Whether it’s customer details or employee information, it’s likely you keep some personal information on file. The protection of personal information is important for any business, especially with the introduction of the much-anticipated Privacy Act 2020 in New Zealand.

The new act builds on the strengths of the previous 1993 Act but has been updated to ensure our privacy laws remain fit for purpose in the digital age. As such, it creates new requirements for employers and payroll to navigate.

Here are some of the key changes you need to know.

Mandatory breach notification

It is now mandatory to notify the Privacy Commissioner, and affected individuals where relevant, of a privacy breach that is likely to cause serious harm. Failure to do so without reasonable excuse carries a fine of up to NZ$10,000.

Privacy breaches and careless handling of personal information are a sure way to lose the trust and confidence of your employees. To reduce the financial and reputational risks associated with privacy breaches, keep your physical and electronic payroll records in a system that is always secured against unauthorised access.

Information privacy principle 12 (IPP 12): Disclosure of personal information outside New Zealand

The newly introduced IPP 12 imposes greater protection on the disclosure of personal information to foreign entities or persons, including a requirement that the disclosing New Zealand agency be satisfied the recipient is subject to privacy safeguards comparable to those in New Zealand.

IPP 12 does not apply to the use of offshore cloud services to store and process personal information, so long as the overseas provider is acting only as the agency's agent and is not using the data for its own purposes. In these situations the New Zealand business or organisation remains responsible for ensuring compliance with the act.

If you use an overseas-based payroll provider, ensure you find out how it’s meeting New Zealand privacy laws. You’ll want to be satisfied that it has appropriate security measures in place to protect your payroll information and it will cooperate with any investigations or personal information requests.

The extra-territorial effect on overseas agencies that carry on business in New Zealand

This means that organisations that collect or hold personal information about New Zealanders while carrying on business here are subject to the act regardless of whether they have a physical place of business in New Zealand.

Binding access determinations

If a business or organisation refuses to make personal information available on request, the Privacy Commissioner now has the power to direct that the information be released.

Information requests often have to be answered from a range of sources to meet the 20-working-day deadline. For example, a former employee might ask for their most recent employment records: some of that information may be held in HR (human resources) files, while pay information is kept by the payroll department. That is why it is important that your records are accurate, complete, up to date, and easy to retrieve.

Compliance and criminal offences

The Privacy Commissioner can issue compliance notices requiring a business or organisation to do something, or to stop doing something, in order to comply with the act. Failure to comply with a notice can result in a fine of up to NZ$10,000.

It is also now an offence to mislead a business or organisation in order to obtain access to someone else's personal information (for example, by impersonation), or to deliberately destroy personal information knowing that a request to access it has been made. The penalty for these offences is a fine of up to NZ$10,000.

Are your privacy practices up to date?

Businesses collecting, using, or storing personal information should now be prepared to identify privacy breaches and determine the appropriate action to take when one occurs, including notifying the Privacy Commissioner where applicable.

The financial and reputational risks of privacy breaches mean the security of your business systems and data should be taken seriously. This means keeping any personal information stored electronically safe from breaches and doing whatever you reasonably can to protect any paper files or documents.

As data held in the payroll system is almost entirely personal information, talk to your payroll supplier to ensure it has a firm commitment to ongoing security which is validated by regular independent audits. And, if you’re still using paper-based payroll processing, then consider the advantages of moving to a modern cloud solution.

The Office of the Privacy Commissioner has introduced a range of resources to help businesses and individuals understand and comply with the new requirements. This includes ‘NotifyUs’ – a privacy breach reporting tool that businesses can use as a guide to assess if the privacy commissioner needs to be notified of a potential breach.

Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose. We expressly disclaim any liability to you or your business in relation to the information contained in this article, and you rely on any information solely at your own risk.
