Whether you work for a company or are a client, businesses collect and store personal data about employees and customers on a daily basis for various reasons. The Privacy Act covers which data can be collected, how it is stored and for how long to avoid serious misconduct.
Because technology has advanced rapidly over the last few decades and international privacy laws differ from country to country, the New Zealand Privacy Act is currently being overhauled. Changes become effective 1st December 2020, including how to deal with overseas service providers and how to respond if someone requests personal information.
What you need to know
Every business that collects, stores and uses personal information of their staff and customers is bound by the Privacy Act 1993. This also includes freelancers, sole traders and contractors as well as overseas businesses operating in New Zealand. Personal information is anything that can make a person identifiable, including their name and contact details, financial, health and purchase records. Data can be found in emails and letters, recordings, photos, marketing and advertising material and on social media.
Breaching the Privacy Act such as leaking information to third parties or using it in any way other than what was agreed to with the individual will have severe consequences for you and your company. Under the new law, the Privacy Commissioner will now be able to issue notices of compliance and force a business to release personal information upon request. Whether accidentally or as a consequence to a cyber-attack, you are responsible for any information you collect.
Under the law change, businesses are no longer allowed to destroy personal information if someone asks to have their personal data released. Serious privacy breaches need to be reported to the Privacy Commissioner as soon as they are identified, and overseas companies are only allowed to collect, store and use personal data if they can prove that they also adhere to the new Privacy Act.
What you need to do
There are several steps you and your business can take in order to ensure you are complying with the new law.
To avoid unnecessary trouble in the future, only ask your employees or customers for personal information you actually need. Stick to what is relevant in any given situation and explain exactly why, how and for how long you are collecting, storing and using that data. This includes cookies when anyone visits your website. Ensure you have the means to store data safely and dispose of it in the same manner when it is no longer needed.
Being transparent also means explaining to people what happens if they do not share their details. In addition, work out a plan to check that information you hold is correct and give each individual the chance to update or correct their data.
Almost two thirds of all complaints to the Privacy Commissioner are because businesses deny people the right to look up data stored about them. If someone requests to see their personal information, you have to follow up on each request within 20 working days without being given a reason. You are under no circumstances allowed to destroy data in order to avoid disclosing it.
In general, sharing personal information with third parties is a definite no go! However, there are certain circumstances in which disclosing information is necessary. Usually this is the case if the individual concerned has given their permission or data is shared in a way that a person cannot be identified. It also covers reporting to law enforcement if data poses a risk or a threat to another person or the public.
When using overseas-based companies or service providers, get them to show you how they meet New Zealand privacy laws prior to sharing any data with them. If they cannot prove that they comply, do not hand over personal details. However, this does not apply to overseas cloud-based services.
A security breach does not only have legal consequences, it usually results in losing the trust of your staff and customers and it can damage your reputation long-term. Anyone can report a breach to the Privacy Commissioner by filing a complaint. Under the new Privacy Act you are also legally obligated to report security breaches as soon as possible. One way to significantly reduce the risk of a data breach is to keep your website as well as any programs, apps and general software up to date.
Disclaimer: We are not lawyers and cannot offer legal advice regarding the Privacy Act. If you have any questions about securing your website, please contact us at Energise Web today.