Posted on

Privacy Act 2020: are you up to speed with what you need to know?

Did you know New Zealand hasn’t changed its Privacy Act since 1993?

Considering how much our world — and the ways we need to think about privacy and sharing our personal information — has changed since then, it’s pretty exciting that the Privacy Act 2020 is about to come into effect. 

We’re delighted to mark Privacy Week by launching a new Privacy Awareness training programme created with our friends at Simply Privacy. It’s all about New Zealand privacy law and how it impacts you and your organisation.

As we’ve been working on this programme, we’ve been thinking about how vital it is for organisations to help their people understand what privacy is, why it’s important, and how to safely and respectfully handle people’s personal information.

And just as essential, to create a culture where everyone feels comfortable to speak up if they see something that could lead to a privacy breach.

We hope our training modules will help get those conversations started.

Emma Pond is a director at Simply Privacy, and she shares her thoughts below about why privacy matters and how organisations can do it really well.

How to be a privacy champion (and avoid a chestburster)

2020 has by and large been a challenging year, but for privacy enthusiasts like us at Simply Privacy (AKA big privacy nerds), there’s been one good thing that’s come out of it. New Zealand finally has its long awaited new privacy law: the Privacy Act 2020.

Coming into effect on 1 December, the Act brings in some new obligations for us all, including a requirement to notify serious privacy breaches to the Privacy Commissioner and the people whose information is involved.

And while complying with the law is important, we think this brave new privacy world also brings a golden opportunity for all of us to pause and think about what privacy is and why it matters to us — both personally and at work.

This isn’t just for navel gazing purposes. Understanding why something matters helps us internalise it, and soon it just becomes part of the way we do things (“culture”, anyone?). If you want your organisation to “do privacy right” then this understanding and internalising is precisely what you want your team to do.

So what even is privacy?

At its heart, privacy is having control over your personal information — the information that is about you.

Privacy laws give individuals rights to know when personal information is being collected about them, what it will be used for, and who it will be given to.

On the flip side, organisations have obligations to make sure they’re handling personal information transparently and with care and respect.

There’s more to meeting privacy obligations than legal compliance

When organisations handle privacy properly, everyone involved knows what the deal is, and there are no nasty surprises lurking. This creates a beautiful, valuable thing: trust.

Trust helps business go better. If your customers trust that you’ll keep their personal information safe and do exactly what you said you’d do with it (and nothing more), they’ll be much more likely to give it to you. And because they trust you, they’ll also hopefully give you the good stuff — the accurate, timely, useful, relevant information that you need to do cool things.

Of course, this trust thing can be a delicate beast. Once trust is broken, it takes time and hard work to restore. Sometimes it never does get restored — that customer, employee, or supplier decides they’re better off with someone else and that’s the last you see of them.

Dealing with a breach: if it happens, handle it well

Sadly, we do sometimes see trust being broken when it comes to privacy.

The most common example is when an agency has a privacy breach. Privacy breaches are bad things in themselves, but there’s a certain amount of inevitability about them. While it’s super important to do your best to prevent breaches from happening in the first place, it’s almost as important to handle them well if (or when) they happen. Handling a privacy breach well can go a long way towards stabilising your relationship with the people who have been affected.

First up, your staff need to know what a privacy breach might look like, and what to do if they discover (or create) one. The last thing you want is for something to be missed or ignored, only for it to fester and grow and eventually burst forth like an alien out of the company chest.

Once the breach has been identified and escalated to your Privacy Officer (yes, you’re legally required to have one), make sure your organisation keeps the people who have been affected squarely in the centre of any decision-making.

This means your communications about the breach need to be clear, authentic, and timely, and they need to provide enough detail so people can understand what the impact on them might be. You should also offer practical advice and assistance to help them deal with any fallout caused by your breach.

Earn back that all-important trust

If you do all of the above well, and avoid the temptation to fudge or minimise what happened, then you’ll be on the road to regaining that precious trust.

Trust is both the product of and the end goal of good privacy practices, so do everything you can to make sure your organisation and the people who work in it understand what privacy is and why it matters.

Investing in your team’s understanding of privacy puts you in a strong position to build and sustain trust with everyone you work with. Even if you do have to deal with a privacy breach one day, you’ll have a strong foundation of trust to work from.

Ready to level up your organisation’s privacy knowledge?

SafeStack Academy’s Privacy Awareness training programme is designed to help you and your team make sense of your privacy obligations, in a way that’s easy to understand and put into practice.

Folder, person reading about privacy principles, privacy checklist, and Frankie

The programme is made up of four short modules that are full of practical information you can use right away. The modules highlight topics like when you need to think about privacy law, how to handle personal information lawfully and respectfully, and the Privacy Principles and how to apply them.

The first two modules — Introduction to Privacy and Principles of the New Zealand Privacy Act 2020 — are available now. Two more modules — Handling Information Requests and Managing Privacy Breaches — will be released next year.

You can buy the Privacy Awareness programme on its own, or as an add-on to our Security Awareness programme. Find out more on our website.

We love to hear from you

We hope this programme gets you and your team thinking about privacy and how to safely and respectfully handle people’s personal information. We’d love to hear your feedback. Drop us a line on and let us know what you think.