The commissioner wants people to take a deep breath before picking up the phone.
"If your kindergarten accidentally sends a message to all that reveals your child is gluten-intolerant, I don't want to hear about it," Edwards says.
But what does constitute potential "serious harm"? The Privacy Commissioner has just released a new online tool, NotifyUs, which guides you through a self-assessment Q&A then, if necessary, the online process to report a breach.
Another change from December 1: Principle 12 of the new Privacy Act says New Zealanders should expect comparable privacy protections to those they enjoy under New Zealand's Privacy Act when their information is disclosed and used in a foreign jurisdiction (offshore cloud computing services are not counted as a foreign jurisdiction).
A practical way for businesses and organisations to comply with the new principle is to adopt contractual safeguards, Edwards says.
"We recommend that you consider using the model contract clauses developed by my office. The model contract clauses are designed to assist agencies to comply with principle 12 and to reduce the compliance burden for agencies."
The model contract clauses are tailored to the requirements of the Privacy Act 2020 and to make it easier to comply with principle 12 – particularly for small and medium-sized businesses. Organisations can modify them to suit their needs or use their own form of contract clauses, so long as the key privacy protections are included.
Download the model contract clauses for cross-border information transfer here, a step-by-step guide to principle 12 here, and the Commissioner's guide to the broader act here.
Privacy Act key reforms
• Mandatory notification of harmful privacy breaches. If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.
• Introduction of compliance orders. The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.
• Binding access determinations. If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.
• Controls on the disclosure of information overseas. Before disclosing New Zealanders' personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.
• New criminal offences. It will be an offence to mislead an organisation or business in a way that affects someone's personal information or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.
• Explicit application to businesses whether or not they have a legal or physical presence in New Zealand. If an international digital platform is carrying on business in New Zealand with New Zealanders' personal information, there will be no question that it is obliged to comply with New Zealand law regardless of where it, or its servers, are based.
The act comes into effect on December 1.