Ready, set, go – update your policies and procedures now for privacy changes

It’s time for social, health and other services to get their policies and procedures ready for the new Privacy Act 2020. The Act commences on 1 December.

The Act applies to all social service and health providers and the range of personal information that agencies collect for referral, service delivery, employment and other purposes.

The Act is not revolutionary. Much of the current privacy regime will continue.

However, the Act introduces some changes that agencies will need to reflect in their organisational policies and procedures. Two of the changes are a new obligation to collect information in a fair manner and a duty to report serious privacy breaches.

Fairness when collecting personal information

The Act requires that collection methods are fair, with particular regard given to the circumstances of children/tamariki. The requirement aligns us with overseas jurisdictions like Canada and with Europe’s General Data Protection Regulation (article 5(1)(a)).

The obligation to act fairly is closely linked to Principle 3, which requires that when collecting information from a person, that person is made aware of a number of matters including:

  • the purpose of collection
  • what will be done with the information collected
  • their right to correct the information etc

To act fairly you must not act in a misleading or deceptive way.

As a social or health service collecting personal information, to be fair you need to inform the person about Principle 3 matters in a way that is understandable and appropriate to them. Collection methods should therefore take into account and be responsive to disability-related needs, cultural backgrounds, and language and cultural differences.

What does fairness mean when working with children/tamariki?

If personal information is being collected from a child, fairness requires that agencies should consider and address the risks that the tamaiti/rangatahi will be less aware of their rights, less able to understand the purpose of collection and the importance of safeguards.

Their best interests should be considered (as elaborated in the Oranga Tamariki Act 1989 and UNCROC), along with how their personal information can be collected in a way that:

  • addresses their needs, age, ability, culture
  • supports their wellbeing
  • avoids causing harm, detriment or undue interference to them and their whānau
  • supports the primary role of their parents and those with whanaungatanga responsibilities for them, and
  • other circumstances relevant to the child/rangatahi.

To collect information fairly, think about using age-appropriate formats (eg using diagrams, cartoons, graphics, gamification, videos etc) and ensure information is given to parents and whānau in clear and accessible ways.

Duty to notify serious harm

The new Act makes it mandatory to report notifiable privacy breaches to the Privacy Commissioner and affected persons. To be notifiable, the breach must have caused or pose a risk of serious harm to a person.

This requirement aligns with notifiable breach provisions in other countries like Canada and Australia. There are three reasons for it:

  • people have a right to know that their privacy has been breached and should be made aware of the breach so that they can minimise adverse impacts
  • agencies are more likely to take the security of personal information seriously (and to address breaches early before harm is caused) if they know they have to report a breach, and
  • to assist the Privacy Commissioner to address systemic privacy issues.

A failure to comply with the requirement to report a breach will attract a sizeable penalty.

This new requirement is basically a call to pull up our socks when it comes to safeguarding against privacy breaches and to ensure that we manage breaches in a responsible and accountable way.

Updating your policies and procedures

We’ve recently reviewed and updated our privacy policy suite for our online subscribers.

If you’re not a subscriber, now is a good time to join us. You will get:

  • updated privacy policies PLUS
  • access to the full range of policies and procedures aimed at the Social Sector and Health and Disability standards PLUS
  • the policies customised to your branding/unique aspects of your organisation PLUS
  • no more worry about the reviews and updating because we do it for you PLUS
  • the benefit of cross-sector input to reviews and updates.

Book your Free Policy Consult now – if you want to know more about our online policies and procedures.

If, however, you want to stick with the DIY approach, it’s time to get ready – 1 December is not far away! The Office of the Privacy Commissioner has some great resources to help you.

For more on fair practice with children see, eg, Age Appropriate Design: a code of practice for online services.