Recent changes to privacy legislation have implications for contractors, who often collect and store people’s personal information, for example on site sign-in registers, Civil Contractors New Zealand explains
In December 2020 an updated Privacy Act came into being. With the country focussed on keeping Covid-19 out, this legislation received little airtime.
While the Privacy Commission has run a campaign to provide information on the Act and how it would affect everyone, it is a subject area most in the construction industry are unlikely to have encountered.
This got us digging as to what the updated Act means for contractors.
Collection and storage of personal information
Businesses have an obligation to keep employee personal information confidential. For many this will require that all hard copy information is kept under some form of lock and key. All information kept on a computer system should be password protected or kept on a system where only authorised individuals can have access.
Breakdown of relevant changes
For most contractors, the revised Act is largely business as usual. Technology has changed significantly since the previous Act was implemented and the revision was primarily to make it current and provide the Privacy Commissioner with greater ability to take enforcement action against privacy breaches.
It was widely recognised that the previous Act lacked ‘teeth’ for enforcement and therefore was not incentivising compliance with privacy principles.
- The Act will introduce a privacy breach notification regime. If a business or organisation has had a privacy breach that it believes has caused or is likely to cause serious harm, it will need to notify the office of the Privacy Commissioner and the affected individuals as soon as possible. Under the Act it is an offence to fail to notify the Privacy Commissioner. With a spike in recent hacker activity targeting computer systems and websites of private organisations, such as the New Zealand Exchange website, there is clear necessity for compliance with this reporting requirement.
- Restrictions on offshore transfers of personal information now clarify that offshore destinations must have comparable privacy protections in place before data transfers are permitted to be made.
- Clarifications on the extraterritorial scope of the Privacy Act. An overseas business or organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here.
- The Privacy Commissioner can now issue compliance notices requiring agencies to remedy breaches of the Act within specific timeframes, which is enforceable in the Human Rights Review Tribunal.
- Previously, there was no method of enforcement against agencies who fail to provide access to personal information under the Act’s requirements, except for an expensive and time consuming application to the Human Rights Review Tribunal. The Act now provides for the Commissioner to issue access determinations, which are binding decisions on agencies, enforceable with fines up to $10,000 for failure to comply.
- Any failure to comply with a lawful requirement of the Commissioner may be a criminal offence leading to a fine of up to $10,000.
The Act contains Information Privacy Principles (IPP’s) which cover collection, use, disclosure and storage of information. Key IPPs for contractors to bear in mind include:
- IPP1, relating to the need for a lawful purpose to collect information. It has been clarified to ensure that businesses and organisations do not collect identifying information from people if it is not necessary.
- IPP2, which is about who you collect the information from.
- IPP4, which is about the manner in which information is collected.
- IPP8, which sets out a requirement to check the accuracy of information before it’s used. This has been changed to require the accuracy of personal information to be checked before disclosing that information.
- IPP13, relating to requirements to minimise the risk of misuse with a unique identifier. For example, bank statements that only display part of the account number.
- Recruitment information
When requesting information about a person’s background during recruitment, you can only ask for information that is relevant to the job. Irrelevant and intrusive requests might include a prospective employee’s sexual orientation, religious beliefs or intention (or not) to have children. Before collecting personal information during the recruitment process, prospective employees /or contractors should be informed why it is collected, who will get the information, whether the information is required or voluntary and what will happen to the information following recruitment.