Privacy Act – are you compliant?

;d;;Title: Privacy Act – Are You Compliant?  |  Posted: 15 MAY 2021  |  Author: Alex Cruden (TTL)  |  Category: Security, Risk, Compliance

Are You Aware of Privacy Act Obligations?

The Privacy Act 2020 introduced greater protections for individuals and some new obligations for businesses and organisations in relation to the capture and storage of personal information.

This applies to information stored on hardcopy or in electronic format.

The changes include the requirement to report serious privacy breaches to the Privacy Commissioner and to affected people.

New rules are in place that apply when sending personal information overseas.

The Privacy Commissioner has new powers to help people access their own information and to require businesses and organisations to comply with the law. There are increased fines for organisations that don’t comply.

Are you compliant?

Overview of Principles

The Privacy Act 2020 includes a set of thirteen Principles to guide organisations who store Personal Information.

Here’s a brief rundown of each.

Principle 1 – Purpose for collection of personal information

Organisations must only collect personal information if it is for a lawful purpose connected with their activities or functions. This means the information collected must be necessary for the organisation to carry out the purpose of collecting that information.

The message here is: don’t collect personal information if it is unnecessary.

Principle 2 – Source of personal information

Personal information should be collected directly from the person it is about. The best source of information about a person is usually the person themselves. Collecting information from the individual concerned means they know what is going on. They can also have some control over their information and how it is to be used.

Some exceptions:

• collection of their personal information from someone else has been authorised by the person concerned;
• the personal information is necessary to uphold or enforce law;
• the personal information is collected from a publicly available source;
• if collecting information from the person directly would undermine the purpose of collection.

Principle 3 – Collection of information from subject

Organisations should be open about why they are collecting personal information and what they will do with it.

The organisations should disclose why the personal information is collected; who will receive the personal information; whether it is compulsory or voluntary to provide the information; actions resulting from providing the personal information.

Principle 4 – Manner of collection of personal information

Personal information must not be collected by unlawful, unfair or unreasonably intrusive means. When an organisation collects information about a person, it has to do so in a way that is fair and legal.

What is reasonable also depends on the circumstances. This includes the purpose for collection, the degree to which the collection intrudes on privacy, and the time and place it was collected.

You need to take particular care when collecting information from children and young people. It may not be fair to collect information from children in the same manner as you would from a consenting adult.

Principle 5 – Storage and security of personal information

Organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information.

There are a number of different aspects to consider, including:

• physical security;
• electronic security;
• operational security;
• security during transmission;
• security during destruction.

What steps are appropriate will depend entirely on the circumstances. Considerations should include:

• How sensitive is the personal information involved?
• What the the personal information is to be used for?
• Which security measures are available, and how will using these measures impact on your agency’s functions?
• What might the consequences be for the individual if the information is not kept secure?

Principle 6 – Access to personal information

People have a right to ask for access to their own personal information. Generally, an organisation must provide access to the personal information it holds about someone if the person in question asks to see it.

People can only ask for information about themselves. The Privacy Act does not allow anyone to request information about another person, unless they are acting on that person’s behalf and have written authorisation.

In some situations, an organisation may have good reasons to refuse a request for access to personal information. For example, the information may involve an unwarranted breach of someone else’s privacy. Or releasing it may pose a serious threat to someone’s safety.

Principle 7 – Correction of personal information

A person has a right to ask an organisation or business to correct information about them if they think it is wrong.

If an organisation does not agree that the information needs correcting, an individual can ask that an agency attach a statement of correction to its records. If reasonable, the agency should do so.

Anyone unsatisfied with how an agency has dealt with a correction request  can make a complaint to the Privacy Commissioner. Instances where the would apply could be:

• because it has failed to respond,
• hasn’t given reasons for refusing a request,
• has refused to attach a statement of correction.

Principle 8 – Accuracy of personal information

Organisations using personal information have a duty of care to ensure that information is accurate.

An organisation must check before using or disclosing personal information that it is accurate, up to date, complete, relevant and not misleading.

Principle 9 – Retention of personal information

An organisation should not keep personal information for longer than it is required for the purpose it may lawfully be used.

