Privacy In Practice – Understanding the Privacy Act 2020
There has been a lot of buzz recently about privacy and what the Privacy Act 2020 (“Act”) means for organisations in the real world. It can be tricky to navigate, so we will cover some basics here.
There are 13 Privacy Principles that any agency must comply with in relation to the collection, use, disclosure, access, correction, retention and deletion of personal information. That can be the personal information of staff, customers, people who complete website forms, and so on. As soon as personal information is collected, such as a customer providing their name or email address, the Act is triggered. There are also obligations elsewhere in the Act, for example the requirement for every agency to have a nominated Privacy Officer and to make that person/role known to people who share information with the agency, as the Privacy Officer will need to deal with any requests regarding personal information (such as correction of or access to personal information).
One of the simplest ways to comply with some of these obligations is to ensure the agency has an up-to-date and accurate privacy policy.
Beware: if the agency is an incorporated society or a trust, or has a membership list of any kind, the members or individuals on the list must be made aware of why information is collected about them, how it will be used, who will be able to access it, etc. It can be tempting to use lists like that for convenience (e.g. as a mailing or contact list), but unless the individuals understand and have consented to that use, the relevant agency risks being in breach of the Act.
A privacy policy should cover how the agency in question meets the Privacy Principles, along with matters such as the identity of the Privacy Officer and how incidents such as data leaks will be addressed (including external measures such as informing potentially affected customers).
A privacy policy needs to be tailored to the agency in question (using a “cookie cutter” template can create, rather than remedy, potential breaches). Relying on third-party privacy policies to cover your agency also doesn’t offer protection. Usually that third party will be clear that its privacy policy applies only to that third party, and remember, your agency will likely be making use of different information, or of the same information in a different way.
For more information
If you or your organisation would like advice about privacy policies or the current Act, please do not hesitate to reach out. For more information, please contact 04 472 0020 or one of our employment law experts.
JB Morrison Employment Law