Privacy Act 2020 | What's changed?

On December 1st, the new Privacy Act came into force. While much of the Act remained unchanged, there were several additions to bring it up to date with the modern digital world. The most significant changes were:

  • It enforces penalties should an organisation fail to meet its compliance obligations.
  • It introduces public compliance notices.
  • It requires mandatory reporting of serious breaches to the Privacy Commissioner.

Our Responsibilities

As part of Yorb’s Managed Service Agreement, we take security seriously. We will endeavour to put the appropriate security in place to protect your systems and advise when we feel improvements can be made. At a minimum, we recommend that every business has:

  • An enterprise-grade firewall
  • Up-to-date anti-virus software
  • Software patch management
  • Multi-factor authentication

For more information on business security, please visit our Security page. You can also access our Security booklet here.

Your Responsibility

As Yorb does not have visibility of the type and sensitivity of the data you are storing, or of how you might be sharing it either internally or externally, we are unfortunately unable to certify your business's compliance with the Privacy Act. It is your responsibility to identify the Personally Identifiable Information (PII) stored within your systems and to ensure that appropriate controls are put in place around its use, in compliance with the Privacy Act. However, we are here to help and provide guidance. Learn how we can help in the assistance section below. Here are some important questions to consider:

  • Do you know all the information you collect about individuals and is it considered PII?
  • Where is the information stored?
  • What systems and policies have been put in place to protect the data?
  • Are you able to detect if data gets breached?
  • Who in the business is responsible for privacy?
  • Is your team trained to identify and handle PII?
  • Do you take into consideration data sovereignty and local privacy laws? For example, data stored regarding Australian or European residents must comply with the NDBR/GDPR.

What Next?

The Office of the Privacy Commissioner offers free online training on its eLearning platform (https://www.privacy.org.nz/further-resources/online-privacy-training-free/). This is an excellent resource for ensuring your teams understand the basics of what is required.

Need assistance?

We have a team of consultants available to tailor a data classification audit specific to your business and to work through items such as the following with your internal teams:

  • The current data silos you have.
  • The information that is stored in each of these silos.
  • The sensitivity of the information stored.
  • The security policies, protocols, and systems put around each silo.
  • Whether the level of security around each silo is appropriate for the information stored.
  • The mechanisms you have in place to detect that data has been breached.

Contact our team for further advice about the upcoming changes. We are here to support your business and help you meet the legislative requirements.