New Privacy Act - Do you know your obligations?

Published date: 17 May 2021
Subject Matter: Privacy, Compliance, Data Protection
Law Firm: Gibson Sheat Lawyers
Author: Ms Laura Ridenton and Nikki Farrell

The Privacy Act 2020 (Act) came into force on 1 December 2020 and applies to any individuals, businesses, or organisations that collect personal information.

If your business collects information from customers, suppliers or others, you should review your policies and internal procedures to ensure they comply with the obligations under the Act.

Is your "privacy health" up to date?

Businesses should review their procedures and policies in light of the new Act. Below are some questions to help you consider whether you comply with your obligations under the Act.

  1. Do you have a privacy statement, and does it correctly reflect the information you collect?
  2. Have you reviewed your privacy policy?
  3. Do you have a privacy officer? This is now a requirement under the Act.
  4. Do you have sufficient security in place to protect the personal information you collect?
  5. Have you reviewed your contracts with suppliers and businesses who process your information? Have you incorporated breach notification obligations?
  6. If you provide information overseas, do you have agreements with the organisation receiving the information?
  7. Do you have internal procedures and a data breach response plan in place?
  8. Do you provide training to your staff on privacy and reporting breaches?

If these questions make you question your privacy policies or you would like advice on the Privacy Act, please contact one of Gibson Sheat's Privacy experts:

Laura Ridenton, P 04 916 7476
Nikki Farrell, P 04 916 6458

Key changes

The key changes to the Act are:

  1. Mandatory privacy breach notification obligations: You have to notify the Privacy Commissioner and any affected individuals if there has been a privacy breach.
  2. What is a privacy breach?

    A privacy breach is notifiable if it is reasonable to believe it has caused (or is likely to cause) serious harm to an affected individual. A breach may be:

    • A confidentiality breach - unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information. Common examples include sending an email to the wrong person, a laptop or paper records containing customers' data being lost or stolen, staff improperly accessing customer information, or disclosing information inappropriately.
    • Availability breach - you are prevented from accessing information. This may be a cyber-attack.

    What is "serious harm"?

    Harm may be specific damage (financial loss, loss of employment, physical injury), loss of benefits (any adverse effect on the...
