Publications

New Privacy Regulations under the Privacy Act 2020: communicating privacy breaches publicly

Home Insights New Privacy Regulations under the Privacy Act 2020: communicating privacy breaches publicly

Contributed by:

Contributed by: Joe Edwards and Shannon Closey

Published on:

Published on: August 20, 2020

Share:

The new Privacy Act and Privacy Regulations, including the public notification requirements for notifiable privacy breaches, come into effect on 1 December 2020. The Government has now published new Regulations under the Privacy Act 2020, which provide further clarity regarding key aspects of the new Act by:

  1. explaining the procedure and notice requirements when giving public notice under section 115(2) of the Act of a notifiable privacy breach;

  2. setting out the requirements for the giving, issuing, and serving of notices and documents for the purposes of the Act; and

  3. prescribing the matters that the Privacy Commissioner may require to be included in a report under section 154(1)(b) of the Act on the operation of an approved information sharing agreement.

The updated Privacy Regulations can be found here, and further detail regarding these is set out below.

1. Procedure for giving public notice of a notifiable privacy breach

The new Regulations also establish the procedural and notice requirements for when public notice of a privacy breach is to be given under section 115(2) of the new Act by an agency. 
 
Agencies will be required to publish a public notice of a notifiable privacy breach:

  • on an internet website that is maintained by or on behalf of the agency, and is publicly accessible free of charge at all reasonable times; and

  • in at least one other medium, whether electronic or non-electronic, that the agency considers to be most likely to bring that notice to the attention of the greatest number of affected individuals.

The Regulations also prescribe requirements for the content of a public notice of a notifiable privacy breach. Notices must:

  • describe the notifiable privacy breach without identifying any affected individual;

  • ​state any steps that an affected individual may take to mitigate or avoid potential loss of harm;

  • confirm that the Commissioner has been notified of the privacy breach;

  • state that an affected individual has the right to make a complaint to the Commissioner about the privacy breach; and

  • state the contact details of a person within the agency to whom inquiries may be made in respect of the privacy breach.

2. Requirements for the giving, issuing and serving of documents for the purposes of the Act

The new Regulations set out a number of permitted methods for the service of notices and documents under the new Act. These include service in person, by electronic transmission such as email, by leaving it at the recipient's usual or nominated address, by document exchange, or by post. The Regulations also provide timeframes for when service is deemed to have taken place for each of the permitted methods of service.
 
The Regulations provide for how service of documents under the Act is to be undertaken on overseas agencies and deceased persons:

  • for overseas agencies with a place of business in New Zealand or a New Zealand agent or representative, notices and documents under the Act can be served:

    • on an employee at the overseas agency's place of business in New Zealand (or, if it has multiple places of businesses in New Zealand, that agency's principal place of business) by any of the permitted methods of service;
    • on the overseas agency's New Zealand agent or representative by any of the permitted methods of service; or
    • abroad by any of the permitted methods of service other than by post. 
  • if the overseas agency does not have a place of business or agent based in New Zealand, the documents can be served abroad by any of the permitted methods of service other than by post.

  • if a document is to be served on a deceased person, the document may instead be served on that individual's personal representatives.

The Regulations empower the Commissioner or the Human Rights Review Tribunal to direct the manner in which a document is to be served, or that a document need not be served, if the person on whom a document is to be served is unknown, or it is otherwise not practicable to serve a document using any of the permitted methods of service.

3. Reporting requirements for approved information sharing agreements

Finally, the Regulations prescribe a lengthy list of matters that the Privacy Commissioner may require to be included in a report prepared under section 154(1)(b) of the Act by the lead agency to an approved information sharing agreement on the operation that agreement.
 
Further guidance on how New Zealand businesses can begin preparing for the changes brought into effect by the new Act and Regulations is available here. If you have any questions relating to the changes brought into effect under the new Act or Regulations, or how they relate to you, please contact one of our experts listed below.


This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.

Talk to one of our experts:
Related Expertise