With the new Privacy Act around the corner for New Zealand, what are some of the top things you need to be aware of?
65% of New Zealanders are concerned to a significant extent about their individual privacy. Of those, 80% are concerned about the security of their personal information on the internet and 78% are concerned about businesses sharing people's information without permission. We are required to be diligent and upfront about how we care for the data we collect and store. *1
When you collect and make decisions about data, regardless of the size of your organisation, you become the controller of that data and therefore have obligations to adhere to the Privacy Act. This post highlights the most obvious points that we all should be considering.
1. Only Collect What You Need
It is vital to consider each piece of data you collect to determine if you actually need to collect it. For example, do you really need a person's gender, or the fact that they volunteered with another organisation at some point? Remember that you are responsible for each new piece of data you collect.
2. Tell People What You Are Doing
At the point of collection, be that electronically on a form or verbally, you need to be clear with the owner of that information about why you are collecting it and how and where you are storing it. It's most important to be upfront about how you are going to use it. This may be sending a regular newsletter, or more complex purposes such as providing care for their needs whilst they are part of your community.
3. Store It Securely
This is primarily your software provider's problem if you use a provider such as infoodle, but you have a responsibility to take precautions too, such as keeping your password safe and using two-factor authentication (or multi-factor authentication) *3 in case your login details have been compromised in some way. If you use desktop solutions such as Excel, you are totally responsible.
4. Give People Access To What You Hold
This for the most part is OK - you have no reason to withhold this information from the data owner - but it's an important consideration if you hold more personal information such as counselling notes or any personal preferences. There are some caveats in the law which can be used to get around disclosing this data, but it's not clear cut enough to be confident of those caveats. It's also a reminder not to ‘derive’ information from other sources; it's always best to get it directly from the person themselves.
5. Make Sure It Is Accurate
This is in your interest as well!
6. Use It For The Reason You Obtained It
This refers back to the ‘collecting’ information step too. If you tell people you only collected their data to send them a newsletter - don't send them anything else!
7. Make Sure You Have One!
In particular, for every data collection exercise you do, you need to consider the Privacy Act - and having a point person who has knowledge of and takes responsibility for compliance is really helpful.
Changes working through Parliament and scheduled for 1st March 2020 currently seem to be nothing too onerous. Most of the clause changes seem to be ‘beefing up’ the powers, fines and Commissioner's powers. Perhaps the most notable strengthening is around sharing data with overseas agencies.
New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by acceptable privacy standards. The Bill also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws.
Many services used by New Zealand companies are performed by overseas agencies; it's an important compliance check that must be done by your Privacy Officer!
As a footnote - this represents our reading of the legislation - but we are not lawyers! Please undertake your own review and get legal advice where necessary - but regardless - we all need to take data privacy seriously!