Privacy Statements – Information for websites owners.

As of the 1st of December 2020, the new Privacy 2020 Act came into effect in New Zealand. So what does that mean for your website, and how should you respond to the changes?

The Act has been amended to make it more relevant to today’s landscape, where so much business and communication is conducted online.

Key changes that relate to websites include:

• Organisations should ensure they have robust systems in place for digital forms
• Organisations must give people the right to access their personal information
• Organisations should minimise the amount of information they collect from a person wherever possible (i.e. if the name and email is sufficient then don’t ask for more unnecessary information)
• If information is being sent overseas (i.e. a cloud-based service) then the organisation must ensure that the overseas company handles the data in accordance with the New Zealand Privacy Act 2020
• If an organisation has a breach, then they need to notify affected people directly and the Privacy Commissioner as soon as possible.

If you have an existing Privacy Statement on your website, now is a good time to review it.

If you’re collecting any information from a visitor on your website (for example, someone filling out a contact form on your enquiry page asking for a quote, or if someone is subscribing to a newsletter, or buying a product on your website), then the systems (sometimes referred to as plugins or modules) within the website will be collecting information about that person as they enter it into the form.

Your website may or may not store this information about the person (more specifically store the information on the server where the website is hosted – this can be in New Zealand or possibly in another country).

We think it’s good practice to let the person know about your privacy practices if you’re collecting information from them. The ‘Principles’ of the new Privacy Act 2020 also highlight this:

Principle 3:

When you collect personal information, you must take reasonable steps to make sure that the person knows why it’s being collected, who will receive it, whether giving it is compulsory or voluntary, what will happen if they don’t give you the information. Sometimes there may be good reasons for not letting a person know you are collecting their information – for example, if it would undermine the purpose of the collection, or if it’s just not possible to tell them.

A good starting point for what to include on your own Privacy Statement is the example provided on the NZ Digital Government site, found here: https://www.digital.govt.nz/home/about-digital-govt-nz/privacy/

Topics the example Privacy Statement covers are:

• Purpose of the privacy policy
• Collection, storage and use of personal information
  • No need to disclose personal information
  • Your disclosure of personal information
  • Holding of information
  • Use of personal information
  • Feedback
  • Submission forms
• Statistical information and cookies
  • Statistical information collected
  • Use of statistical information
  • Cookies
• Records and disclosure statement
• Correcting your personal information
  • Your rights
• What to do if you have a Privacy Complaint.

There are a number of templates available online via a quick google search. You can also use the government Privacy Statement generator tool: https://www.privacy.org.nz/tools/privacy-statement-generator/.

If you’re unsure, however, we’d recommend you seek the advice of a legal professional to help write your privacy statement. They will be able to assess your specific business requirements and work with your website developer to ascertain if there are any additional considerations that need to be taken into account. For example – your website enquiry form may talk to your CRM system (such as Hubspot), which may be hosted on a server that is outside of New Zealand. If this is the case, you’ll need to inform the user that their data may be sent offshore (it’s also important that the system you’re using is compliant with the NZ Privacy Act 2020).