What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
Historically, the Privacy Act 1993 has been the foundation for privacy regulations in New Zealand. Effective December 1, 2020, the Privacy Act 2020 will replace the 1993 law (2020 Amendment). The updated law modernizes the original privacy law and adds a few key reforms that may impact employers, including mandatory notification of harmful privacy breaches and controls on information that is being disclosed overseas.
The Privacy Act 2020 sets 13 privacy principles, including that personal information can only be collected for a lawful purpose connected with a function or activity of the agency (i.e., the employer in the context of HR), and when the collection is necessary for that purpose. Personal information should be collected directly from the individual, with some exceptions (for example, when information is publicly available). The following is a summary of the privacy principles:
Principle 1: Personal information (i.e., information about a particular individual) can only be collected for a lawful purpose.
Principle 2: Personal information must be collected directly from the individual concerned (with a few exceptions).
Principle 3: Employers, and other agencies who collect personal information, must ensure the individual is aware of the purpose for which the personal information is collected, the intended recipients, and the fact that the individual has a right of access to, and a right to request correction of, their information (with a few exceptions).
Principle 4: Personal information can only be collected lawfully and fairly, and in a way which does not unreasonably intrude upon personal privacy.
Principle 5: Reasonable security safeguards must be taken to protect personal information against loss and unauthorized access, use, modification, or disclosure.
Principle 6: Individuals are entitled to confirm whether an employer (or other agency) holds any personal information about them, and to request access to that information.
Principle 7: Individuals are entitled to request the correction of their personal information. Employers (and other agencies) may refuse to correct the information. If the request is refused, the employer (or other agency) must take reasonable steps to attach a statement to the information noting that a correction has been sought but not made. If a correction is made, other persons to whom the employer has disclosed the information must be informed of the correction when reasonably practicable.
Principle 8: Personal information cannot be used or disclosed without taking reasonable steps to ensure that the information is up to date, complete, relevant, and not misleading.
Principle 9: Personal information may not be kept longer than necessary for the purposes for which it may lawfully be used.
Principle 10: Personal information obtained for one purpose may not be used for another purpose (with a few exceptions).
Principle 11: Personal information cannot be disclosed to any person or agency without the consent of the individual whom the personal information is about (with few exceptions).
Principle 12: Personal information can only be disclosed to foreign persons and entities in certain circumstances.
Principle 13: Employers (and other agencies) may only assign a unique identifier to an individual if it is necessary to enable the employer (or other agency) to carry out its functions efficiently. A “unique identifier” is a tag which may identify a specific individual but does not use the individual’s name.
The current authority responsible for enforcement of data privacy law and regulations in New Zealand is the: