
Getting Ready for the New Zealand Privacy Act 2020

Nov 29, 2020

by John Martin, CISSP, Senior Security Architect, IBM New Zealand

Are you ready for the New Zealand Privacy Act 2020 to come into effect on 1st December 2020? There’s a lot to consider as the clock ticks down and your organisation’s ability to comply is critical if you want to avoid some of the hefty fines involved.

As you align your security strategy with your business, here are some key areas to consider as you prepare:

Reporting privacy breaches immediately

It will be mandatory for businesses to immediately report serious privacy breaches, particularly where a data breach poses a risk of harm; for example, when leaked personal information is used in identity theft or accidentally published online.

The cost of a data breach, and the time it takes to identify and contain one, can both be reduced with a combination of risk assessment, the right security solutions and processes, and partnership with a security provider that can reduce complexity.

If you’re unsure whether a breach has been committed by your organisation, the Office of the Privacy Commissioner (OPC) has launched NotifyUs. This online tool enables businesses and organisations to assess whether notification of a breach is required.

Who does the new Privacy Act affect?

The new Act will affect all organisations that collect, store and use personal information about their employees and/or customers. This means if someone requests personal information held by a business, the business cannot destroy the information to avoid providing it. The Privacy Commissioner can issue compliance notices to require an organisation to do something or stop doing something. The penalty for not doing so may range from NZ $2,000 to $10,000. 

Complaints to the Human Rights Tribunal

An NZ $10,000 fine could on the face of it appear relatively low, but there is a sting in the tail. The Office of the Privacy Commissioner can make an official complaint to the Human Rights Tribunal, which may take a bit longer to go to court and be heard. But this has a maximum penalty of NZ $230,000 and all the publicity that will go with it.

Overseas organisations

Overseas organisations are also affected if they do business within New Zealand, so if you’re using service providers based overseas, it is your responsibility to ensure they are meeting New Zealand privacy law. This includes businesses such as Microsoft, AWS, Google and many others. This is similar to the European Union’s General Data Protection Regulation, or GDPR.

Appointing a privacy officer

You will need to appoint at least one privacy officer, who is required to have a general understanding of the Act and deal with issues as they arise. The Privacy Commissioner outlines the role requirements as:

  • “be familiar with the privacy principles in the Privacy Act
  • work to make sure the organisation complies with the Privacy Act
  • deal with any complaints from the organisation’s clients about possible privacy breaches
  • deal with requests for access to personal information, or correction of personal information
  • act as the organisation’s liaison with the Office of the Privacy Commissioner.”

Data versus information

There are some interesting aspects within this new Privacy Act; for instance, it does not talk about “data” but refers instead to “information”. There was an interesting High Court case in New Zealand, which stated that information is not confined to the written word, but embraces any knowledge however gained or held and, in some circumstances, can extend to the information contained in the mind of an individual.

It will also be an offence to mislead an agency in a way that affects someone else’s information and to destroy documents containing personal information if a request has been made for it.

Make sure you’re prepared

Remember the Privacy Act affects all organisations that collect, store and use personal information about their employees and/or customers. 

My advice for those who are not sure how to comply with the New Zealand Privacy Act 2020 is to make sure you:

It pays to be prepared.

Building a custom security plan that is both industry-specific and aligned to your security maturity demands a partner with the expertise and resources to help you as you navigate the new privacy act.

You must put in place appropriate controls to protect your data, wherever it exists and all the information that you use to run your organisation.
