Privacy Act Changes

Changes to the Privacy Act came into effect 1 December 2020

The current privacy laws were last put in place in 1993.  A lot has changed since then, including the use of the internet as a business tool and to store data.  As a result, the Privacy Act has now been updated and came into effect 1^st December 2020.

What are the key changes?

1. The Act now requires businesses to report serious privacy breaches, where there is a risk of harm (such as leaked personal information published online or identity theft), to the privacy commissioner and to the individual/s concerned.
2. The Act will enforce penalties of up to $10,000 for certain types of privacy breaches.
3. Individuals affected by the breach may also appeal to the Human Rights Review Tribunal, which can award up to $350,000 per person.

What should your businesses have taken (and continue to take) into consideration as a result of these changes?

1. What customer and employee information do you collect? How is it stored? Which role is responsible for its collection and use? How is it used?
2. Check that no personal information is collected that is unnecessary – the less you collect, potentially the lower the risk of a breach.
3. Are you sufficiently controlling/limiting who has access to the data, including deleting access from those who no longer need it or have left?
4. Do you use a secure password and two-factor authentication system (including for cloud-based data storage)?
5. Has any information been copied and/or stored in a variety of places?
6. Is data regularly and fully deleted when it is no longer required?
7. What process do you have in place with any third-party providers to ensure they are following the right security protocols on your behalf. Does this get audited?
8. Do you have a sufficiently trained go-to person and policy for managing privacy? Who else might need to know more or have training about privacy requirements?
9. How do you know if there has been a breach? Are you monitoring your IT systems, performing regular checks/audits and are there reporting systems and a response plan (including communications) in place?

Don’t hesitate to let us know if we can assist you with any questions about this, to develop a policy and processes, or to provide some training for identified roles who have a responsibility for privacy management.