Changes to be aware of in the new Privacy Act coming soon…

Next Article

How COVID-19 is affecting housing ‘needs’ and ‘wants’

A new Privacy Act is coming into force on 1 December 2020. While things will stay largely business as usual, the new Act will introduce some important changes to privacy law in New Zealand that real estate agents and agencies should be aware of. Some of the changes will require planning and preparation to make sure compliance is achievable when the new Act kicks in.

What’s changing?

Our current privacy regime makes it clear that personal information must only be collected for lawful purposes, that it must be stored and safeguarded correctly, and that people must have reasonable access to review and edit private information that is held about them. Disclosure of personal information is only permitted in limited circumstances.

The new Act is intended to make sure that personal information is kept safe and secure in line with new technology and ways of doing business. Most businesses will need to make some updates to their current privacy practices as a result.

The changes will be relevant to all businesses that collect, store, and use personal information about employees and customers. Real estate agencies are a good example of a business that collects a significant amount of personal information about a wide variety of people, from employees to vendor clients to potential purchasers attending open homes. Agencies and agents will need to understand their obligations under the new Act, and make sure they can meet them.

Implement a privacy breach procedure

Under the new Act, businesses will need to report serious privacy breaches. A privacy breach is any unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information, or an action that prevents the holder from accessing the information.

If a real estate agency has a privacy breach that it believes has or could cause serious harm, it will need to notify the Office of the Privacy Commissioner and the affected person or people as soon as possible. Failing to inform the Privacy Commissioner about a notifiable privacy breach will be an offence.

Not all breaches will need to be reported, only those that cause serious harm. Determining if a breach has or might cause serious harm will be a case-by-case assessment, taking into account things like disclosure of very sensitive information or to a large number of recipients, and the nature of the harm that might result. The Office of the Privacy Commissioner will be releasing online guidance about the new requirement to notify privacy breaches.

More information collected now than ever before

Anti-money laundering requirements have increased the amount of personal information agents need to collect on a regular basis. The current situation with COVID-19 has also resulted in a greater need to obtain information from everybody who is interested in a property, so agents and agencies are dealing with an increasing volume of personal information that needs to be obtained, used, stored, and disclosed correctly.

Agents must ensure that they do not obtain, or keep, private information unless it is really necessary. The anti-money laundering requirements are not a ‘get-out-of-jail free card’ to avoid legal obligations. If agents are collecting personal information from a client or customer as part of carrying out the customer due diligence process, that information should be collected from them directly wherever possible, and they should be made aware of what is being collected and why.

Using providers based overseas

Kiwi businesses that use service providers based overseas, for example cloud storage or computer software, will need to make sure that their providers are meeting New Zealand privacy laws. The vast majority of businesses will have some degree of personal information stored, processed, or otherwise transferred overseas in the course of doing their normal business.

A relevant example for agents is the frequent use Dropbox, which is an American based service provider. Many agents put property information documents into Dropbox, which contain a lot of personal information such as vendors’ full names, contact details, rates information (including what is outstanding), historic information relating to previous owners, and this information is often disclosed to many interested parties. If Dropbox’s current procedures are not compliant with New Zealand’s privacy law, then any business that uses it will be in breach of the new Act.

It is timely to consider your agency's information transfer practices, and which third parties are used to process information. The onus is the business using the service provider to ensure compliance, not the other way around.

Time for a review!

Now is the time to get ready for the new Act, ahead of 1 December 2020. Here are a few practical things agencies and individual agents can do to start to get ready now:

• Review and update your privacy policies to make sure they align with the new Act, clearly telling clients and customers what personal information you will obtain and how it will be used

• Make sure your procedures for detecting, reporting, and investigating privacy breaches are robust – how will you know if a breach occurs, and if it does, what will you do?

• Start training staff now, and make sure you have a few key people who are really up to speed on the changes (including your privacy officer/s)

• Make sure everybody knows who to approach about privacy issues – within each office, and/or at a regional or agency-wide level.

Legal advisors are already helping clients get across the new Act and the changes it will bring for businesses. If you have any questions relating to privacy practice and the new Act, or how it might affect you, please feel free to get in touch.

For more information, visit www.raineycollins.co.nz or email lsmith@raineycollins.co.nz