As of 1 December 2020, all New Zealand registered companies must have a nominated Privacy Officer. This is a requirement under the Privacy Act 2020, which comes into force as of this date.
No special training is required of the person who is nominated to be the Company Privacy Officer; however, they are required to understand the Privacy Act Principles to ensure that the business complies with all obligations under the new Act.
The primary role of the nominated Privacy Officer is to deal with requests for access to, or correction of, personal information that the company may hold on individuals, including its staff. The organisation must therefore have a robust process in place to deal efficiently with such requests. In extreme circumstances where a privacy breach occurs or where the organisation receives a complaint regarding a potential privacy breach, the Privacy Officer may also have to work with the Office of the Privacy Commissioner to investigate or resolve the complaint.
The key areas of responsibility for the nominated Privacy Officer are to ensure that the organisation remains compliant in:
- Collecting Personal Information on individuals, including recruitment candidates
- Holding personal information
- Using and disclosing personal information
Where an individual believes that the company may have breached any of its obligations under the Act, the affected individual has a legal right to raise a Privacy Breach Complaint with the Office of the Privacy Commissioner, whereby the company may be issued with a Notifiable Privacy Breach Notice. This may be deemed to be a ‘serious harm’ incident, in which case the company may be required to take actions to reduce the risk of harm. Where a complaint is raised directly with the company, the company is obligated to notify the Commissioner immediately, with the Act advising that the company may be liable for penalties of up to $10,000 for a failure to provide such notification. In addition, the new Act allows the Human Rights Review Tribunal to award damages of up to $350,000 for class action breaches of the Act.
To ensure that your organisation is prepared and compliant under the new Act, the key steps will therefore be:
- Ensure that you nominate a Privacy Officer for your business,
- Ensure that this person develops knowledge of the Act,
- Implement a robust Privacy Policy within your business so that sound process can be followed if a person wishes to lodge a request for information or submit a complaint for a potential breach,
- Ensure that the Privacy Officer has a robust process to follow in the event of a complaint being received.
We have developed a compliant Privacy Policy for organisations to use to ensure that they are prepared for the implementation of the Act as of 1 December 2020. It outlines the key duties and responsibilities of the Privacy Officer and the processes to follow when a request for information or a complaint is received.
Please contact us if you wish to purchase this policy or would like assistance in this area.