Privacy & Data
Building Trust
The Privacy Act applies to any organisation or business that collects, stores or uses personal information about employees and/or customers.
This includes:
- government departments
- companies
- small businesses
- social clubs
- other types of organisations
The Act includes privacy principles that guide how personal information can be collected, used, stored and disclosed.
Key Points
Did you know that data is a valuable asset? Did you also know that you own your personal data, and that companies that use it are merely custodians of your asset? This brings with it responsibilities to protect your data from unauthorized use or misuse.
Personal information is any information that can identify you as an individual. Be careful even with so-called anonymized data: if you are the only French octogenarian living in the Chatham Islands (population of 690 in 2019, NZ Stats), it may still be obvious who you are.
There are multiple pieces of legislation around the world relating to data privacy. If you are dealing with offshore companies, you may need to ensure that you are aware of other regulatory jurisdictions, not just New Zealand's Privacy Law.
One of the major pieces of offshore legislation, and the one that others (including New Zealand) have aligned to, is the General Data Protection Regulation (GDPR), published in 2018 by the European Union. It relates to the data of persons within Europe, or to their data being transferred out of European jurisdiction. If you are dealing with companies that have a European presence, you will need to consider the traceability and usage of your data (even that of third parties that you integrate with), as there is a requirement for Data Protection Officers to maintain and report changes to a Data Register, which records the category, purpose and usage of all data elements. For more information, my go-to is the comprehensive version of GDPR published by Intersoft Consulting; see the GDPR link below.
In New Zealand the Privacy Act was published in 2020 and relates to the use of personal information of New Zealanders. Whilst similar to the GDPR legislation, it does not have some of the tighter constraints such as a data register, focusing more on practical protection of personal information. Companies are required to understand the lifecycle of the data and its usage and ensure that it is protected from unauthorized use.
For more information, see the summary of the Privacy Act's 13 key principles below, or go directly to the legislation via the PRIVACY link below.
The Privacy Act 2020
The Privacy Act has 13 information privacy principles which set out how your organisation should handle personal information.
Collecting personal information
1. You can only collect personal information if it is necessary for a lawful purpose. Personal information can be any information that can identify you as an individual, such as:
- your name
- your address
- a picture of your face
- a record of your opinion and views
- employment information
- health records
- financial information
2. Personal information should only be collected from the person the information belongs to (note: special conditions relate to children; check the regulation for details).
- Personal information can be collected from other sources with that person's permission.
3. When you collect information, ensure that the person understands:
- why it is being taken
- how it will be used
- whether the collection is mandatory or optional
- what will happen if they do not provide the information
4. Information can only be collected in lawful, fair and non-intrusive ways.
Holding personal information
5. You are responsible for the security and accessibility of personal data that you collect.
6. People have the right to ask you for access to their personal information. You must reply within a reasonable period unless doing so would:
- endanger someone's safety
- prevent detection or investigation of a crime
- breach someone else's privacy
7. People have the right to ask you to correct their personal information if they think it is incorrect.
Using or sharing personal information
8. Before using or disclosing personal information you must be assured that it is accurate, complete, relevant and not misleading.
9. You must not keep personal information once it is no longer needed.
- When disposing of information, do so securely so that no one can retrieve it:
  - remove names, addresses and birthdays from documents before you dispose of them
  - use shredders and secure destruction services
  - wipe hard drives from machines – including photocopiers – before you sell or decommission them
  - delete back-up files as well as originals
10. You can only use personal information for the purpose for which you collected it, unless:
- you have permission to do so, or
- you are requested to do so to uphold or enforce the law
11. You may only disclose personal information in limited circumstances:
- the disclosure is the purpose of collecting the information
- the person authorized the disclosure
- the information is used anonymously
- disclosure is necessary to avoid endangering someone's health and safety
- disclosure is necessary to uphold or enforce the law
12. You may only disclose personal information to another organisation outside New Zealand if the receiving organisation:
- is subject to the Privacy Act because they do business in New Zealand
- is subject to privacy laws that provide comparable safeguards to the Privacy Act
- agrees to adequately protect the information
- is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government
13. A business or organisation may only use a unique identifier (such as a driver's license number) where it is necessary. They must take reasonable steps to protect unique identifiers from misuse.
Information replicated from: Privacy.org.nz. 2021. Your Privacy responsibilities. [online] Available at: <https://privacy.org.nz/responsibilities/your-obligations/collecting/> [Accessed 21 March 2021].
Want more help?
Take a look at the links below, or contact those who can help for more support with managing your privacy obligations.
Privacy Act 2020
New Zealand Legislation document
For the latest updates to the Privacy Act, please refer to the authoritative source published on the New Zealand Government legislation website.
WHO CAN YOU CALL?
Fiona Hall
Barrister and Solicitor
Specialising in Consumer Credit Law, AML/CFT & Privacy Law
Fiona brings the knowledge gained as a member of the leadership teams in the businesses she has advised together with her experience working for a regulator enforcing consumer legislation, to offer comprehensive advice in her areas of expertise. In particular, Fiona recognizes the impact and significance that regulatory compliance obligations can have on a business and the need for robust yet commercially sustainable processes to meet them. In addition to advising on how to meet these obligations, Fiona can also advise when businesses are facing regulatory enforcement action.
NOTE: Whilst agreeing to be a published contact, Fiona does not endorse the content of this site, or the products of suppliers referenced.
Mark & Caroline Carver
TwoBlackLabs
Privacy Operations Specialists
TwoBlackLabs' team consists of experienced privacy experts who have a myriad of skills from legal, architecture and design, project management to risk analysis and management.
Caroline specialises in providing both privacy and data protection consultancy. She is a leading expert in the European Union's General Data Protection Regulation (GDPR).
Mark specialises in privacy engineering and operations disciplines, privacy design and architecture (“Privacy by Design”) as well as technology-based privacy engagements, in particular cloud-based ‘as a service’ solutions.