Privacy laws are changing. Are you ready?
Before the updated Privacy Bill of 2019, the last time New Zealand updated its Privacy Act was in 1993. Over the last 26 years we have seen rapid growth and changes in both technology and cyber-crime.
The updated Privacy Bill, set to be introduced by July 2019, is New Zealand playing catch up with the unintended and potentially harmful consequences of technology. As technology – including devices, printers, hardware and software – becomes more sophisticated and more common, so too does cyber-crime. New Zealand companies are exposed to more vulnerabilities than ever before from the risks of both intentional harm (like being hacked), and accidental harm (like unauthorised people seeing data they shouldn’t or sharing personal information incorrectly).
The new Privacy Bill will also bring New Zealand more in line with what’s happening around the world, including the European General Data Protection Regulation (GDPR).
The Privacy Bill 2019
Here are some of the key things you need to know:
- If someone’s privacy has been breached and there’s a risk of serious harm to those affected, you must notify the NZ Privacy Commissioner and the affected individual(s) as soon as possible after the date of becoming aware of the breach.
- A privacy breach is: any unauthorised or accidental access to, or disclosure, change, loss or destruction of personal information; or an action that stops the agency from accessing the information either temporarily or permanently.
- A privacy breach may not have a malicious intent behind it – it also extends to your staff accidentally seeing information that they shouldn’t have.
- If your data is hosted by another organisation (e.g. a cloud service or technology company) and the breach is a result of their activity, you will still need to report the breach.
- What amounts to a privacy breach is set at a low threshold – which means, while many instances may not actually result in serious harm to individuals, the bar is set at “if there is a risk of” causing serious harm.
- What constitutes serious harm to the individual is broad and includes financial damage, emotional harm and injury to their rights, dignity or feelings.
- The Bill also sets out what is required when notifying individuals and the commissioner of a breach, as well as the steps the affected individual(s) may take. If it is not practical to give notice directly to individuals, businesses can issue a public notice.
- Consequences – if you fail to comply, you may be fined up to $10,000.
Also be aware that the Bill is still subject to change following feedback from the select committee, so there may be additional points to be aware of.
What does this mean?
So, what should you do? What changes can you adopt to make sure that you are secure, compliant, and doing the right thing by your employees, company and your clients?
Here are my top ten tips:
1) Identify – Ensure you’re up-to-date on how to identify, reduce and prevent information breaches.
2) Train – Educate your staff on best practice for sharing, storing, identifying and dealing with information breaches.
3) Evaluate – Check whether your technology can quickly identify and deal with information breaches. Check that your whole network is watertight and up-to-date, including your software, hardware, printers and security systems.
4) Monitor – Make sure your IT, printer software and security are monitored 24/7.
5) Decrease – You can reduce your exposure to attacks and mistakes by decreasing the amount of personal information your company stores.
6) Encrypt – Wherever possible, encrypt or anonymise personal information.
7) Manage risk and oversight – Depending on your resources and the size of your business, appoint an information protection officer or delegate tasks to a capable team member, so that you have someone who is responsible for oversight, managing risks, dealing with privacy breaches if they come up, and notifying the affected individual(s) and the Privacy Commissioner.
8) Record and report – Keep records of where personal information is stored, who can access it, and how and when it is shared.
9) Insurance – Depending on your circumstances, you may choose to talk to an adviser about cover that protects you against cyber-security risks.
And most importantly,
10) Policies – Put in place strong internal and external policies that all your staff are aware of, and that clearly lay out the above nine points.
Be ready for the change
The IT Psychiatrist can design and develop best practice policies, processes and strategies, so that you feel confident that your business is protected, compliant and ready for the new privacy rules.
You may also need some more support and resources to get ready for the changes. We can be your dedicated part-time IT manager for as long as you need.
If you want industry-leading and best practice IT policies, processes and strategies, or a part-time IT manager to help you get ready for the privacy changes, please give us a call.