The Lowdown: the New Privacy Act

Privacy isn’t just an issue for “big data” corporates. In the digital age, even small businesses have a serious need to protect confidential information.

As data sharing becomes a red-hot issue, the NZ government is bringing in some new rules about privacy, coming into effect before March 2020 (not that far off!).

This introduces bigger penalties for not sticking to our privacy legislation, and stricter enforcement. As an individual, that’s all good news, helping you control who knows what about you. As a business owner, it means compliance just got a little tougher (again).

So, it’s probably time to review how you look after information about your staff and customers.

Here’s what you need to consider:

• How do you store employee and customer records? (Especially sensitive stuff, like payment details or salary info)
• If they’re on paper, are you keeping them secure, in a safe, restricted place?
• If they’re digital, are they password-protected? Do you have any digital defences, like virus-scanners or firewalls?
• Who has access?
• When a staff member leaves, do you have a process to permanently remove their access to private content, changing passwords etc?
• Do all your employees clearly understand their responsibilities to keep certain things private? Do you have rules for everybody around protecting info on work devices, or removing confidential documents from work property? (Ultimately, you’re the one who gets in trouble if one of your employees creates a data breach, so set clear expectations)

It doesn’t have to be Fort Knox, but you do need to take some reasonable precautions to safeguard private data. This will look different depending on the size and nature of your business.

The Flipside

It’s not just about your responsibility to keep info private - it’s also about your obligations to share it.

If a customer or employee requests a copy of their own information, you have to hand it over within 20 working days. If this happens, take care that you only provide them with their personal data, and not anybody else’s, even though you’re likely storing it by group.

The new laws say that the Privacy Commissioner can serve a compliance notice to a company that doesn’t hand over information quickly enough when it’s requested.

Privacy Online

Under the Privacy Bill 2018, you’ll have a new responsibility to report breaches of any private information, if the breach could cause “serious harm”. If there’s a “hack” or some dodgy activity on a system where you’re keeping sensitive records, you have to let those affected know. It could even be something as simple as accidentally emailing a confidential attachment to the wrong contact. If something happens and you keep it to yourself, you might end up with a $10,000 fine.

The update also says that if you’re using a cloud service provider that’s based overseas, you’d better check they’re compliant with New Zealand’s laws. For example, if you’re storing staff and customer records through Dropbox or Google Drive, that means they’re held by a US company. You need to make sure that information still has all the right protections. (PaySauce customers, don’t fret - we’re 100% Kiwi and we play by NZ rules when it comes to your employees’ data). If someone’s personal info is going to an overseas organisation that doesn’t follow NZ rules, you need to get their permission.

Stay Clear

New to all this privacy stuff? Don’t do a Zuckerberg. Be transparent! Create a clear, honest privacy statement and make sure all your customers see it. Here’s a pretty awesome tool to help you build a custom-made privacy statement, really easily. You might find that the questions in this tool actually help you reassess what information you’re collecting, and why.

You’ll probably want to draft up a plan for how you would notify affected customers if a data breach did occur, and make sure there’s a Privacy Officer in your company. That’s just somebody who’s in charge of keeping everybody on the straight and narrow, and dealing with any confidentiality questions or issues.

For your staff, have a basic privacy policy that everybody reads and signs. Outline what can be shared and what can’t, and how to keep things safe. Even if you feel like you’re stating the obvious, just remember, common sense ain’t always common.

 

See the new Privacy Bill here.

 

Want to talk about privacy, payments, or the people part of business? We’re always up for a yarn. Punch in 0800 746 701 or head here.