Instead of being afraid of the new Privacy Act 2020 in New Zealand, we should see it as an opportunity to protect businesses and organisations. The implications of the new Act are also not limited to New Zealand: it serves as a reminder to be compliant in international markets as well.
Privacy regulations worldwide are all based on the same ideal of collecting and securing appropriate personal and sensitive data correctly. This means, for a little extra effort, you can also become compliant with regulation in other territories, such as:
- General Data Protection Regulation (GDPR). This European data privacy and security law applies to a market of 446 million people. In the first 20 months of the law, non-compliance cost hundreds of companies more than €114 million in fines.
- Health Insurance Portability and Accountability Act (HIPAA). This US standard is designed to protect sensitive patient data in a market of 328 million people. Non-compliance costs companies an average penalty of US$1.2 million per violation.
- California Consumer Privacy Act of 2018 (CCPA). Another US-centric law that protects consumers' rights over their personal data. Penalties range from $2,500 for a non-intentional violation to $7,500 for an intentional one.
All the above could be addressed when making your company compliant with the new NZ Privacy Act.
The new Act came into effect on 1 December 2020, and some changes it introduced include:
- New privacy breach notification regime. If a privacy breach has caused (or is likely to cause) serious harm, the company must notify the Office of the Privacy Commissioner and affected individuals as soon as possible.
- Compliance notices. The Privacy Commissioner can issue compliance notices to organisations to require them to do, or stop doing, something.
- Enforceable access directions. The Privacy Commissioner can direct organisations to provide individuals with access to their personal information in line with principle 6.
- Disclosing information overseas. New principle 12 to regulate the way personal information can be sent overseas.
- The extraterritorial effect. Any overseas organisation that is “carrying on business” in New Zealand will be subject to the Act’s privacy obligations.
- New criminal offences. A fine of up to $10,000 for a person who impersonates or misleads someone in order to access information they are not entitled to see, or for an organisation that destroys data after a request to access it has been made.
- Principle 1 change. Organisations can now only collect identifying information if it is necessary.
As you can see, the new Act has more enforceable actions and fines. This means organisations need to review their current privacy policies and data collection processes to ensure compliance.
What you should be doing now
Although the new Act provides some worthwhile guidelines to follow, there are good privacy practices you should be following anyway because they are the right thing to do:
People and organisations own their data!
It is important to remember you are just a custodian of private information. It is not yours to sell or pass on without explicit permission from the person or organisation.
What personal information are you holding?
Part 3, Principle 1 of the Privacy Act clearly states you can only collect personal information for a lawful purpose where that data is needed to fulfill that purpose. Collecting or holding personal or organisational data that is not required is not allowed.
Data classification, storage, and access control
To keep data safe, you must classify all data to ensure correct handling and storage.
ISC2 defines four classes of data:

| Governmental classification | Non-governmental classification | Potential damage |
|---|---|---|
| Top Secret | Confidential / Proprietary | Exceptionally grave damage |
| Secret | Private | Serious damage |
| Confidential | Sensitive | Damage |
| Public | Public | No damage |
For each data classification above there should be a policy for:
- Where data can be stored. Given that a lot of data is in the cloud, do you have to host it in New Zealand, or can it be anywhere in the world?
- Where it can be used.
- Security and access controls. Who can see the data?
- Whether audit trails are needed to record who accessed the data, from where and when.
By classifying the data and setting a policy for each class, you can protect your organisation from unintended breaches of the Privacy Act.
What data do you not retain?
There is a difference in what you need to have to onboard a customer versus maintaining a relationship with them. Some considerations are:
- Do you need to retain ID documents and other sensitive data to identify the person/organisation and onboard them?
- Do you need to keep personal or sensitive data related to maintenance of the relationship?
- Do you need to retain data for past customers and employees?
If you do not need it, then the best practice is to purge it.
Retention period of data
As per the point above, all personal data and other organisations' data need a prescribed retention period. When you assess and classify the data you hold, a good practice is to set a retention period based on how long you actually need it. Holding any data longer than needed makes any breach worse than it needs to be.
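The per-class policy and retention review described above, as an added example (not from the original article): each of the four non-governmental classes in the table gets an allowed hosting region, a reader list and a retention period, and every record is checked against them. The regions, roles, retention periods and sample records are constructed assumptions for illustration, not values prescribed by the Act.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy for the four non-governmental classes in the table above; the regions,
# retention periods and reader roles are illustrative assumptions, not requirements of the Act.
POLICY = {
    "Confidential / Proprietary": {"regions": {"NZ"}, "retention_days": 365, "readers": {"privacy-officer"}},
    "Private": {"regions": {"NZ", "AU"}, "retention_days": 730, "readers": {"privacy-officer", "account-manager"}},
    "Sensitive": {"regions": {"NZ", "AU", "EU"}, "retention_days": 1095, "readers": {"privacy-officer", "account-manager", "support"}},
    "Public": {"regions": None, "retention_days": None, "readers": None},  # unrestricted, no audit trail
}

@dataclass
class Record:
    record_id: str
    classification: str
    region: str                    # where the record is hosted
    purpose_ended: Optional[date]  # date the business purpose ended; None = still needed

def review_record(rec: Record, today: date) -> list:
    """Return policy findings for one record; an empty list means it is compliant."""
    pol = POLICY[rec.classification]
    findings = []
    if pol["regions"] is not None and rec.region not in pol["regions"]:
        findings.append(f"hosted in {rec.region}; allowed {sorted(pol['regions'])}")
    if rec.purpose_ended is not None and pol["retention_days"] is not None:
        if today > rec.purpose_ended + timedelta(days=pol["retention_days"]):
            findings.append("retention period expired; purge")
    return findings

AUDIT_LOG = []  # (date, role, record id, decision) for every access to a restricted class

def access(rec: Record, role: str, today: date) -> bool:
    """Allow or deny a read by role, logging it where the class has an access restriction."""
    readers = POLICY[rec.classification]["readers"]
    allowed = readers is None or role in readers
    if readers is not None:
        AUDIT_LOG.append((today.isoformat(), role, rec.record_id, "allow" if allowed else "deny"))
    return allowed

# Constructed sample data set
TODAY = date(2023, 6, 1)
RECORDS = [
    Record("cust-001", "Private", "NZ", date(2021, 1, 1)),         # ex-customer, retention expired
    Record("ids-002", "Confidential / Proprietary", "US", None),   # ID documents hosted outside NZ
    Record("brochure-003", "Public", "US", date(2019, 1, 1)),      # public, no restrictions apply
    Record("ticket-004", "Sensitive", "EU", date(2023, 1, 1)),     # within retention, allowed region
]
```

Running `review_record` over each entry in `RECORDS` flags the expired ex-customer record for purging and the ID documents hosted outside the allowed region, while the public and in-period records come back clean.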
Act upon your privacy
As the GDPR and HIPAA examples above demonstrate, ignorance is not a defence in the eyes of the law. Regulators are not shy about using their powers and available enforcement options to ensure compliance.
With the new Privacy Act enacted, the time to act is now. If you are not sure where to start, begin by going through your datasets and identifying anything that might be non-compliant with the new Privacy Act.
Good housekeeping practices, however, are no substitute for professional guidance and advice. Find out how our security expertise can help you prepare for the new Privacy Act and any other new regulation that may come along.