Australia is currently undertaking the Review of the Privacy Act 1988 in order to update our privacy legislation for the complexity of the modern data and privacy landscape.
However, New Zealand legislation regarding privacy has already been through a similar process. On the 1st of December 2020, the Privacy Act 2020 came into force in New Zealand, replacing their previous Privacy Act 1993. This new legislation clarified and codified much that was unclear or implied in the previous legislation. Protections for individuals have been markedly increased under the new rules.
The new legislation also applies to overseas agencies collecting and holding personal information during the course of their business in New Zealand. This makes it relevant to the many Australian organisations that conduct business in New Zealand as well.
Many of the regulations outlined in the Privacy Act 2020 are similar to Australian privacy rules. Some of the changes even reflect a closer alignment than previously: for example, New Zealand has now included new rules for sending personal information overseas, which closely mirror Australia’s Privacy Principle 8 regarding cross-border disclosure of personal information.
But there’s at least one curious divergence in the NZ Act: the scope of privacy breaches that have to be notified is significantly broader.
In Australia, a notifiable data breach occurs if there’s access, disclosure or loss of personal information that is accidental or unauthorised and which can be reasonably expected to cause serious harm. In those circumstances, organisations have to notify both the Office of the Australian Information Commissioner and the affected individuals. However, New Zealand’s Privacy Act 2020 takes the position that even temporary loss of access to personal information is capable of causing sufficient serious harm such that it should be a notifiable breach. They have therefore expanded that scope to include ‘an action that prevents the agency from accessing the information on either a temporary or permanent basis’.
This change has unexpected implications for organisations. Denial of service attacks, and temporary, accidental problems such as local infrastructure failures or unanticipated server downtime, have suddenly become situations in which an organisation may have to report a privacy breach. And Australian businesses operating partially or fully in New Zealand may find themselves required to notify the Office of the Privacy Commissioner when they experience this kind of interruption to the normal processes of business, too.
This will be a change to operations in New Zealand, of course, but even for those of us who don’t operate overseas, New Zealand’s acknowledgement that access to personal information held by various agencies is an important part of daily life for many individuals serves as a reminder. We must make sure our policies and governance frameworks relating to privacy and security are up to date and functioning correctly.
Today’s data privacy landscape is changing rapidly, and it’s important that organisations evolve with it.
A recent ANU report found that, although COVID-19 saw Australians’ trust in organisations’ data privacy practices increase, over 87% of Australians still say that they are concerned their personal information is not being kept secure. Meeting best practice guidelines serves not just to protect you against data privacy compliance failures like unauthorised access and disclosure, but to ensure responsible stewardship and appropriate care is taken on behalf of those to whom the information belongs—and data privacy and security are becoming ever more central to receiving and keeping the trust of your customers. Organisations across the world are forced to pay attention to their customers’ expectations relating to data privacy more and more, a trend that shows no signs of slowing down in the future. As recently as February this year, Forbes came out with a list of businesses taking new steps to prioritise customer data privacy.
As Australia is currently reviewing our own Privacy Act 1988, we are naturally looking to international examples, like Canada’s PIPEDA and the European GDPR, as well as New Zealand’s Privacy Act 2020. It will be interesting to see what changes may emerge from the Australian Review of the Privacy Act 1988, and how they affect our business practices moving forward.
About the Author
Martin Soley is Group General Manager Data Services and has over a decade’s experience across data quality, analytics and related technology in ANZ and abroad. Martin’s strategic insight and expertise drive commercial outcomes for DCA’s varied clients.