New Zealand Privacy Act rules have recently been updated.
• Transparency: businesses will be required to report serious privacy breaches – leaks, lost data or malicious attacks – to the Privacy Commissioner and the people affected.
• Access to personal data: if people request their personal information from a business or organisation, it must be supplied. The Act specifically states that a business can be fined if it destroys the information to avoid providing it.
• Overseas security: New Zealand-based businesses need to ensure that any overseas services they use – including cloud storage or eCommerce hosting – meet the security standards of the new legislation.
• Overseas businesses: companies that do business in New Zealand, whether they have an office here or not, will also need to follow the rules.
• Data minimisation: this principle is about keeping the data you need only for as long as you need it. In financial services, for example, you’re required to hold data for seven years. After that, it should be securely deleted.
• Compliance: the Act gives the Privacy Commissioner new power to issue compliance notices and fine businesses for breaching privacy rules. The maximum fine has been raised from $2000 to $10,000.
AFL New Zealand is aware of the following changes to the Privacy Act and will update our processes and procedures to meet the requirements.