It’s here. Privacy Act 2020

Office of the Privacy Commissioner New Zealand

There are some important changes in the Privacy Act 2020, such as mandatory notification of privacy breaches, additional restrictions on disclosing personal information offshore (including health information), additional criminal offences, compliance notices and enforceable access directions.

In line with the new Privacy Act, we are issuing an updated Health Information Privacy Code. The Code reflects the changes that are in the Privacy Act. If you would like to understand the changes, see the information paper on the replacement health code: code consultation

An opportunity to review privacy practices

This is the perfect time to do a health check of your existing privacy practices and check that the procedures your agency has in place are effectively protecting the personal information you hold. This could be as simple as reviewing whether the policies and procedures you currently use are working as they should, or if they need updating.

For example, do your consent forms request only the minimum amount of information required? Do your information practices match what you tell patients or clients you will do with their information? Do you have processes to respond promptly to an individual’s request for information about themselves?

Now is a good time to check the type and quantity of personal information you’re collecting, to ensure that you’re not collecting more information than you should be. You might also like to consider your information disclosure practices. For example, do you have staff who are trained to respond to requests to transfer records, or to respond to Police information requests?

The new Privacy Act is also a great opportunity to upskill your staff on their privacy obligations. Try the e-learning modules:

Security of personal information is always important

The obligation on agencies to take reasonable steps to prevent loss, unauthorised access, disclosure or misuse is just as important as ever. Both the 1993 Act and the Privacy Act 2020 refer to an agency being required to protect information “by such security safeguards as it is reasonable in the circumstances to take”. This can mean that where the information is particularly sensitive, an agency should take additional steps to secure that information.

Earlier this year we were notified of a privacy breach which illustrated the importance of offsite backups for data storage. A law firm was burgled, and their computers were taken. The law firm had relied on the physical security of their building as their main security protection. An external hard drive which included backups of the data did exist, but it was stored on-site, and the data was not encrypted. The hard drive was also stolen during the burglary.

The law firm stored records which contained sensitive personal information about clients, and the disclosure of that information could have caused serious harm to many people.

We strongly encourage all agencies that hold personal information, and particularly those agencies that hold sensitive personal information, to have a comprehensive approach to encryption and offsite storage of backup servers or hard drives. Not only does this help to mitigate the risk of loss in the event of a burglary, it can be useful in case of a fire, earthquake damage, or other event which necessitates offsite working (such as an unexpected pandemic!).

If you’re a small health agency and you’re not sure where to start with your security processes and policies, talk to your sector’s industry body about what advice or support they can provide you with. We also encourage all agencies to use CERT NZ’s resources and guidance on backups and security:

If things do go wrong and your practice has a privacy breach, you’ll want to use the online privacy breach reporting tool, NotifyUs. See below for further information.

Disposal of health information

Take some time to consider how you dispose of information once you are no longer required to keep it, or in the event of your business closing. Health agencies have an obligation under the Health (Retention of Health Information) Regulations 1996 to keep any patient health records for 10 years from the last time you provided services to them. If you were to close your practice, you would need to contact your patients and arrange to transfer their records to another health agency, return their records to them, or have the health records stored securely until they can be safely transferred or returned.

Further privacy guidance and resources

We want to help agencies to comply with their new (and existing) privacy obligations. The health sector is wide and varied, with agencies of differing sizes and privacy maturity levels, so we’ve created a range of guidance. See:

NotifyUs will help you if your practice has a privacy breach to deal with. You can complete a self-assessment to determine how serious the breach is, and whether you need to notify the Privacy Commissioner. NotifyUs is the best way to report privacy breaches to the Commissioner.