The Privacy Act 2020 (Privacy Act) is set to come into force on 1 December this year. One of the key changes under the new Act is a new Information Privacy Principle 12 (IPP12), which provides stronger protections for the transfer of personal information to a foreign person or entity.
New regulations will prescribe 'safe harbour' jurisdictions for the purposes of the IPP12. The Ministry of Justice has announced that it is consulting on these regulations and indicated that the initial regulations will not be available until early 2022. Countries will be prioritised for assessment by the Office of the Privacy Commissioner. This will be approached with an annual prioritisation and assessment process, with an anticipated rate of 1-2 countries prescribed annually.
Further information on the Consultation is available here. Consultation is open from 27 October – 4 December 2020.
What does this mean for your business?
For New Zealand businesses, this means you will need to consider other mechanisms in IPP12 to ensure that your practices that involve the transfer of personal information to a foreign person or entity are up to date before the Privacy Act comes into force on 1 December 2020.
The other mechanisms provided under IPP12 apply if you believe, on reasonable grounds, that:
the overseas agency is subject to the Privacy Act,
the overseas agency is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act,
the overseas agency is otherwise required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act e.g. pursuant to an agreement (see model clauses below), or
you have authorisation from the individual concerned after you have informed them that an overseas agency may not be required to protect the information in a way that, overall, provides comparable safeguards to the Privacy Act.
On a practical level, these are a number of steps that you may consider to rely on these alternative mechanisms. For example, developing a company (or industry) position on comparable jurisdictions, updating contracts and templates, and updating privacy policies and statements.
The Office of the Privacy Commissioner has developed model clauses to assist businesses that are seeking to rely on the overseas agency being subject on agreement that includes comparable safeguards to the Privacy Act 2020. The model clauses are intended to assist with compliance - they are not mandatory. Organisations can modify the clauses to suit their needs or use their own form of contract clauses, so long as the key privacy protections are included.
Further information on the model clauses is available here.
Cloud services and other service providers
Guidance from the Office of the Privacy Commissioner has also emphasised that IPP12 does not apply if information is sent to an agent for storage or processing. For example, IPP12 will not apply if you are using offshore cloud providers or other agents to store or process your data, so long as the agent or cloud provider is not using that information for its own purposes.
You will remain responsible for the acts or omissions of those service providers and it is therefore essential that you have robust up-to-date contracts in place, including to address the new framework for the mandatory reporting of privacy breaches.
The Office of the Privacy Commissioner has indicated that it is preparing more detailed guidance about how the Privacy Act applies to information transferred to a cloud provider, software as a service provider or other agent.
Bell Gully Privacy Guide and Chatbot
Bell Gully's privacy team has been closely monitoring guidance on the Privacy Act and developing market practice.
Please see our Guide to the Privacy Act 2020. This includes a practical checklist to ensure that you are prepared.
Bell Gully has also launched a Privacy Breach Chatbot.
With one month until the new Privacy Act comes into effect, now is the time to ensure your privacy practices are up-to-date.
If you would like to discuss the updates discussed above, or require any other guidance on the new Privacy Act, please contact our specialist privacy team or your usual Bell Gully adviser.
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.