Privacy law update: Compliance notices - what are you going to do when they come for you?
November 27, 2019
A major overhaul of New Zealand’s privacy laws is underway and you need to be ready when it comes into force (currently expected to be mid-2020).
This is the third of four briefings to help you and your organisation prepare.
Compliance notices preparedness checklist
What is a compliance notice?
The Privacy Commissioner will be granted new enforcement powers, similar to those found in employment and health and safety law. The Commissioner will be able to issue a compliance notice for you to do, or cease doing, something in order to comply with privacy law. A compliance notice may be issued at any time, and must also specify a time within which the order must be complied with.
The Commissioner can also make binding access requests - if an agency refuses to make information available, the Commissioner will be able to demand release.
When will a compliance notice be issued?
The Commissioner can issue a compliance notice where he considers that one or both of the following may have occurred (cl 124 of the Bill):
- a breach of this Act, including interference with the privacy of an individual
- an action that is to be treated as a breach of an IPP or an interference with the privacy of an individual under another Act.
Before issuing a compliance notice, the Commissioner is required to give the agency concerned a reasonable opportunity to comment on a written notice that describes the breach and the remedial steps the Commissioner considers are needed.
Once a compliance notice is issued, the agency concerned must comply with the compliance notice within the specified timeframes (unless the specified dates are varied or modified, or the compliance notice is cancelled or suspended). Agencies can also challenge the compliance notice via proceedings in the Human Rights Review Tribunal.
Consequences of non-compliance
Compliance notices must be published publicly with a statement that includes details about the identity of the agency and the extent of the breach, unless publication would cause undue harm that outweighs the public interest. If an agency does not comply with a compliance notice, it can be enforced by the Commissioner through the Tribunal. Failure to comply with a compliance notice could result in a fine of up to $10,000.
How will you respond to a compliance notice?
You will be given notice before a compliance notice is issued, and you can appeal the compliance notice itself once it is issued. Given the heightened public interest in privacy breaches, and a proactive Commissioner, the risks to an organisation’s reputation could be substantial. You will need robust processes which address the following:
- Ensure you engage with the Commissioner at an early stage, before any decision is made to issue a compliance notice, so that you have your say both as to the claimed breach and the potential steps to remedy it.
- If a compliance notice is issued:
  - urgently consider whether to appeal (you have 15 days)
  - work out how to comply with the compliance notice
  - report to the Commissioner on the steps taken to remedy the breach
  - develop a media strategy regarding publication of the compliance notice.
- If you do not appeal, the Commissioner may take steps to enforce the compliance notice, and you will become subject to a fine. As such, you have to move quickly.
Compliance notices could be a significant source of reputational embarrassment for an organisation, and formally challenging a compliance notice by appeal can take significant time and cost. Prevention will therefore be the best way to ensure you are a responsible custodian of personal information.
Get in touch / Upcoming workshops
Reviewing and implementing new privacy policies can be a complex and confusing process. Please contact our privacy law specialists if your organisation needs help to get ahead of the new Act’s commencement. Simpson Grierson are also running workshops in both Auckland and Wellington in early 2020 to help organisations get to grips with the new privacy regime. Email us here if you are interested in attending.
Privacy Bill progress update
The second reading of the Privacy Bill indicated a commencement date of 1 March 2020, however we anticipate a six-month transition period from when the Act is passed. This means that if the Act is passed before the end of 2019, commencement is likely to be mid-2020.
Contributors: james.meager@simpsongrierson.com, matthew.austin@simpsongrierson.com