While CIOs and legal professionals tend not to speak a common language, they are likely to be having a lot more conversations in preparation for the Privacy Act 2020, which has been passed unanimously by the New Zealand parliament and will come into effect in December 2020.

[Image: John Edwards, New Zealand’s privacy commissioner. Credit: Office of the Privacy Commissioner]

Privacy Commissioner John Edwards said that one of the reforms in the new act is the mandatory notification of harmful privacy breaches. “CIOs need to be working with compliance officers, legal counsels, audit and risk committees to figure out a way of bringing those matters to the attention of the appropriate people in the organisation. If they get it wrong, there can be fines of $10,000 if they fail to report something that ought to be reported. Reaching out to the other parts of the organisation and putting systems in place to capture not just the reportable matters but the near misses. Those systems will allow CIOs and others to learn from their experiences and make constant improvements, which means the likelihood of future breaches will be reduced.”

A risk factor leading to a breach can be the disconnection between the CIOs who are responsible for security and the legal teams in charge of risk and compliance, Edwards said. “They need to find a common language to be able to have conversations that enable each to understand the nature and extent of risks that they encounter.”

What CIOs need to be aware of in the new NZ privacy act

The privacy act ushers in a new information privacy principle which restricts the transfer of personal information overseas. While it won’t affect cloud storage arrangements, it might apply when organisations use third-party platforms that have their own use for that information—for example, using the data for advertising purposes.

“CIOs will need to ensure that is permitted under [the new] information privacy principle 12. That will mean they either arrange model contract clauses with the partner company or they satisfy themselves that the jurisdiction that the information is going to has a comparable level of privacy protection, or they have very explicit informed consent from the individuals,” Edwards said. “They will need to examine their information flows and see what’s going overseas and what the legal basis for that is.”

In addition, overseas companies that are seen to be doing business in New Zealand—regardless of whether they have an office in the country—will be subject to the new Privacy Act.

To help prepare IT professionals for the new reforms, there is information on the Privacy Commissioner’s website discussing the changes. It also includes videos explaining basic privacy principles which can be shared across an organisation.

“It’s a really good opportunity, with the passage of the new act, to do a health check to raise awareness in organisations. I would suggest all CIOs jump onto our website and access the online training tools that we’ve got, like Privacy 101,” Edwards said.

How the NZ Privacy Act compares with Europe’s GDPR

Local organisations that have customers located in the European Union will be familiar with the comprehensive privacy law known as the General Data Protection Regulation (GDPR). So how do the reforms in the 2020 New Zealand Privacy Act compare?

“They don’t go as far and they don’t impose the same level of burden on New Zealand CIOs,” Edwards said. “For example, there’s not the same obligation to provide explainability about automatic decision making; at least it’s not expressed. That concept of algorithmic transparency that CIOs’ European colleagues have to implement is not a feature of the law here.”

Data portability is also not a requirement under the new act. That means that a customer can only request that a company provide them with their own data—there is no obligation for it to transfer the data to another business. So, if a customer decides to switch providers, there is no legal requirement for the original provider to send information to the new provider, nor does the original provider have to destroy the former customer’s data after they leave.

“There is more policy work to be done, but I think it [data portability] will occur. Government hasn’t made any decisions on it, but it is something that I recommended in a report to the Minister of Justice in 2017. It’s an important component to, for example, open banking,” Edwards said.

While it has taken 27 years to update New Zealand’s privacy laws, it seems likely that the new act will be reviewed as new technology is introduced. “We do have an undertaking from the Minister of Justice that this will be a rolling process. I mentioned data portability, which is something that will be considered. There are other issues that pop up relating to technology; we may have to see some restrictions on the use of facial recognition technology,” Edwards said.

When asked if there is anything not in the law that he’d like to have seen, Edwards referred Computerworld New Zealand to reports and submissions he’s made over the years. He says he has now switched from “advocacy mode to implementation mode.”

“There are gaps, but I now must simply accept that this is what Parliament has delivered and I need to work with that and implement it to the best of my ability. I don’t think it would be a very good signal for me to be going out into the community and saying ‘this Privacy Act I’ve got is useless and outdated already’. That would undermine my ability to argue for better privacy compliance and standards and to use the tools I’ve got effectively. I’ve accepted that we’ve had a difference of opinion about the regulatory model, but now I need to set about putting it to the best use for most New Zealanders,” Edwards said.

NZ law is a lighter touch than other jurisdictions

Under the 2020 Privacy Act, organisations that fail to follow a compliance notice, or mislead an organisation in some way that affects personal information, may be liable for a fine of up to $10,000.

This appears to be a light-handed censure when compared with the financial penalties dished out overseas for privacy breaches. In the US, the Federal Trade Commission has fined Facebook US$5 billion, while in the UK the Information Commissioner fined British Airways £180 million.

That is why the potential damage to an organisation’s reputation may be a greater concern for those that don’t comply with the new privacy act. “We have a fairly high trust environment [in New Zealand], so the reputational harm of a commissioner declaring a company as non-compliant should be an incentive. That’s what we will work with—that’s the assumption that we will test. Our powers of persuasion, our ability to make findings and to issue compliance notices should be able to give New Zealanders the confidence they need to deal in the digital economy,” Edwards said.

Few Privacy Trust Marks awarded in NZ

Meanwhile, the Privacy Trust Marks, introduced by Edwards in May 2018 to encourage outstanding examples of privacy practice, have been awarded to only five organisations. The most recent awards were announced in June 2020, and were made to contact tracing app Rippl and TICC’s Anti-Money Laundering (AML) Customer Due Diligence Online Forms and AML Online Portal.

While only five have been awarded in two years, there have been 13 applications. Edwards said they may revisit the criteria, which have been focussed on awarding products and services that are exemplary when it comes to privacy. “Some jurisdictions in our region are being more open with their trust mark awards and we may have to look at that standard and see if we have set it a bit too high, whether it would be a useful thing to allow a wider range of agencies to signal their commitment to privacy,” Edwards said.