A sweeping update to our privacy laws comes into effect on December 1 - and Privacy Commissioner John Edwards is encouraging organisations to prepare for its tighter rules ASAP.
The commissioner's office is also offering online tools and backgrounders to help grapple with the new legislation.
A key provision of the new Privacy Act 2020 is mandatory data breach disclosure.
From December 1, any organisation that suffers a data breach that could cause serious harm is required to report it to Edwards' office - or face a fine of up to $10,000.
The commissioner wants people to take a deep breath before picking up the phone.
"If your kindergarten accidentally sends a message to all that reveals your child is gluten-intolerant, I don't want to hear about it," Edwards says.
But what constitutes potential "serious harm"? The Privacy Commissioner has just released a new online tool, NotifyUs, which guides you through a self-assessment Q&A and then, if necessary, through the online process to report a breach.
Another change from December 1: Principle 12 of the new Privacy Act says New Zealanders should expect comparable privacy protections to those they enjoy under New Zealand's Privacy Act when their information is disclosed and used in a foreign jurisdiction (offshore cloud computing services are not counted as a foreign jurisdiction).
A practical way for businesses and organisations to comply with the new principle is to adopt contractual safeguards, Edwards says.
"We recommend that you consider using the model contract clauses developed by my office. The model contract clauses are designed to assist agencies to comply with principle 12 and to reduce the compliance burden for agencies."
The model contract clauses are tailored to the requirements of the Privacy Act 2020 and designed to make it easier to comply with principle 12 – particularly for small and medium-sized businesses. Organisations can modify them to suit their needs or use their own form of contract clauses, so long as the key privacy protections are included.
Privacy Act key reforms
• Mandatory notification of harmful privacy breaches. If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.
• Introduction of compliance orders. The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.
• Binding access determinations. If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.
• Controls on the disclosure of information overseas. Before disclosing New Zealanders' personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.
• New criminal offences. It will be an offence to mislead an organisation or business in a way that affects someone's personal information or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.
• Explicit application to businesses whether or not they have a legal or physical presence in New Zealand. If an international digital platform is carrying on business in New Zealand with New Zealanders' personal information, there will be no question that it is obliged to comply with New Zealand law regardless of where it, or its servers, are based.
The act comes into effect on December 1.