Privacy Act 2020_Summary for WBOP PHO Practices


Privacy Act 2020 changes

The Privacy Act 2020 came into effect on 1 December. It has been modernised to reflect changes in wider society and to ensure it is fit for the technological world in which we live. But what does this mean for GPs and other professionals working in the health sector?

The new Privacy Act introduces greater obligations for businesses and organisations, a financial penalty for serious privacy breaches, and more enforcement powers for the Privacy Commissioner. A brief video providing an overview of the changes can be viewed here.

Reporting serious privacy breaches

There is a new legal requirement to tell the Privacy Commissioner if there has been a privacy breach that has caused, or is likely to cause, serious harm. In most instances you will also need to tell the affected individuals. But what is serious harm? Practices can use the online tool NotifyUs to assess whether a privacy breach is notifiable, and then to report that breach if necessary. More info here.

Changes to the privacy principles

The new Act retains the privacy principles of the 1993 legislation, with some changes:

• Principle 1 has been updated to clarify that you can only collect identifying information if it is necessary. The goal is data minimisation.
• Principle 4 in the new Act requires businesses and organisations who collect information from children and young people to consider whether the way they collect this information is fair in all circumstances.
• Principle 13 now states that businesses and organisations must take reasonable steps to protect unique identifiers, such as an NHI, from being misused.

Sending information overseas

This new information privacy principle, principle 12, sets the rule that a New Zealand business or organisation may only disclose personal information to an overseas agency if that agency has a similar level of protection to New Zealand, or the individual is fully informed and authorises the disclosure. More info here.

Enforcement powers

The Privacy Commissioner can issue a compliance notice requiring you to do something, or stop doing something, in order to comply with the Privacy Act. The Privacy Commissioner can also direct agencies to provide individuals access to their personal information.

It will now be an offence to mislead an agency to access someone else’s personal information—for example, impersonating someone in order to access information that you are not entitled to see. It will also be an offence to destroy personal information, knowing that a request has been made to access it. The penalty is a fine of up to $10,000. More info here.

Resources

For more information on the Privacy Act 2020, visit https://privacy.org.nz/

Free online privacy education courses can be accessed at https://elearning.privacy.org.nz/

Foundation Standard Indicator 2: Patient Information, click here.

The PHO is producing a Privacy Policy template, available in 2021 and accessed via the PHO portal.

V 1_WBOP PHO 7 December 2020