The important thing is for an agency to have a clear policy on how long it will retain the different types of personal information collected, and to apply this consistently.

Principle 10 – Use of personal information

Organisations can generally only use personal information for the purpose it was collected.

Sometimes other uses will be allowed, such as if the new use is directly related to the original purpose, or if the person in question gives their permission for their information to be used in a different way.

Principle 11 – Disclosure of personal information

An organisation may only disclose personal information in limited circumstances.

For instance, an organisation may disclose personal information when:

• disclosure is one of the purposes for which the organisation acquired the information;
• the person concerned authorises the disclosure;
• the information is to be used in a way that does not identify the person concerned;
• disclosure is necessary to avoid endangering someone’s health or safety;
• disclosure is necessary to uphold or enforce the law.

Principle 12 – Cross-border disclosure

There are new rules around sending personal information to organisations or people outside New Zealand (cross-border disclosure).

A business or organisation may only disclose personal information to another organisation outside New Zealand if the receiving organisation:

• is subject to the Privacy Act because they do business in New Zealand;
• is subject to privacy laws in their own country that provide comparable safeguards to the NZ Privacy Act;
• agrees to adequately protect the information, e.g. by using model contract clauses between the organisation providing the information and the receiving organisation;
• is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.

If none of the above criteria apply, a business or organisation may only make a cross-border disclosure with the permission of the person concerned. The person must be expressly informed that their information may not be given the same protection as provided by the New Zealand Privacy Act.

Principle 13 – Unique identifiers

An organisation can only use unique identifiers when it is necessary.

Unique identifiers are individual numbers, references, or other forms of identification allocated to people by organisations. These include:

• driver’s licence numbers;
• passport numbers;
• IRD numbers;
• National Health Index numbers.

An organisation cannot assign a unique identifier to a person if that unique identifier has already been given to that person by another organisation.

Organisations must take reasonable steps to protect unique identifiers from misuse.

Privacy Commissioner Material

The Office of the Privacy Commissioner has an excellent website with all the information you need to understand the Privacy Act 2020. An overview can be found on the ‘Privacy is Precious’ campaign section of the Privacy Org website:

https://privacy.org.nz/privacy-act-2020/campaign/

Several key sections of the website provide information on all of the above topics.

The full Privacy Act, in all its glory, can be found on the Privacy Org website:

https://privacy.org.nz/privacy-act-2020/privacy-act-2020/

In addition, details for each of the thirteen privacy principles can be accessed via the following link:

https://privacy.org.nz/privacy-act-2020/privacy-principles/

There is also a nice set of Privacy Act information sheets, each covering one of the main changes in the new 2020 Act, available on:

https://privacy.org.nz/publications/guidance-resources/pa2020-infosheets/

Next Steps

To ensure you are and remain compliant with the Privacy Act, you need to consider a number of activities for areas of your business that are handling personal information. How complex an exercise this is will depend on your business sector/area of operation, what type of information you store as part of your business operations and your level of maturity in security practices.

Here’s where you should start:

• Audit systems to understand the type of personal information being stored, what it is being used for and who has access to that information.
• Review current security and protective measures to ensure personal information is adequately protected, to satisfy obligations outlined in the Privacy Act.

Depending on the output from these tasks, you may need some remedial action:

• Eliminate any inappropriate access to personal information.
• Modify or destroy any unnecessary personal information.
• Create/modify your Security framework to ensure valid personal information is appropriately protected.

If you don’t already have these, the following tasks may also be necessary:

• Prepare a Privacy Policy in relation to information stored by your organisation.
• Build mechanisms for responding to requests to provide details of what personal information is stored.
• Build processes to correct and/or destroy any personal information when requested to do so.

Finally, to ensure ongoing awareness of obligations you will need to build an education programme for your organisation:

• Construct relevant training material on Privacy Act obligations, including examples that are particularly important for your organisation.
• Build a schedule of education sessions for employees, including periodic refresher training for front-line staff handling personal information on a regular basis. Consider whether to include a questionnaire to measure effectiveness of training.