Privacy Act Changes Might Catch You Out


Your smartphone could land you in hot water with the Privacy Commissioner as a new raft of laws around data protection and privacy are just months away, says one data protection expert.

Mark Carver is a member of the International Association of Privacy Professionals (IAPP) and a director of TwoBlackLabs – a Wellington-based firm that advises clients on how to remain compliant when it comes to data protection and the Privacy Act.

He says companies and traders large and small have around six months to get up to speed and ensure they comply with changes to the act.

Despite all the checks and balances a firm might adopt, Carver says people using the same phone for business and personal use could inadvertently break the law. One reason for this is that they could unknowingly share client information with companies such as Facebook and cloud-based services.


“Most phones gather information and send it off to different companies in the background,” says Carver. “Phones mine all sorts of data, so the breadth of this for causing a breach of the act is potentially quite large.

[Image: Mark Carver, MD, Two Black Labs] Mark Carver advises firms to get up to speed with Privacy Act changes.

“People need to understand what information they are collecting, who it is being shared with, and what they are allowed to do with it. You have to perform due diligence on the third-party services you are using and do a risk assessment on them.”

Carver says there are two key changes in the Privacy Act 2020: a legal requirement to tell people when their privacy has been breached, and the embarrassment of companies being named and shamed for allowing a breach to occur. There is also the small matter of a $10,000 maximum fine for each breach.

“Everyone following the changes has been debating how mandatory breach notifications will be decided,” says Carver. “What it means is that in the event of a breach of personal information – such as releasing personal data to people who shouldn’t have it – you have to inform the people whose privacy has been breached. In addition, you have to tell the Office of the Privacy Commissioner.”


Carver says the test for reporting a breach is: ‘has the breach caused serious harm to an individual?’

“And there is some debate about how to measure that at the moment,” he says.

Guidance will be published to give companies examples of different scenarios, such as someone losing a laptop that has private information about clients on it.

“The Privacy Commissioner will also have compliance powers,” says Carver. “In the event of a breach the commissioner can issue a compliance notice that sets out what the breach was, recommendations for fixing it, and in extreme cases can force companies to remedy the situation – and there is a risk people could also end up in the Human Rights court.


“So there is a whole set of legal obligations coming in and all compliance notices will be made public – so the reputational damage to an organisation found in breach of the act will likely outweigh any financial penalty.”

In addition, a section of the act covers the protection of data sent overseas.

“If you are sending personal information off-shore then under certain criteria you would have to look at the requirements under the act,” says Carver.

“There is an exception for cloud service providers that are processing information solely on your behalf, and which have no rights to use the data you supply for any other purpose. You need to understand what information is going to whom and what can they do with it.”

Companies not only have to consider New Zealand law; the General Data Protection Regulation (GDPR) in Europe may also apply.

The general rule of thumb is that if – for example – your website can be seen in Europe, and perhaps you collect user data or email subscribers, then the European rules may apply to you, says Carver.

  • New Zealand firms wanting to understand more can use a free Privacy Act readiness checker at TwoBlackLabs.
