On 17 March the Justice Minister (Andrew Little) tabled a Supplementary Order Paper for the Privacy Bill, which states that the new Privacy Bill will come into force on 1 November 2020. This provides helpful clarity for agencies about when the new provisions in the Privacy Bill (as we have summarised previously) will begin to apply.
What to do now
Agencies have a little over six months to prepare for the application of the new legislation. In terms of the more material changes in the Privacy Bill, agencies may now want to start considering (to the extent they have not done so already):
- Whether they are subject to the Privacy Bill. To recap our earlier bulletin, the Privacy Bill applies to agencies located off-shore where those agencies are 'carrying on business in New Zealand', regardless of where the relevant information is collected or held and whether or not the agency has a physical presence in New Zealand, charges monetary payment, or makes a profit from its business in New Zealand. This is a very broad scope and is likely to capture a number of agencies that may not previously have been subject to the Privacy Act 1993.
- Whether they have processes and practices in place to identify and report notifiable privacy breaches to the Privacy Commissioner and affected individuals. Under the Privacy Bill, a breach will be notifiable if it is reasonable to believe that breach has caused serious harm to an affected individual(s) or is likely to do so. In determining whether a breach is likely to cause serious harm, agencies must consider any action taken by the agency to reduce the risk of harm following the breach, whether the personal information is sensitive in nature (for example, health records), the nature of harm that may be caused to affected individuals, the person or body that has obtained or may obtain personal information as a result of the breach, whether the information is protected by a security measure (such as encryption) and any other relevant matter.
- If any disclosures they make of personal information to third parties outside of New Zealand are consistent with the new Information Privacy Principle 12. In summary of Information Privacy Principle 12, agencies can now only disclose personal information to a foreign person or entity if that person or entity has been authorised by the relevant individual or the agency otherwise believes on reasonable grounds that the foreign person or entity is subject to the Privacy Bill or privacy laws that, overall, provide comparable safeguards to those in the Privacy Bill.
The Privacy Bill is due to be debated before the Committee of the Whole House. It will then move on to its third reading, followed by Royal Assent. At this stage, we do not anticipate that material changes will be made to the current text of the Privacy Bill.