February 22, 2021
The Privacy Act 2020 came into force on 1 December 2020.
There have been numerous global changes to the law of privacy and data protection in recent years, the most notable being the European Union’s General Data Protection Regulation (GDPR), which was implemented in May 2018.
Aspects of the GDPR are reflected in the 2020 Act. For example, new Information Privacy Principle 12 provides that, in general, an agency may only disclose personal information to foreign agencies or entities if those foreign entities have comparable privacy laws or data protection safeguards to those contained in the 2020 Act.
The 2020 Act also introduces mandatory breach notification. If an agency experiences a privacy breach (such as unauthorised or accidental access to personal information) that it is reasonable to believe has caused, or is likely to cause, harm to an affected individual, that agency must notify the Privacy Commissioner. Failing to report such a breach can carry a fine of up to $10,000.
The 2020 Act replaces the Privacy Act 1993.