
5 reasons the new Privacy Act can impact your business

New Zealand’s new Privacy Act became law at the beginning of December. It’s a good time to also consider whether your organisation is compliant with overseas privacy regulations, writes Planit Software Testing’s Dave Withers APP.

David Withers APP is a Security Consultant with experience in large CCTV installations. He has also worked for over 20 years in Quality Assurance. As a Shadow Committee member of the ASIS NZ Chapter, David establishes and supports Auckland-based ASIS certification study groups.

New Zealand has ironically caught a lucky break with COVID-19, and New Zealand businesses are now in a situation that we can all take advantage of. With many parts of the world in lockdown, our workforce is living normal, healthy lives, and teams can meet in person to collaborate on ideas and work together.

The first wave forced most workers into remote working. As a result, going to a physical location to work is no longer a requirement for many assignments, and remote work is now an accepted work practice worldwide.

Our workforce can now work with clients anywhere in the world, and we are well placed to grow our businesses outside our borders as a result.

Given that from December businesses are required to comply with New Zealand’s new Privacy Act 2020, and given our globalised context, it is recommended that you also look to become compliant for international markets.

Privacy regulations worldwide are all based on the same ideal: collecting and securing personal and sensitive data appropriately. This means that for very little extra effort you can become compliant in other territories. Some examples are:

• General Data Protection Regulation (GDPR): The European data privacy and security law covers a market of 446 million people. Noncompliance cost hundreds of companies more than 114 million euros in fines in the law’s first 20 months.
• Health Insurance Portability and Accountability Act (HIPAA): This US standard is designed to protect sensitive patient data in a market of 328 million people. Noncompliance costs companies an average penalty of USD 1.2 million per violation.
• California Consumer Privacy Act of 2018 (CCPA): This law protects consumers’ rights over their personal data.

All the above could be addressed when making your company compliant with the new NZ Privacy Act. The new Act comes into effect on 1 December 2020, bringing with it a number of changes:

• New privacy breach notification regime: If a privacy breach has caused (or is likely to cause) serious harm, the company must notify the Office of the Privacy Commissioner and affected individuals as soon as possible.
• Compliance notices: The Privacy Commissioner can issue compliance notices to organisations to require them to do something, or to stop doing something.
• Enforceable access directions: The Privacy Commissioner can direct organisations to provide individuals with access to their personal information, in line with principle 6.
• Disclosing information overseas: New principle 12 regulates the way personal information can be sent overseas.
• The extraterritorial effect: Any overseas organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations.
• New criminal offences: A fine of up to $10,000 for a person who impersonates or misleads someone in order to access information they are not entitled to see, or for an organisation that destroys data after a request to access it has been made.
• Principle 1 change: Organisations can now only collect identifying information if it is necessary.

As you can see, the new act has more enforceable action and fines. This means organisations need to review their current privacy policies and data collection processes to ensure compliance. When conducting a review, consider the following as good privacy practices:

People and organisations own their data! It is important to remember you are just a custodian of private information. It is not yours to sell or pass on without explicit permission from the person or organization.

What personal information are you holding? Part 3, Principle 1 of the Privacy Act clearly states you can only collect personal information for a lawful purpose where that data is needed to fulfil that purpose. Collecting or holding personal or organisational data that is not required is not allowed.

Data classification, storage, and access control

To keep data safe, you must classify all data to ensure correct handling and storage. The information security professional association (ISC)² describes four classes of data:

Class | Governmental classification | Non-governmental classification | Potential damage
3 | Top Secret | Confidential / Proprietary | Exceptionally grave damage
2 | Secret | Private | Serious damage
1 | Confidential | Sensitive | Damage
0 | Public | Public | No damage

For each data classification above there should be a policy for:

• Where the data can be stored: given that a lot of data is in the cloud, does it have to be hosted in NZ, or can it be anywhere in the world?
• Where the data is used.
• Security and access controls: who can see the data?
• Whether audit trails are needed recording who accessed the data, from where, and when.

By classifying the data and basing policy on each class, you can protect your organisation from unintended breaches of the Privacy Act.

What data don’t you need to retain?

There is a difference between what you need in order to onboard a customer and what you need to maintain a relationship with them. Some considerations are:

• Do you need to retain the ID documents and other sensitive data used to identify the person/organisation and onboard them?
• Do you need to keep personal or sensitive data to maintain the relationship?
• Do you need to retain data for past customers and employees?

If you don’t need it, the best practice is to purge it.

Retention period of data

As per the point above, all personal and other organisations’ data needs to have a prescribed retention period. When you assess and classify the data you hold, good practice is to set a retention period based on how long you need that data. Holding data longer than needed makes any breach event worse than it needs to be.
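The classification, purpose and retention steps above can be written down as a checkable policy rather than left as prose. The following is an added example (not code from the article, Planit, or (ISC)²) that tags each held field with a class from the four-class table, records whether it is still needed for its lawful purpose, and applies a per-class retention period counted from the end of the relationship. The inventory, the field names and the retention day counts are constructed placeholders, not figures from the Act or the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Class numbers follow the four-class table in the article
# (3 Confidential/Proprietary, 2 Private, 1 Sensitive, 0 Public).
CLASS_LABELS = {3: "Confidential / Proprietary", 2: "Private", 1: "Sensitive", 0: "Public"}

# Constructed retention policy: days to keep a field after the relationship ends.
# These numbers are illustrative placeholders, not the article's or any regulator's.
RETENTION_DAYS = {3: 30, 2: 365, 1: 730, 0: None}  # None: no purge deadline


@dataclass
class Record:
    record_id: str
    subject: str                        # whose data it is (they own it; you are the custodian)
    field: str                          # what is held, e.g. "passport scan"
    data_class: int                     # 0..3 per the table above
    collected: date
    relationship_ended: Optional[date]  # None while the customer/employee is current
    needed_for_purpose: bool            # still required for the lawful purpose it was collected for?


def retention_deadline(rec: Record, policy=RETENTION_DAYS) -> Optional[date]:
    """Date after which the field must be purged, or None if no deadline applies yet."""
    if rec.data_class not in policy:
        # Unclassified data cannot be handled or stored correctly; refuse rather than guess.
        raise ValueError(f"unclassified record {rec.record_id}")
    days = policy[rec.data_class]
    if days is None or rec.relationship_ended is None:
        return None
    return rec.relationship_ended + timedelta(days=days)


def decide(rec: Record, today: date) -> str:
    """Return 'purge' or 'keep' for one record."""
    # Principle 1: data no longer needed for its purpose should not be held, whatever its class.
    if not rec.needed_for_purpose:
        return "purge"
    deadline = retention_deadline(rec)
    if deadline is not None and today > deadline:
        return "purge"
    return "keep"


def retention_report(records, today: date):
    """Group record ids by the action the policy requires."""
    report = {"purge": [], "keep": []}
    for rec in records:
        report[decide(rec, today)].append(rec.record_id)
    return report


# Constructed sample inventory: an onboarding document that is no longer needed,
# a current customer's contact field, a former employee, a former customer, public material.
SAMPLE = [
    Record("r1", "cust-001", "passport scan (onboarding)", 2, date(2018, 3, 1), None, False),
    Record("r2", "cust-001", "email address", 1, date(2018, 3, 1), None, True),
    Record("r3", "emp-042", "bank account", 2, date(2015, 7, 1), date(2019, 1, 15), True),
    Record("r4", "cust-017", "name", 1, date(2019, 2, 1), date(2020, 6, 30), True),
    Record("r5", "n/a", "public brochure", 0, date(2017, 1, 1), date(2017, 1, 1), True),
]

if __name__ == "__main__":
    for action, ids in retention_report(SAMPLE, date(2020, 12, 1)).items():
        print(action, ids)
```

Run against the sample inventory on 1 December 2020, the report lists the onboarding passport scan (no longer needed for its purpose) and the former employee's bank account (past its class-2 retention period) for purging, and keeps the rest. The point of the structure is that the purpose check runs before the class check: a field that is not needed is purged regardless of how long its class would otherwise allow.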

The time to act is now. Armed with the information in this article, go through your datasets and identify anything that might not comply with the new Privacy Act. Ignorance is not a defence. As the GDPR and HIPAA examples show, regulators in other jurisdictions have not been shy about using their powers and available enforcement options to ensure compliance.

If you are not sure of anything feel free to reach out for in-depth guidance. Our IT security specialists are available to help.
