New Zealand Privacy Act 2020
Sep 23, 2024

New Zealand Privacy Act 2020

New privacy laws are in force across New Zealand. They affect all organisations, including those based overseas that are doing business in the country. If you’re in charge of your organisation’s data, find out about the changes and how you can safeguard personal information compliantly.

Background

In 2020, the New Zealand Government strengthened citizens’ privacy protections by introducing the Privacy Act 2020, which repealed and replaced the Privacy Act 1993. The purpose of the new Act is:

“to promote and protect individual privacy by—

“(a)   providing a framework for protecting an individual’s right to privacy of personal  information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken into account; and
“(b)   giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights.”

What the Act means for businesses

It’s now more important than ever to protect personal information. Businesses must report serious privacy breaches immediately, both to individuals affected and to the Privacy Commissioner. A serious breach is one that causes, or is likely to cause, serious harm to those individuals – for example, when personal information is leaked and used in an identity theft or is published online by accident.

It’s an offence not to report a serious breach, and you can be fined up to $10,000. While that might not seem like much, be warned: the Office of the Privacy Commissioner can lodge an official complaint to the Human Rights Tribunal, with your organisation needing to pay a maximum penalty of $230,000 and suffering negative publicity that could impact your reputation.

Who the Act affects

The new rules apply to any New Zealand-based organisations that collect, store and use personal information about their employees and/or customers. The Act also affects overseas organisations that conduct business or collect data relating to New Zealand citizens, including Google, Microsoft, AWS, and other cloud computing providers.

Suffered a breach?

If your business experiences a data breach, check whether or not you need to inform The Office of the Privacy Commissioner (OPC) here: NotifyUs.

How to ensure compliance

It’s important for your organisation to have:

  • A privacy policy
  • A privacy officer
  • A way to assess a breach and decide whether it’s serious enough for individuals affected and the Privacy Commissioner to be informed
  • A plan for dealing with privacy breaches that includes responsibilities and that lists steps to be taken to investigate, contain, publicly respond to and remedy breaches.

Your privacy officer should know what data your organisation collects, how it’s used, and which third parties (e.g. cloud service providers) hold it and where.

Most important, though, is to ensure the personal information of your employees, customers and suppliers is stored securely, in a way that complies with the Privacy Act.

Importance of compliant email archiving

Emails contain employee data, ranging from CVs and contact details to performance reviews, plus customer and supplier correspondence including personal details.  Your business probably has a number of years’ worth of email containing a lot of personal information.

So, it’s crucial to make sure your archiving solution can store this data securely.

This is where Cryoserver can help. Our email archiving solution, which is used by many businesses in New Zealand, is designed to meet any standard of privacy compliance in the world (as our parent company’s name promises: Forensic & Compliance Systems).

We already keep organisations across Europe compliant with the stringent General Data Protection Regulation (GDPR), and we can do the same for yours.

How Cryoserver can help you

Our solution stores copies of every email and attachment sent or received in a secure, tamper-evident, encrypted archive. So, if your business experiences a data loss or a cyber-attack with your Office 365 or on-premise mail server, all your email is protected. Also, you control access to all emails stored in the archive.

Subject Access Requests

Under the Privacy Act, individuals have the right to request a copy of all the data your organisation holds on them via a Subject Access Request (SAR). Cryoserver has been helping both public sector organisations and private companies fulfil such requests for over 15 years. Our search tool enables authorised employees to retrieve the information needed quickly – in milliseconds – and securely.

Privacy by design

When we developed Cryoserver, key considerations were the privacy and rights of end users. This is our “Privacy by design” philosophy, which is at the core of the solution. It leads to enhanced privacy options for organisations and individual employees. It enables role-based access to archived emails, audit trails at all levels, and preservation of audit trails – all overseen by employees you assign to be your archive custodians or what we call “Data Guardians”. The unalterable nature of Cryoserver creates an evidential repository, which is admissible in court. The software is designed to protect your employees’ human rights.

To see how Cryoserver can help your business comply with the Privacy Act  – on top of being a handy productivity tool for everyday business – book a demo or email us.