Requests for personal information covered by the Privacy Act are commonplace in employment disputes.
The updated Pr
ivacy Act is coming into force on 1 December 2020. Now is the time to consider the changes and think about how it may affect you and the work you do.
The amendments introduce a number of changes. Some of the key changes to bear in mind are:
Mandatory reporting of privacy breaches
Currently when there is a privacy breach, whether an agency (an employer is an agency) reports it to the Privacy Commissioner or the affected individuals is voluntary. The Act imposes mandatory reporting of breaches but only where the breach causes or risks causing serious harm. Failure to report such a breach would be an offence that could result in a fine of up to $10,000.
New offences
The Act also introduces the offence of misleading an agency to obtain access to someone else’s personal information and the offence of destroying a document containing personal information knowing that a request has been made. The Act increases penalties to a fine of up to $10,000, rather than the current maximum of $2,000.
Additional powers for the Privacy Commissioner
Currently the powers of the Privacy Commissioner are largely confined to when there is an interference with privacy resulting in a complaint by an individual.
The changes give the Commissioner new powers including the ability to issue compliance notices for privacy breaches without requiring a complaint, make binding decisions on requests to access information, and the ability to use discretion not to investigate a complaint.
These changes allow the Privacy Commissioner to be more proactive with privacy issues and reduce the case load in the Human Rights Review Tribunal.
Modernisation
The new Act clarifies how the Act applies to Cloud service providers, and it makes it clear that personal information can be provided electronically.
The Act also provides clarification of when the Act applies to overseas agencies, responding to issues about international social media companies and big multinationals, including where there is transfer of information overseas.
New Privacy principle
There is an additional privacy principle, Privacy Principle 12, which places limits on disclosing information overseas.
How to prepare
There are less than three months until these changes come into effect, so it is a good idea to think about any changes or training that may need to occur in your organisation.
Think about your policies and whether they may need to be updated.
Also consider whether additional training in privacy issues may be useful, particularly given the increased powers of the Privacy Commissioner and the new offence relating to destruction of documents. The Office of the Privacy Commissioner website provides free educational resources for individuals to better understand the privacy laws.