Key changes of the new Privacy Act 2020 include:

• Application of the Act: In respect of personal information collected or held, the Act applies to New Zealand agencies and overseas agencies carrying on business in New Zealand. It also applies to individuals who are not ordinarily resident in New Zealand but have collected or held personal information while in New Zealand.
• Reorganisation and tidy up: While many of the provisions under the Privacy Act 1993 replicated in the Act, they have been reorganised and some sections have been amended to resolve issues that have arisen under the Privacy Act 1993. For example, information privacy principle 1 has been clarified in respect of anonymity. If an agency does not require an individual’s identifying information with their personal information, then that agency may not collect identifying information.
• Management of information sent overseas: The Act creates limits and cautions on disclosing personal information outside of New Zealand. Agencies will be required to ensure authorisation for the disclosure of personal information to an offshore entity unless the agency is reasonably satisfied the information is going to a country or environment with comparable privacy safeguards to New Zealand.
• Reporting serious privacy breaches: An agency will be required to notify the Privacy Commissioner as soon as practicable that a notifiable privacy breach has occurred. A notifiable privacy breach is where there has been a privacy breach and it is reasonable to believe this has or is likely to cause serious harm to an affected individual or individuals. This does not apply to personal or domestic matters.
• Access direction: The Privacy Commissioner will be able to direct an agency to provide an individual access to the individual’s personal information in any manner that the Commissioner considers appropriate. If an agency fails to comply with or appeal an access direction, this direction can be enforced in the Human Rights Review Tribunal.
• Grounds for withholding personal information: There are new grounds for withholding personal information on an access request:
  • where the disclosure will create a significant likelihood of serious harassment of an individual; and
  • where the disclosure would include disclosure of information about another person who is a victim of an offence or alleged offence and disclosure would cause significant distress, loss of dignity, or injury to feelings by the disclosure
• Compliance notices: The Privacy Commissioner will be able to issue a compliance notice to an agency if the Commissioner considers there has been a breach of the Act or a Code of Practice. The compliance notice will require the agency to remedy the breach. The Privacy Commissioner will also be able to publish details of any compliance notice issued.
• New criminal offences: The Act creates new criminal offences with the maximum penalty being a fine up to $10,000:
  • misleading an agency in a way that affects someone else’s information; and
  • destroying documents containing personal information after a request.
• Making a complaint: The Privacy Act 1993 provided for any person making a complaint to the Privacy Commissioner. The Act makes it clear any person will be able to make a complaint. This means the Privacy Commissioner will be able to make a complaint of his own initiative.
• Strengthening the Privacy Commissioner’s information gathering power: During an investigation, the Privacy Commissioner will be able to require an agency to provide information, documents or any other thing that is relevant to the investigation within a time period set by the Privacy Commissioner or within 20 working days after the date of receipt of the notice. The penalty for the offence of not complying with a request for information has been increased from $2,000 to a maximum of $10,000.
• Class action: The right to bring a class action before the Human Rights Review Tribunal will be extended to a representative bringing a class action as opposed to just the Proceedings Commissioner having the right to bring a class action.

Subscribers to Human Rights Law on Westlaw NZ can click here for access to the Comparative Table, for section by section comparison between the old (1993) and new (2020) Privacy Acts, along with associated commentary on the new Act.