By Vaughan Granier

On 1 December, the Privacy Act 2020 (the Act) will come into force. The Government has amended the law to provide greater protections for the personal information that is free-flowing globally, in our increasingly online world.

The new privacy laws will introduce a new privacy principle, criminal convictions, fines and a compulsory obligation for organisations to report privacy breaches. These changes have placed a sharp focus on workplace compliance with privacy regulations; namely on how employers manage employees’ personal information. As an employer, you have an increased responsibility under the new law to take good care of the information your business holds. Let’s look at what some of those responsibilities will be, and what you can do to protect your people from the risk of a privacy breach.

What’s new in the Privacy Act 2020?

At the core of the Act is a set of 13 privacy principles, based on international standards for handling people’s personal information. The Government has modernised three of these in the new law and added a new one to the list. The updated principles below can be applied to the way your business collects, stores and uses the personal information of workers and the people you do business with. The updated principles are:

Principle 1 – purpose for collection of information

The Government has updated this principle to make it clear that organisations can only collect information if it’s necessary. If you don’t need someone’s personal information, you don’t need to collect it.

Principle 4 – the manner of collection

This updated principle expands on what is legal and reasonable when collecting personal data, including the circumstances in which you may obtain it. This includes what is fair when you’re gathering information from young people, who may not fully understand how their information could be used. In this example, it could be deemed unlawful to request personal information from youths in the same way you ask for the same data from adults.

Principle 12 – disclosure of personal information outside of New Zealand

Number 12 is a new principle that intends to protect data shared overseas. Under this principle, private information may only be disclosed to an overseas entity when that entity has similar privacy protections to those contained in New Zealand privacy laws. Importantly, sending personal details to a cloud-based service provider isn’t treated as a “disclosure”; however, you should ensure your service provider handles personal data in compliance with New Zealand’s current privacy laws.

Principle 13 – unique identifiers

Previously known as principle 12, the last direction aims to minimise the risk of ID theft. This final principle outlines the reasonable steps you can take to protect unique identifiers from being misused, such as Health Index numbers, IRD numbers, and Payroll ID numbers.

Aside from the privacy principles, several other major changes will come into force with the new Act that may directly or indirectly impact your business, including:

  • If your organisation has a major privacy breach, you must notify the Privacy Commissioner and all affected parties as soon as possible;
  • The Privacy Commissioner can issue compliance notices that require your business to act, or to stop acting, in a particular way;
  • The Privacy Commissioner can now make a formal decision on complaints relating to access to information, which will speed up the dispute process;
  • It’s now a criminal offence to mislead an organisation in order to obtain information, for example by impersonating someone or pretending to have their authority to gain access to information. You can also be convicted under the privacy law if you destroy any information after someone has requested it from you.

What are the penalties for non-compliance with the Privacy Act 2020?

From 1 December 2020 you can face a fine of up to $10,000 for the following breaches:

  • Misleading an entity to gain access to information;
  • Destroying information that someone has requested;
  • Failing to comply with a compliance notice; and
  • Failing to notify the Commissioner of a breach.

How to avoid a privacy breach under the new law?

As an employer, there are several actions you can take to get your business up to speed with the Act and reduce the risk of a privacy breach in your workplace, including:

Do your due diligence

Under principle 12, as an employer, you need to ensure that any overseas person, entity or cloud-based service provider you share private information with is meeting the expectations set out for overseas disclosure and handling of data. Do your due diligence by getting answers to at least three questions:

  1. Where (physically) are the servers (and backups) of the organisation holding the data?
  2. What security protocols and backups are in place?
  3. What are the privacy laws of that country and the privacy standards of that organisation?

Privacy and the safeguarding of our clients’ data are paramount at HR Assured. Our privacy policy details how personal information is handled in HRA Cloud in line with the requirements of New Zealand privacy law.

Review your information collection processes

To get your business ready for the new laws, you should ensure that any personal information you collect is needed and provided voluntarily. Ask yourself questions like: “Why is this information being collected?”, and, “Who is it for?”. Suppose you require an employee to provide information during an investigation. In this case, your employee needs to voluntarily provide this to you with a full understanding of why, who will see it, and the consequences of not providing it.

Train your staff

A powerful way to reduce the risk of a privacy breach or non-compliance with the Act is by talking to your people. You can develop consistent compliance across your business by educating staff on the new expectations around handling personal information. And by working through different scenarios for reporting a severe privacy breach with your teams, you can ensure that any worker is able to report a serious event effectively.

Access to employee documentation

Now is a great time to review your record-keeping and document management systems to ensure that all personal information you collect is securely stored. Only people who need to access private records should be able to access them – this includes the owner of the information if they request it.

Appoint a privacy officer

A privacy officer is someone in your business who knows the law and can be the first point of contact in the event of any potential privacy issue.

Update your workplace policies

Dig out any of your workplace policies that touch on the handling of personal information, from your privacy policy and statement to your employee handbook. You’ll need to update these to reflect the legislative changes ahead. If you need any help, reach out to the team at HR Assured.

The HRA Cloud contains all the up-to-date HR policy templates your business needs to comply with current employment laws, including the upcoming Privacy Act 2020. If you’re already a client, make sure you jump into your HRA Cloud and update these policies when they go live on 1 December 2020.

We hope this information provides some clarity around the Privacy Act 2020 and steps you can take to ensure your workplace is compliant. Please feel free to contact HR Assured with any further questions.

Vaughan Granier is the National Workplace Relations Manager for HR Assured NZ. He has over 24 years’ experience in international human resources, health and safety, and workplace relations management. With over 10 years working in New Zealand and Australian companies, he provides in-depth support to leadership teams across all areas of HR, Health and Safety, and employee management.