Privacy law: The top five changes affecting employers
In December 2020 the new Privacy Act 2020 comes into force. Not only has the Act been modernised, but there are also significant changes to how privacy law will be enforced. Here are the top five key changes employers should be aware of.
(In no particular order)
Number 1: Mandatory breach notification
The current Privacy Act 1993 does not require you to notify or report privacy breaches.
From December 2020 you will be required to notify serious breaches.
Breaches are notifiable when it is reasonable to believe the breach is likely to cause serious harm to an affected individual.
You will generally be required to notify both the Privacy Commissioner and the affected individuals. This must be done as soon as reasonably practicable after the breach occurs.
Number 2: Access determinations
The Office of the Privacy Commissioner will have the power to require you to give individuals access to their personal information.
Such a determination would previously have required a formal procedure through the Human Rights Review Tribunal.
The new procedure will streamline many contentious access requests, including those involving requests for documents and information in employment disputes.
Number 3: Compliance notices
A new power is being introduced where the Privacy Commissioner may issue notices requiring compliance with the Privacy Act 2020.
Such notices can require you to either actively do something to comply with the Act, or to cease an activity that breaches the Act.
Number 4: Application to information sent overseas
New restrictions require adequate protections for personal information being sent overseas. You will need to ensure either that the agency receiving the information is itself subject to the Privacy Act 2020, or that it has comparable safeguards in place.
This new restriction will not, in most situations, apply when you upload information to the cloud (such as where you are storing or processing information on a cloud-based system hosted overseas).
Number 5: New criminal offences
Fines of up to $10,000 are introduced under the Privacy Act 2020.
The new criminal offences are for:
- failing to comply with a compliance order;
- misleading an agency by impersonating an individual for the purpose of accessing the individual’s personal information;
- destroying documents containing personal information after receiving an access request to that information; and
- failing to notify a serious privacy breach.
Want to know more?
If you have any questions about privacy law, please contact our specialist Employment Team.
This article was included in our Spring 2020 edition of our Employment Newsletter which can be viewed here.