Practical Privacy Tips for Companies and Organisations 

People care how their personal information is used, much more so in recent times.  It has become much harder for individuals to keep control of their information.  Similarly, organisations face major challenges in managing the personal information they hold about, for example, their customers, patients and employees.

Hamish.Fletcher Lawyers is very strongly of the view that embracing privacy and keeping up high levels of compliance with privacy obligations is a value-add opportunity.  Privacy is now a mainstream issue and people are becoming less likely to support organisations that don’t respect privacy rights.  That means a potential loss of trust, followed by a loss of reputation and sales.

The Privacy Building Blocks

The Privacy Act 1993 (the PA) applies to most individuals, companies and organisations in New Zealand.  The PA is currently under review and will most likely be replaced by an updated new Act in March 2020.

One key concept underpins the PA: the definition of “personal information”, which is information about an identifiable individual.  The primary purpose of the PA is to promote and protect individual privacy, specifically the personal information of individuals.

The basic building blocks of the PA are the 12 Information Privacy Principles (IPPs).  Everyone must comply with these IPPs, and the purpose of this short article is to provide some tips on how to manage this process within a small to medium-sized enterprise (SME).  The same principles can be applied to government entities and larger organisations.

First, a reminder of what the 12 IPPs look like:

  1. IPP 1 – Purpose of collection of personal information – must be lawful and necessary
  2. IPP 2 – Source of personal information – must be from the individual concerned
  3. IPP 3 – Collection process – informing the individual about the collection process
  4. IPP 4 – Manner of collection – cannot be unlawful, unfair or intrusive
  5. IPP 5 – Storage and security of personal information – must be kept securely
  6. IPP 6 – Access to personal information – access must be given to the individual concerned
  7. IPP 7 – Correction of personal information – wrong information must be corrected
  8. IPP 8 – Accuracy – the information must be up-to-date, accurate and complete
  9. IPP 9 – Retention – information must not be held longer than required for the purpose
  10. IPP 10 – Limits on use – can’t use information collected for one purpose for another purpose
  11. IPP 11 – Limits on disclosure – strict limits on disclosure to third parties
  12. IPP 12 – Use of unique identifiers – e.g. driver licence numbers; limited use allowed.

Most of the IPPs have exceptions.  For example, IPP 2 allows an organisation to collect personal information from sources other than the individual concerned in some circumstances, such as where this is necessary for the protection of public revenue.

Practical Tips

  1. Think about your privacy obligations in line with the type and scale of your business.  There is no need to over-complicate your business processes in doing this.
  2. Know what personal information you hold on individuals as a starting point.  If you are unable to take this first basic step, then some alarm bells should be ringing.
  3. Put in place a process to deal with privacy, whether that is maintaining current data about the personal information you hold, or dealing with a privacy complaint or breach.
  4. Individuals have extensive rights under the PA.  If your organisation does not comply with the primary obligation (such as collecting the information directly from the individual – IPP 2), be prepared to answer questions about which exception applies.
  5. To prepare for privacy problems identify a person, or build a group of people (depending on your size), who understand the basic requirements of the PA and who are responsible for following internal privacy processes.  Identify those who will be frontline troops in the case of a crisis.
  6. Kill off any sign of excessive confidence in your privacy team that serious privacy issues are simple to understand.  There is a mountain of recent evidence to show that even highly experienced organisations can misunderstand and misapply simple language in the PA.


Having the right privacy framework in place will minimise the risk of a complaint, which could otherwise lead to financial claims for damages or even prosecution and fines.  We can assist organisations to build a privacy framework, including:

• Privacy audits
• Privacy policies
• Compliance programmes
• Privacy impact assessments
• Privacy request management programmes.

As noted above, we take the view that meeting these challenges and creating the right privacy environment can deliver real business benefits rather than simply being a compliance burden.

By: Chris Appleby, July 2019