References

Full source list for The Privacy Act applies to my business. What do I actually have to do?

Five numbered references for /wayfinder/refs/privacy-act-for-smbs:

1. Privacy Officer requirement: section 201 of the Privacy Act 2020 requires every agency to designate at least one Privacy Officer. The Privacy Officer's functions include encouraging compliance with the IPPs, dealing with requests under the Act, working with the Privacy Commissioner, and ensuring compliance generally. No specific qualifications are required; appointment is internal.

  • Privacy Act 2020 section 201 — legislation.govt.nz

2. Notifiable privacy breach framework: Part 6 of the Privacy Act 2020 (sections 112-119) establishes the notifiable privacy breach regime. A privacy breach is notifiable when it is reasonable to believe the breach has caused, or is likely to cause, serious harm to one or more affected individuals. Factors for assessing serious harm are set out in section 113. Notification to the Privacy Commissioner and affected individuals must be made as soon as practicable. Failure to notify is an offence under section 118 punishable by a fine not exceeding $10,000.

  • Privacy Act 2020 Part 6 — legislation.govt.nz
  • Office of the Privacy Commissioner — Notifiable privacy breaches — privacy.org.nz

3. The 13 Information Privacy Principles: section 22 of the Privacy Act 2020 sets out the IPPs governing the lifecycle of personal information. IPP 1 (purpose for collection), IPP 2 (source — collect from the individual where possible), IPP 3 (collection notice), IPP 4 (manner of collection — lawful and fair), IPP 5 (storage and security), IPP 6 (access by the individual), IPP 7 (correction), IPP 8 (accuracy before use), IPP 9 (retention), IPP 10 (use), IPP 11 (disclosure), IPP 12 (overseas disclosure), IPP 13 (unique identifiers).

  • Privacy Act 2020 section 22 — legislation.govt.nz

4. IPP 12 overseas disclosure: the Privacy Act 2020 imposes specific requirements on disclosure of personal information outside New Zealand. Section 22 IPP 12 requires that the receiving agency either be subject to comparable privacy safeguards or be bound by contractual privacy obligations, or that the individual concerned has authorised the transfer. This catches most SMBs using cloud-based services hosted overseas (US-based SaaS, Australian data centres) and requires either contractual privacy terms in the supplier contract or a comparable-jurisdiction assessment.

  • Privacy Act 2020 section 22 IPP 12 — legislation.govt.nz

5. Privacy Commissioner enforcement powers: sections 84-92 of the Privacy Act 2020 give the Privacy Commissioner powers to investigate complaints (including own-motion investigations), to issue compliance notices, and to publish those notices. Non-compliance with a compliance notice is an offence. Individual complaints can also be taken to the Human Rights Review Tribunal under section 98, which can order damages.

  • Privacy Act 2020 sections 84-92 and 98 — legislation.govt.nz