Getting ready for Privacy Act 2020 - Checklist

The Privacy Act 2020 came into effect on 1 December 2020.
We’ve made a checklist of the key things we think organisations should do to get in shape for it:
Get your governance settings right

  • Appoint a Privacy Officer, if you haven’t already – it’s a mandatory requirement
  • Formalise your privacy accountabilities and reporting, to ensure that privacy gets the appropriate level of attention and resourcing for your organisation’s risk
  • Map where personal information sits within your organisation’s systems

Prepare for mandatory privacy breach notification

  • Ensure the systems holding your more sensitive personal information enable you to determine who has accessed what and when in the event of a breach
  • Ensure your service providers have satisfactory security safeguards in place
  • Ensure your service providers are required to notify you of a privacy breach and help you deal with it
  • Ensure your staff can identify a privacy breach and know who to report it to
  • Establish a privacy breach response plan
  • Practise your privacy breach response plan with the right people involved
  • Draft some notification communications to have ready to go (for the Privacy Commissioner and affected individuals)
  • Think about who else you might have to notify in the event of a privacy breach (e.g. insurers/NZX/Police)
  • Ensure you can still run your breach response while a privacy breach is under way (e.g. if you can’t access your systems)

Consider the relevance of tweaks to other IPPs

  • IPP 1 – Purpose of collection – Review what personal information your organisation is collecting, including personal identifiers, and make sure it’s all necessary
  • IPP 4 – Manner of collection – Check if you collect personal information directly from children/young people and if so, assess whether this is being done fairly, transparently and proportionately
  • IPP 13 – Unique identifiers – Ensure you’re taking appropriate steps to minimise the harm of misuse of your unique identifiers

Get ready for cross-border information sharing

  • Identify what personal information your organisation is sharing overseas, and for what purpose
  • Remember – disclosures to overseas service providers are not covered by the new IPP 12, but must comply with IPP 5 (your data must be protected from harm)
  • If you’re sharing personal information with a foreign entity that is not solely delivering services to your organisation, ensure:
    o An exception to IPP 12 applies to permit the disclosure (document your justification)
    o If you want to rely on the contractual exception, your current contracts provide for sufficient safeguards and limitations
    o Ongoing governance around cross-border information sharing, to ensure exceptions still apply (e.g. if relying on equivalent laws)

Fine-tune your processes for handling information requests

  • Check your identification verification processes to see if they are fit for purpose, including:
    o how to reduce the risk of impersonation
    o whether your staff understand and can identify when an information request may be made under threat of physical or mental harm
  • Ensure your information request process allows requests for urgency to be appropriately considered
  • Ensure your automated deletion processes can be paused to allow for the retention of personal information that has been requested under IPP 6

Take the opportunity to improve general privacy hygiene

  • Check your external-facing privacy statement is accurate and easy to understand
  • Use the new law as a lever to get your people thinking about privacy not just as a compliance exercise but as an opportunity to build trust
  • Consider whether you need to review your insurance coverage
  • Consider refreshing your information security awareness training for your staff – especially around email use and phishing, which are a significant cause of privacy breaches
  • Don’t forget your employee personal information – you have the same obligations there