by Sarah Putt

What CIOs need to know about NZ’s 2020 Privacy Act reforms

Jul 05, 2020

Privacy Commissioner John Edwards explains how CIOs both in New Zealand and abroad can prepare.

While CIOs and legal professionals tend not to speak a common language, they are likely to be having a lot more conversations in preparation for the Privacy Act 2020, which has been passed unanimously by the New Zealand parliament and will come into effect in December 2020.


John Edwards, New Zealand’s privacy commissioner

Privacy Commissioner John Edwards said that one of the reforms in the new act is the mandatory notification of harmful privacy breaches. “CIOs need to be working with compliance officers, legal counsels, audit and risk committees to figure out a way of bringing those matters to the attention of the appropriate people in the organisation. If they get it wrong, there can be fines of $10,000 if they fail to report something that ought to be reported. Reaching out to the other parts of the organisations and putting systems in place to capture not just the reportable matters but the near misses. Those systems will allow CIOs and others to learn from their experiences and make constant improvements which means the likelihood of future breaches will be reduced.”

A risk factor leading to a breach can be the disconnection between the CIOs who are responsible for security and the legal teams in charge of risk and compliance, Edwards said. “They need to find a common language to be able to have conversations that enable each to understand the nature and extent of risks that they encounter.”

What CIOs need to be aware of in the new NZ privacy act

The privacy act ushers in a new information privacy principle which restricts the transfer of personal information overseas. While it won’t affect cloud storage arrangements, it might apply when organisations use third-party platforms that have their own use for that information—for example, using the data for advertising purposes.

“CIOs will need to ensure that is permitted under [the new] information privacy principle 12. That will mean they either arrange model contract clauses with the partner company or they satisfy themselves that the jurisdiction that the information is going to has a comparable level of privacy protection, or they have very explicit informed consent from the individuals,” Edwards said. “They will need to examine their information flows and see what’s going overseas and what the legal basis for that is.”

In addition, overseas companies that are seen to be doing business in New Zealand—regardless of whether they have an office in the country—will be subject to the new Privacy Act.

To help prepare IT professionals for the new reforms there is information on the Privacy Commissioner’s website discussing the changes. It also includes videos explaining basic privacy principles which can be shared across an organisation.

“It’s a really good opportunity, with the passage of the new act, to do a health check and to raise awareness in organisations. I would suggest all CIOs jump onto our website and access the online training tools that we’ve got, like Privacy 101,” Edwards said.

How the NZ Privacy Act compares with Europe’s GDPR

Local organisations that have customers located in the European Union will be familiar with the comprehensive privacy law known as the General Data Protection Regulation (GDPR). So how do the reforms in the 2020 New Zealand Privacy Act compare?

“They don’t go as far and they don’t impose the same level of burden on New Zealand CIOs,” Edwards said. “For example, there’s not the same obligation to provide explainability about automatic decision making; at least it’s not expressed. That concept of algorithmic transparency that CIOs’ European colleagues have to implement is not a feature of the law here.”

Data portability is also not a requirement under the new act. That means that a customer can only request that a company provide them with their own data—there is no obligation for it to transfer the data to another business. So, if a customer decides to switch providers there is no legal requirement for the original provider to send information to the new provider, nor does the original provider have to destroy the former customer’s data after they leave.

“There is more policy work to be done, but I think it [data portability] will occur. Government hasn’t made any decisions on it, but it is something that I recommended in a report to the Minister of Justice in 2017. It’s an important component to, for example, open banking,” Edwards said.

While it has taken 27 years to update New Zealand’s privacy laws, it seems likely that the new act will be reviewed as new technology is introduced. “We do have an undertaking from the Minister of Justice that this will be a rolling process. I mentioned data portability, which is something that will be considered. There are other issues that pop up relating to technology; we may have to see some restrictions on the use of facial recognition technology,” Edwards said.

When asked if there is anything not in the law that he’d like to have seen, Edwards referred Computerworld New Zealand to reports and submissions he’s made over the years. He says he has now switched from “advocacy mode to implementation mode.”

“There are gaps but I now must simply accept that this is what Parliament has delivered and I need to work with that and implement it to the best of ability. I don’t think it would be a very good signal for me to be going out into the community and saying ‘this Privacy Act I’ve got is useless and outdated already’. That would undermine my ability to argue for better privacy compliance and standards and to use the tools I’ve got effectively. I’ve accepted that we’ve had a difference of opinion about the regulatory model but now I need to set about putting it to the best use for most New Zealanders,” Edwards said.

NZ law is a lighter touch than other jurisdictions

Under the 2020 Privacy Act, organisations that fail to follow a compliance notice, or mislead an organisation in some way that affects personal information, may be liable for a fine of up to $10,000.

This appears to be a light-handed censure when compared with the financial penalties dished out overseas for privacy breaches. In the US, the Federal Trade Commission has fined Facebook US$5 billion, while in the UK the Information Commissioner fined British Airways £180 million.

This is why the potential damage to an organisation’s reputation may be a greater concern for those that don’t comply with the new privacy act. “We have a fairly high trust environment [in New Zealand], so the reputational harm of a commissioner declaring a company as non-compliant should be an incentive. That’s what we will work with—that’s the assumption that we will test. Our powers of persuasion, our ability to make findings and to issue compliance notices should be able to give New Zealanders the confidence they need to deal in the digital economy,” Edwards said.

Few Privacy Trust Marks awarded in NZ

Meanwhile the Privacy Trust Marks that were introduced by Edwards in May 2018 to encourage outstanding examples of privacy have only been awarded to five organisations. The most recent awards were announced in June 2020, and were made to contact tracing app Rippl and TICC’s Anti-Money Laundering (AML) Customer Due Diligence Online Forms and AML Online Portal.

While only five have been awarded in two years, there have been 13 applications. Edwards said they may revisit the criteria, which have been focused on awarding products and services that are exemplary when it comes to privacy. “Some jurisdictions in our region are being more open with their trust mark awards and we may have to look at that standard and see if we have set it a bit too high, whether it would be a useful thing to allow a wider range of agencies to signal their commitment to privacy,” Edwards said.