Amendments to the Privacy Act

Information is a key aspect to ensure a successful and functional employment relationship. Obligations are placed on the employer to collect, preserve and interpret copious amounts of information within and around the employment relationship. There are compliance requirements that come with this, and some of these are about to change.

Maintenance and disclosure of such information is where legislation plays a more directive roll. Due to the increased amount of information gathered and/or available, the transformation to digital storage/access of information and the increased use of international/foreign service providers to store information the Minister of Justice introduced a Bill amending the current Privacy Act (1993) on 20 March 2018 set to be introduced in March 2020. The Privacy Commissioner states that “the Bill contains measures to ensure the law addresses some of the most pressing aspects of the modern digital economy”.

Some points which will affect employers from the Amendment Bill include;

• Data minimisation, limiting employers to only gather information that is needed. (Specifically focused on identification information);
• The threshold of notification of a breach to change from "harm" to "serious harm";
• Employers need to report any "serious harm" privacy breaches and are required to notify the people possibly affected as well as the Office of the Privacy Commissioner;
• Failure to notify a privacy breach can incur a maximum penalty of $10,000;
• If an employee (current or former) requests personal information held by a business it must be provided within reasonable time;
• Employers liability increases regarding using foreign service providers. Employers will carry the obligation to ensure their providers are meeting New Zealand privacy laws.
• Human Rights Review Tribunal powers to hold closed hearings to increase;
• The Committee has recommended broadening the “news activity” exemption to include Radio NZ and TVNZ, as well as less traditional publications like blogs and books, provided they are subject to the oversight of an appropriate regulator.

• Educate your staff about the legislation, obligations and consequences;
• Review and/or implement a privacy statement/policy;
• Ensure sufficient/reasonable access to information for employees and/or customers;
• Ensure safe and secure storage and disposal of personal information;
• If you use an overseas-based service provider, like cloud software, ask the provider how they’re meeting New Zealand privacy laws;
• Appoint a privacy officer. Every business should have a privacy officer, according to the Privacy Act. This is someone who has a general understanding of the Act and can deal with privacy issues when they arise.