The Privacy Act 2020
There are now 13 information privacy principles instead of the original 12, and even though most are recognisable from the old Act, there have been some tweaks.
For example, while Principle 1 has always required that an agency collect personal information only in relation to its legitimate purposes and not unrelated ones, it now also forbids collecting identifying information altogether where it is possible to provide a service without doing so. (In this context, the term “agency” means any person, business, government department or organisation in the public or private sector.)
Similarly, Principle 4, which covers the manner of collecting personal information, now requires specific consideration to be given to whether that manner is appropriate when collecting information from children or young people.
Principle 12 relates to sending information outside New Zealand. Due diligence is needed to ensure the information will be protected by standards comparable to those in New Zealand. The Government is expected to prescribe a list of countries with comparable protections, and the OPC provides other tools, such as model contractual terms for use with an overseas recipient.
Principle 12 does not apply when using, say, a cloud service to store data where the overseas service provider is not using the data for its own purposes.
In that case, the New Zealand agency remains responsible for the information.
Overseas agencies doing business in New Zealand are also now subject to the Act, which ensures a level playing field.
Although some might question how the OPC can enforce the Act against the likes of Facebook, it is likely there will be increasing coordination with overseas privacy authorities.
This occurred, for instance, between Australia and Canada with the 2015 data breach investigation of online adult ‘discreet affair’ dating site, Ashley Madison.
The most important additions in the new Act are the duty to notify affected individuals of breaches when they may suffer serious harm and OPC’s power to issue compliance notices against agencies. These are underpinned by fines.
It is important to note, however, that failure to notify when required also gives individuals recourse to complain and ultimately bring an action for monetary damages of up to $350,000. Class actions are also now possible.
For more information about the new Act, visit privacy.org.nz
The Unsolicited Electronic Messages Act
We have seen this Act being enforced in the last few months.
For Guardian Angel monitored clients, there is a renewed justification for paying for good monitoring services utilising API integrations.
We are the only company in NZ with API integrations with Blackline and Garmin, meaning we get the alerts live from the overseas servers (see flowchart below).
We do get the SMS and email as backup, but we are more regularly seeing these not arrive.
It’s a major concern for any companies relying on in-house monitoring or monitoring providers without integrations.
For us, the API integrations have been in place since the start of our business, and we don’t go live with any new devices or services we bring on until we have finalised the API work.
We are not prepared to accept any risk at all of us not being able to respond to a worker in need. This is the only way we can guarantee that.