With the Privacy Act 2020 coming into force on December 01, 2020, there are important changes underway that will impact how NZ organisations – including financial advice businesses – operate in this increasingly digital world.
As part of our webinar series Bring in the Experts, Campbell Featherstone and David Ireland from law firm Dentons Kensington Swan talked about what this piece of legislation means for financial advisers, and the practical steps you can take to ensure your privacy settings are fit for purpose for the new regime.
The overarching message is that being compliant with the new Privacy Act isn’t just about legislation; it’s about your reputation, your clients’ safety and confidence, and public trust in financial services. Let’s dive in.
New principle of ‘data minimisation’
As you’ll know, the Privacy Act 2020 repeals and replaces the 1993 Act. While the overall principles are mostly unchanged, the ‘refreshed’ version of the law acknowledges that a lot has happened in the past 27 years in the way businesses interact with clients and collect information.
Under the new principle of ‘data minimisation’, all companies – including financial advice businesses – must only collect and keep personal information that is needed (e.g. data related to the advice you provide), for only as long as it is needed (e.g. at least seven years as per FAP licence standard conditions).
Binding access direction
The Privacy Act 2020 gives individuals in New Zealand a right to access the personal information you hold about them (with a few exceptions). Importantly, unlike current legislation, the Privacy Commissioner will now have the authority to compel the release of this information (upon the individual’s request) by issuing an ‘access direction’. Failing to comply without a reasonable excuse can result in a fine of up to $10,000.
Mandatory data breach reporting
Data breach reporting shifts from voluntary to mandatory. It’s important to note that this obligation only concerns ‘notifiable’ privacy breaches. What’s notifiable? Generally speaking, if it’s reasonable to believe that the breach would cause serious harm to an individual, then the breach is ‘notifiable’.
The threshold may not always be clear, so the experts at Dentons Kensington Swan recommended a cautious approach – when in doubt, notify the Privacy Commissioner as soon as possible.
As technology evolves and becomes more sophisticated, so do the privacy challenges that we face. Cloud computing is a good example. Unlike 1993, data is no longer stored in large filing cabinets but rather lives in ‘the cloud’ – a metaphor for the internet and its ubiquitous data centres all over the world.
The Privacy Act 2020 says that, when you’re engaging with a service provider to hold your clients’ personal data (e.g. a cloud-based CRM system), you remain responsible for the security and use of that personal information.
A four-pillar strategy to get privacy-ready
Practical tips and insights were scattered throughout the webinar, and in essence, they boiled down to one overarching message: Now is the time to be proactive. Here are some technical and organisational steps to get your current privacy practices up to speed.
1. Be proactive
To quote Campbell Featherstone: “Don’t wait until privacy becomes an issue. Take a holistic approach to privacy from the onset of designing any process or service.”
2. Document your privacy processes
Under the new Privacy Act, it’s important to know where your clients’ information is kept at all times, so you can easily access the right data upon request. From both an organisational and technical standpoint, documenting processes is about efficiency and security – it is what you need to respond to security breaches faster and to maintain proper data hygiene.
3. Have a response plan
The reality is, privacy breaches can happen to businesses of any size and industry. And with cyber-crime getting more sophisticated by the day, it’s important to prepare well before it happens. Consumers care a lot about the integrity of their personal information, so a privacy breach can be very damaging to your reputation, undermining the level of trust consumers (clients and prospects) have in your business.
If a notifiable data breach happens, you must notify the Privacy Commissioner as soon as possible. Consider how you’ll be managing this within the business, and who else may be involved in your plan – like your lawyer, a PR agency, and your IT provider in case of a technical breach. Also, think about the messaging to your clients. Once their trust has been eroded, you’ll need to do some remedial work to rebuild your reputation.
The bottom line is: Plan ahead, act fast, be transparent. The sooner and more comprehensive your response is, the more likely you are to resolve the issue and repair your reputation quickly.
4. Look at your security
Lastly, if your clients’ data is stored online, engage closely with your IT service provider. Make sure they have robust policies in place to protect information, and that your agreements with them give you effective rights with regard to privacy. For example, are they required to cooperate with you in case of a privacy breach?
Keep in mind that this is also relevant under the new financial advice regime, and the proposed standard condition that relates to outsourcing.
Like more information?
As you know, clients entrust advisers with their most sensitive information and protecting their data is paramount. If you would like more information about the new Privacy Act 2020, we welcome you to listen to the full webinar here and to contact the team at Financial Advice New Zealand should you need assistance.