have had to take their cases to the Human Rights Review Tribunal, a lengthy and sometimes costly process.

Get prepared

These are just some of the changes in the Privacy Act 2020.

This is the perfect time for you to do a ‘health check’ of your existing privacy practices. This could be as simple as reviewing whether the policies and procedures you currently use are working as they should, or if they need updating.

There are good practices that your business should already have. Did you know that it is a legal requirement for every organisation in New Zealand to have a privacy officer? Now is a good time to check who your privacy officer is and to make sure they understand their responsibilities.

Other tips include reviewing and updating your business’ privacy policy and making sure you have a privacy breach plan in place in case a privacy breach occurs.

The new Privacy Act 2020 is also a useful opportunity to upskill your staff on their privacy obligations. Try the OPC’s free e-learning modules.

If you have a situation for which you may need advice, you are encouraged to contact the OPC, either by emailing enquiries@privacy.org.nz or by calling 0800 803 909.