Privacy 2020 Flashcards
What is the Privacy Act?
Strengthens privacy protections. It promotes early intervention and risk management by agencies (the name used for any organization or person that handles personal information) and enhances the role of the Privacy Commissioner.
What are the key changes to the Privacy Act in 2020?
-requirements to report privacy breaches
-compliance notice
-decisions on access requests
-strengthening cross-border protections
-class actions
-New criminal offenses
-strengthening the Privacy Commissioner's info-gathering power
What are the requirements to report privacy breaches?
If an agency has a privacy breach that causes serious harm or is likely to do so, it must notify the people affected and the Commissioner.
What are the compliance notices?
The Commissioner will be able to issue compliance notices to require an agency to do something or stop doing something.
What are the decisions on access requests?
The Commissioner will make decisions on complaints about access to information, rather than the Human Rights Review Tribunal. Decisions can be appealed to the Tribunal.
What is strengthening cross-border protections?
New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by comparable privacy standards. A New Zealand agency that engages an overseas service provider will comply with New Zealand privacy laws.
What are the class actions?
The Act permits class actions in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings.
What are the new criminal offenses?
It will be an offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it. The penalty will be a fine of up to $10,000.
What is strengthening the Privacy Commissioner’s information-gathering power?
The Commissioner will be able to shorten the timeframe in which an agency must comply with investigations, and the penalty for non-compliance will be increased from $2,000 to $10,000.
What is principle 1?
Purpose for collection of personal information
- An organization can collect information if it is for a lawful and necessary purpose. It is also necessary to make sure that, when collecting info, no identifying info is being collected.
- If there is unnecessary information collected and the same outcome can be achieved without it, then the information should not be collected at all.
What is principle 2?
Source of information
- The information being collected should come directly from the individual themselves ensuring that the person involved knows what’s going on, they have control of their own information, and that information is up to date
- However information can be collected from someone else if allowed by that individual, or if it’s from a public source
What is principle 3?
Collection of information from subject
- This principle makes it so the organization collecting the information should be open as to why they are collecting the information and what they plan to do with it. The individual should also know who will receive the info, if it is compulsory (like in law investigations) or voluntary, and what happens if the information isn’t provided.
What is principle 4?
Manner of collection of personal information
-Must be collected in lawful and reasonable conditions that make it fair, which could vary depending on the individual, and may depend on if the collection of info intrudes on privacy.
What is principle 5?
Storage and security of information
- Organizations must keep that information in a secure and guarded location so that it is not lost, given unauthorised access, or that the information is not misused.
- Includes employees accessing info that they are not entitled to.
What is principle 6?
Access to personal information
-Individuals have a right to know information that an organization may have about them; they have the right to access this information.
-However, the organization can deny a request, such as if the information can put someone's safety at risk or it breaches others' privacy.
What is principle 7?
Correction of personal information
-The individual is entitled to ask the organization to update information that they don’t feel is accurate. The organization can deny this but must disclose a statement stating that the person has challenged the accuracy.
What is principle 8?
Accuracy, etc, of personal information to be checked before use or disclosure
- Pretty self-explanatory: the organization must make sure the information is accurate before they can use or disclose it.
What is principle 9?
Agency not to keep personal information for longer than necessary
-The organization should only keep the information as needed for the primary purpose and for a specific period under the Public Records Act.
What is principle 10?
Limit on use of personal information
- The information collected should only be used for the original intended purpose and not used for anything else.
What is principle 11?
Limits on disclosing personal information
-Organisation can only disclose information when it was the original intention to disclose information to another org., if it is directly related to the original reason of collection, or when necessary to pass on to law enforcement for investigations
What is principle 12?
Disclosure of personal information outside New Zealand
This principle was newly added to the 2020 Act, stating that organizations working with countries overseas must have comparable privacy laws to that of New Zealand before the organization can disclose information.
What is principle 13?
Unique identifiers
-Organizations need to exclude any identifying numbers or unique identifiers unless the information is necessary for the function of the purpose. Unique identifiers may be individuals' numbers or forms of identification, and a UI may not be assigned to someone if already done so by another organization; this prevents government from giving one number for all your dealings with gov organizations.