New Zealand Law Society - Privacy law reform: what it means for lawyers

Privacy law reform: what it means for lawyers

The Privacy Commissioner tells us about a significant set of reforms to the Privacy Act that will come into force in December and what it means for lawyers.

By John Edwards


In December of this year a significant set of reforms to the Privacy Act will come into force – the first major reforms since Parliament passed the Act in 1993. These reforms modernise the Act in response to the major technological progress that society has made between 1993 and today.

The fundamentals of the Act will largely remain the same. The Act will still be based on information privacy principles that set broad standards around how agencies can collect, use, store and share information. With just a few exceptions, these are the same as they have been since 1993.

But there will be significant changes to the enforcement side of the Privacy Act. In short, the Act will have more ‘teeth’. The Office of the Privacy Commissioner will have more powers to compel agencies to comply with the Act, there will be new criminal offences for not complying with the Act, there will be fines, and some behaviours that are currently optional will become mandatory.

With that in mind, this article works through the main changes that lawyers should know about – and what you and your clients can do now to prepare for these changes.

Compliance notices

Our office will have the power to issue compliance notices to any agency not complying with the Act. These notices can compel agencies to do something or stop doing something in order to comply with the Act.

Agencies will be given the opportunity to comment on compliance notices before they are finalised, and once they are finalised, agencies can appeal to the Human Rights Review Tribunal. But agencies that lose their appeal and do not comply, or do not comply and do not appeal, can be fined up to $10,000.

New criminal offences

The Privacy Act will create four new criminal offences. Agencies that commit these offences can face fines of up to $10,000. This means lawyers and their clients will have more financial risk when dealing with personal information.

The offences are:

  • failing to comply with a compliance order from the Privacy Commissioner;
  • misleading an agency to get someone else’s personal information;
  • destroying someone’s personal information when they ask for it; and
  • failing to alert the Commissioner about a serious privacy breach.

To prepare for this, lawyers should educate clients about these offences, and explain how they raise the financial stakes for agencies handling personal information.

Access determinations

The most common type of privacy complaint is when someone asks to see information an agency holds about themselves, and the agency refuses to give it to them. This is called an access request.

Under the new Act, we will be able to require agencies to give people their personal information, rather than go through the process of referring complaints to the Director of Human Rights Proceedings.

This means that some individuals and agencies can expect faster resolution of privacy complaints that involve access to information. This is particularly relevant if you have clients seeking information about themselves in order to support other cases or complaints, because it can make the process faster and more efficient.

Breach notification is mandatory

Mandatory breach notification creates new obligations for both you and your clients.

Right now, we encourage agencies to report privacy breaches to our office, and to the affected individuals, but it is not mandatory. This will change in December and reporting serious breaches will become mandatory. Any breaches that cause serious harm, or could possibly cause serious harm, need to be reported to our office and the affected individual. Agencies that fail to notify these privacy breaches can be fined up to $10,000.

To prepare for this, you and your clients should set clear internal definitions around ‘serious harm,’ so you know which breaches to notify in the future.

To make it as easy as possible, our NotifyUs tool will soon be available on our website. It will guide agencies through the criteria of a breach’s seriousness, and help you determine whether you should report it to our office.

New safeguards for information sent overseas

Agencies that send information overseas will only be able to do so if that information is adequately protected. This means it must meet one (or more) of these criteria:

  • the receiving agency does business in New Zealand, and is subject to the Privacy Act;
  • the receiving agency is subject to privacy safeguards that are comparable to the New Zealand Privacy Act;
  • the receiving agency is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand government; or
  • the transfer of an individual’s personal information has been authorised by that individual.

You can send information to overseas agencies that do not meet these requirements by getting them to agree to protect information in a way that is consistent with the Privacy Act. We are in the process of developing model contract clauses that you can use in these situations.

To prepare for this, lawyers and clients should review any information being sent overseas. Are you sending it to agencies that meet the above criteria? If not, you’ll need to either change agencies, or put together a new contract for your existing overseas agency.

There is one notable exception to this: it generally does not apply to cloud-based businesses. If you are sending information to an agency to hold or process on your behalf, then it will not be treated as a disclosure under principle 12 of the new Privacy Act.

Where to from here?

With the new Act coming into force on 1 December, the next few months are an opportunity to get up to speed with the changes. Here’s what you can do today:

  • Audit your client list to see who will be most affected by the changes. Keep an eye out for agencies that handle significant amounts of personal information, have poor or informal information management practices, or both. These are the businesses that will be most affected by the new Act.
  • Review your own information management practices. For example, could you give someone their personal information in a timely manner?
  • Start drafting processes around new aspects of the Privacy Act, such as mandatory breach notification.

To facilitate this, here are two things you can do today:

  • Visit our website and sign up for our newsletter. We’ll be in touch as we release detailed guidance and resources.
  • Sign up for our short Privacy 2.0 online training module.

John Edwards is the Privacy Commissioner
