Over the last 18 months, we have seen a deluge of high-profile privacy breaches in New Zealand. In this article, Mark Hargreaves and Belinda Sidnam explain what New Zealand's Privacy Act is all about, and what your business should be aware of.
The breaches include:
- ACC emailing the confidential information of over 6000 people to Bronwyn Pullar, including information about the victims of sexual abuse
- blogger Keith Ng accessing personal information about WINZ clients from public kiosks provided by the Ministry of Social Development
- EQC emailing the details of about 80,000 claimants to the wrong person, and following up with a second email to another wrong person that same week, this time containing the personal information of 2000 people
- employees from the West Coast and South Canterbury District Health Boards accessing Jesse Ryder's medical records while he recovered from an assault. Those employees had no involvement in his care or treatment.
The opposition pounced. The media had a field day - actually many field days. Complaints were made to the Privacy Commissioner and others. Reviews, reports and recommendations were commissioned left and right, from inside the government and externally. A CEO and chief executive fell on their swords, and a government minister resigned in the fall out.
Privacy is not just a public sector issue
"So what?" you might say. "These are government bodies, and I'm in business. This is a public sector issue. The Privacy Act doesn't apply to me."
Wrong. The Privacy Act applies to all "agencies". "Agency" is expressly defined to cover both private and public sector organisations. It covers companies and other kinds of bodies corporate, as well as sole traders and partnerships.
To which you might say:
"Well, those cases are about really sensitive information, like personal injuries, sexual abuse, claim information and medical details, and well, that's not the kind of information I handle in my business."
Privacy is not just about "sensitive" information
Actually, the Privacy Act applies to any "personal information". "Personal information" is any information about an identifiable living individual. It is not limited to only "private", "sensitive" or "medical" information. Think about it-if your business has employees, contractors, suppliers or customers, and you have names, addresses, phone numbers, email addresses, mailing lists, photos, or information relating to their credit cards, billing, bank accounts or tax, you definitely have "personal information".
So what is the Privacy Act all about then?
The Privacy Act sets out guidelines on how personal information is to be collected, stored, used and disclosed by agencies, in the form of 12 information privacy principles (principles).
The principles are broadly divided into four categories: collection, storage, use and disclosure of personal information. They deal with:
- how to collect personal information
- how to store it, and what security measures you need to take to protect it
- the need to keep personal information complete, up to date and accurate before using it
- how long personal information can be kept for
- the purposes it can be used for
- when it can be disclosed it to others
- how you must allow the person the information is about to access and correct it.
What happens if I don't comply?
Most allegations of a breach of the Privacy Act are initially dealt with by a complaint to the Privacy Commissioner. The Privacy Commissioner's office can investigate, and they generally try to resolve the complaint through conciliation. Unresolved complaints can be referred to the Human Rights Review Tribunal who can make determinations, award damages or grant declarations or other enforceable orders. To date, the highest monetary award made by the tribunal is $40,000.
How do I comply with the Privacy Act?
A well-drafted privacy policy is an efficient way to meet many of your obligations under the principles. But as recently noted in the media, a privacy policy is only the beginning. You will also need to consider the security measures for the information you store, and how long you will need to keep that information. Your business is also required to have a privacy officer to manage compliance, personal information and be the contact person for any individuals about Privacy Act issues.
If your business is implementing a new system or service that will handle a lot of personal information, it is becoming increasingly common to undertake a privacy impact assessment to help ensure compliance.
What exactly constitutes compliance with some of the principles is not prescribed. It will depend on the circumstances, and the nature of the personal information held or used.