Tough new measures aimed at uncovering serious privacy breaches have come into force - at the same time as a survey reveals up to three-quarters of New Zealanders are concerned about how businesses handle their personal information.
The Privacy Act 2020 - which comes into force on December 1 - tightens scrutiny on businesses and other organisations by requiring them to report breaches that could cause people serious harm. It also gives the Office of the Privacy Commissioner greater powers to enforce compliance.
Failure to report a breach can attract fines of up to $10,000 and offenders may be liable for criminal charges.
The Privacy Commissioner, John Edwards, says the Act will go a long way towards encouraging businesses to take a closer look at privacy: "It will give them pause to consider their reputations in a competitive market; if they are cavalier in their approach (to privacy) customers can easily switch providers or services."
Edwards says the Act has come at a time when new research shows New Zealanders are becoming more concerned about the security of their personal information.
A survey conducted for the Commissioner by UMR Research earlier this year found 56 per cent of respondents are concerned about personal privacy, while 75 per cent are worried about the sharing of personal information with businesses without permission.
Theft of banking details and security of personal information online were also high on the list of worries while only 15 per cent said they were not concerned about the protection of their personal information.
The survey, which was conducted online and questioned 1398 New Zealanders aged over 18 between March 31 and April 13, found just 18 per cent felt in control of how their personal information is used by business, with 65 per cent saying they want more government regulation.
Edwards says the new law creates an obligation for companies to notify both his office and the individual people who may be affected by a breach if the loss of data has caused serious harm or is likely to do so.
He says this could include the risk of physical harm, identity theft or fraud, humiliation, loss of dignity or damage to a person's reputation - especially if the information contained mental health, medical or disciplinary records – and the risk of the loss of employment or business opportunities.
The Act also requires businesses to take reasonable steps to ensure that personal information being sent overseas will have similar protections to New Zealand. And, unlike the 1993 Privacy Act, it gives the Commissioner power to enforce the law.
The Commissioner will be able to issue compliance notices and to make binding decisions on complaints about access to information. The decisions can be appealed to the Human rights Review Tribunal.
In an address to TechFest 2020 earlier this year Edwards said organisations that had not managed to keep their end of the bargain and keep personal information safe, need to put control back in the hands of the people who are at risk.
In a New Zealand Channel Life report (an online technology news channel) on his TechFest speech, Edwards was quoted as saying: "Privacy is not dead, it is not going anywhere. (It) is not about what you can't tell someone – it's about telling people what you're collecting and what you're going to do with it. It's also about protecting that information."
He urges businesses to get up to speed with the new Act and understand what is happening to personal information they are collecting - especially in cases where companies are innovating: "Business operators need to know how to manage customer and employee information."
He says his office has a considerable range of resources available to help people understand the new Act. This includes e-learning modules, a short animation, fortnightly newsletter, one-page information sheets, podcasts and blog posts. An extensive media and social media campaign has also been launched.
To learn more about the Act and the resources available go to: https://privacy.org.nz/privacy-act-2020/resources/