Privacy Act 2020 - In force as of 1 December

The new Privacy Act is in effect as of 1 December 2020.

This overhauls New Zealand's existing privacy law to address the privacy issues raised by technology platforms and the ever-increasing volume of personal information stored digitally.
We recommend that you review the Act and seek advice on how it affects your business.

The full Act can be reviewed here. A summary of essential resources which may assist is available here.
We have put together some guidelines covering the information security aspects of the Act, the new requirement to notify the Privacy Commissioner of a harmful privacy breach, and the services we can provide to help you meet the requirements the Act sets out.

Notifiable Privacy Breaches

One change for businesses to be aware of is that the new Act requires you to notify the Privacy Commissioner as soon as practicable after becoming aware of a notifiable privacy breach (a breach that has caused, or is likely to cause, serious harm). Failing to notify without reasonable excuse is an offence carrying a fine of up to $10,000.
The Privacy Commissioner's office has set out the process, actions and response expected when responding to a breach here:

Office of the Privacy Commissioner | Responding to privacy breaches

Information Storage - Cloud based solutions and providers

The Act also introduces a new information privacy principle (IPP 12) that restricts the disclosure of personal information to a person or agency outside New Zealand. These controls are comparable to the requirements in the equivalent legislation in Australia and Europe.
We are happy to help with assessing any existing platforms in production to ensure they meet these new controls.


Recommendations

Breach Detection and Response

The Act expects businesses to have processes and systems in place to detect and respond to breaches.
We recommend developing effective procedures to detect, report and investigate a personal data breach, so that your business has a plan in place and can meet its reporting obligations without undue delay if a notifiable breach occurs.

  • Third party/external breaches - Think Concepts can provide real-time notification of third party breaches, and of your credentials being traded on the dark web. Read more about this product here.


  • Internal systems - These are systems you run yourself, on any technology you operate in house or in the cloud, where the system is under your or your IT department's direct control.

    It is important to conduct a gap analysis to determine which systems have mechanisms in place to detect that a breach has occurred and which do not. From there, detection and alerting can be put in place so that appropriate notifications are raised.

Prevention

Preventing a breach is the best approach to securing your staff's and clients' personal information.
We recommend taking the following actions to ensure your cyber security posture is as good as it can be.

  • Regular Security Assessments

  • Policy and procedure reviews

  • Security audits

  • Implementing multi-factor authentication wherever possible

  • Ongoing staff training - cyber security awareness

Disclaimer: The above is informational only and is not intended as legal advice. For legal advice please contact a qualified legal professional.