New Privacy Bill
General / 25 June 2018
The Privacy Act 1993 (Act) establishes information privacy principles setting out how agencies may collect, store, use and disclose personal information. Employers are “agents” under the Act and must meet its requirements in dealing with employees’ “personal information”.
Parliament is considering a new Privacy Bill (Bill), which proposes to impose more substantive fines, give greater power to the Privacy Commissioner (Commissioner) and introduce a requirement to report any privacy breaches.
Summary of key changes
The key changes include:
mandatory reporting of privacy breaches, to the Commissioner and to affected individuals, if the breach risks causing, or has caused, harm;
the Commissioner will be able to issue enforceable compliance notices requiring agencies to comply with the Act;
further controls on cross-border data flow, including requiring agencies to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. This will apply, for example, where an agency holds data offshore, or discloses data to related entities based outside of New Zealand;
the introduction of offences under the Act for failure to comply with notification requirements, or a range of other obligations, including, for example, knowingly destroying documents containing personal information requested;
the ability for the Commissioner to decide whether access requests should be granted;
strengthening the Commissioner’s information-gathering power, with shorter timeframes for compliance and increased penalties for non-compliance.
What does this mean for employers?