What are the key changes in the new Privacy Act?

The Privacy Act 2020 came into force on 1 December 2020. Changes to the law will enhance the role of the Privacy Commissioner. The key features are:

• Requirements to report privacy breaches: If organisations have a privacy breach that poses a risk of serious harm, it must notify the Commissioner and the people affected (unless an exception applies).
• Compliance notices: The Commissioner can issue compliance notices to require an organisation to do something, or stop doing something, to comply with the Privacy Act.
• Decisions on access requests: The Commissioner can make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.
• Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by acceptable privacy standards. 
• New criminal offences: It will be an offence to mislead an organisation in a way that affects someone else’s personal information, and to destroy documents containing personal information if a request has been made for it. The penalty is a fine up to $10,000. It will be an offence to fail to notify the Commissioner of a serious privacy breach, or to fail to comply with an enforceable compliance notice.
• Extraterritoriality: An overseas agency will be treated as “carrying on business in New Zealand” even if it does not have a physical place of business here (for instance, if it charges any monetary payment for goods or services or makes a profit from its business in New Zealand).

Find out more about the Privacy Act 2020 here.