What do Privacy Act changes mean for company policy?


Recent changes to privacy legislation have implications for contractors, who often collect and store people’s personal information, for example on site sign-in registers, Civil Contractors New Zealand explains.

In December 2020 an updated Privacy Act came into being. With the country focussed on keeping Covid-19 out, this legislation received little airtime.

While the Privacy Commission has run a campaign to provide information on the Act and how it affects everyone, it is a subject area that most in the construction industry are unlikely to have encountered.

Some direct impacts of the updates to the Act were brought to our attention when one of our members contacted us after an ISO audit. The auditor had raised a few issues about who was allowed access to personal information, and about the absence of a privacy policy. Recommendations were made to tighten up company policy and put in place greater controls to minimise unauthorised access to personal information.

This got us digging into what the updated Act means for contractors.

Collection and storage of personal information

Businesses have an obligation to keep employee personal information confidential. For many this will require that all hard copy information is kept under some form of lock and key. All information kept on a computer system should be password protected or kept on a system where only authorised individuals can have access.

Our recent experience has raised questions about site sign-in registers that require a written entry, and therefore risk inadvertent disclosure of personal information each time someone ‘signs on’.

Traditionally, this information is written on a register at the site entrance, and the entries are visible to anyone coming or going from the site. With sites that have electronic sign-in and sign-out this should not be a problem. Collecting the information is necessary to prevent or minimise a serious threat to the life or health of the individual concerned – an allowance that can be made under the Act.

However, contractors still need to consider how to collect and store that information in a manner that meets this purpose while avoiding inadvertent disclosure via a public sign-on sheet.

A disclosure statement on the register, stating that the person entering the site agrees to the collection and any necessary disclosure of their personal information, would also help ensure everyone is aware of their rights and obligations under the access to information principle. The same statement could be included in a company privacy policy, providing clarity for all (and protection for the company).

The Privacy Commission provides e-learning courses online.

Company Privacy Policy

Best practice is to have a privacy policy in place for your business. It should outline how your business will collect, use and store potentially sensitive information and how employees can gain access to it if required. A privacy policy should also include the appointment of a privacy officer, or someone delegated to be responsible for overseeing compliance with privacy requirements.

Breakdown of relevant changes

For most contractors, the revised Act is largely business as usual. Technology has changed significantly since the previous Act was implemented, and the revision was primarily intended to bring the legislation up to date and give the Privacy Commissioner greater ability to take enforcement action against privacy breaches.

It was widely recognised that the previous Act lacked ‘teeth’ for enforcement and therefore was not incentivising compliance with privacy principles.

  • The Act introduces a privacy breach notification regime. If a business or organisation has had a privacy breach that it believes has caused or is likely to cause serious harm, it will need to notify the Office of the Privacy Commissioner and the affected individuals as soon as possible. Under the Act it is an offence to fail to notify the Privacy Commissioner. With a spike in recent hacker activity targeting the computer systems and websites of private organisations, such as the New Zealand Exchange website, compliance with this reporting requirement is clearly necessary.
  • Restrictions on offshore transfers of personal information now clarify that offshore destinations must have comparable privacy protections in place before data transfers are permitted to be made.
  • Clarifications on the extraterritorial scope of the Privacy Act. An overseas business or organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here.
  • The Privacy Commissioner can now issue compliance notices requiring agencies to remedy breaches of the Act within specific timeframes; these notices are enforceable in the Human Rights Review Tribunal.
  • Previously, there was no method of enforcement against agencies that fail to provide access to personal information as the Act requires, other than an expensive and time-consuming application to the Human Rights Review Tribunal. The Act now provides for the Commissioner to issue access determinations, which are binding decisions on agencies, enforceable with fines of up to $10,000 for failure to comply.
  • Any failure to comply with a lawful requirement of the Commissioner may be a criminal offence leading to a fine of up to $10,000.

The Act contains Information Privacy Principles (IPPs) which cover the collection, use, disclosure and storage of information. Key IPPs for contractors to bear in mind include:

  • IPP1, relating to the need for a lawful purpose to collect information. It has been clarified to ensure that businesses and organisations do not collect identifying information from people if it is not necessary.
  • IPP2, which is about who you collect the information from.
  • IPP4, which is about the manner in which information is collected.
  • IPP8, which sets out a requirement to check the accuracy of information before it’s used. This has been changed to require the accuracy of personal information to be checked before disclosing that information.
  • IPP13, relating to requirements to minimise the risk of misuse with a unique identifier. For example, bank statements that only display part of the account number.

Some reminders

  • Recruitment information
    When requesting information about a person’s background during recruitment, you can only ask for information that is relevant to the job. Irrelevant and intrusive requests might include a prospective employee’s sexual orientation, religious beliefs or intention (or not) to have children. Before collecting personal information during the recruitment process, prospective employees or contractors should be informed why it is collected, who will receive the information, whether providing it is required or voluntary, and what will happen to the information following recruitment.
  • Training
    As a minimum, those who come into contact with personal information should be briefed on the requirements of the Act and the company privacy policy, although it would be helpful to extend this practice across the entire business. Where a privacy officer is appointed, or someone is delegated those duties, additional training should be provided to allow them to carry out those duties effectively.