What New Zealand’s Privacy Act 2020 means for APIs

On December 1st 2020, New Zealand’s revamped privacy act went into effect. The Privacy Act originally passed in 1993 and has been revisited multiple times, but the 2020 act clarifies its reach and outlines what organizations need to do in order to be compliant.

In addition to updating the original privacy act, Privacy Act 2020 also expands the office of the national Privacy Commissioner that can receive complaints from individuals, investigate privacy concerns, require organizations to make changes to their operations, and even impose fines on organizations not in compliance.

Let’s look at who it affects, and particularly how it affects you if you use APIs and cloud services. Then we’ll go over the 13 information privacy principles outlined in the act, and look at the immediate steps you should take to ensure compliance.

Who the act affects

Any individual, organization, or business that collects data from users or customers in New Zealand is affected. This new act explicitly clarifies the organization doesn’t need any physical or business presence in New Zealand. If you collect data from citizens of New Zealand, even if you don’t make a profit in any way, you are expected to comply with the privacy act.

What are the primary actions you need to take

If you’re already meeting the privacy standards set in other privacy regulations—such as GDPR—you’ve done most of the hard work. There are two key parts to be aware of, that require additional or modified processes.

The first is overseas disclosure. Whenever information about an individual is disclosed or moved overseas—outside of New Zealand—, you need to ensure the country it ends up in has comparable privacy protections to those in the New Zealand Privacy Act 2020. In other words, if you transfer personal information about a user to a third-party API in another country, you need to make sure the country where that organization exists has a similar privacy law. There are some exceptions to this, and you can explicitly receive consent from the individual to disclose their information in instances where this might be a problem.

The next key part requires you notify the individual affected and New Zealand’s Privacy Commissioner when a privacy breach occurs. A portal, NotifyUs, has been set up for organizations to report privacy breaches. There are a few exceptions where the immediate disclosure of a breach can be delayed, but these primarily deal with the security or protection of the individual, or even the protection of trade secrets.

Failure to be in compliance with either of these can result in fines—as does failing to meet any of the privacy principles we mention throughout this article.

What about APIs and Cloud Services?

When it comes to APIs and cloud services, it depends on how the data is used. For many cloud service providers—such as AWS—they are generally exempt from many of the more user-facing parts of the privacy principles. AWS outlines in their white paper, Using AWS in the Context of New Zealand Privacy Considerations, that they act as the agent, which means they store and process information without directly using it. In other words, the responsibility falls on you—the principle— to handle security of the information and your applications, and they will handle security of their servers. While the act puts responsibility on the organization collecting the data, both the organization and cloud providers can be held accountable if a data breach occurs.

When it comes to APIs where personal data about individuals is transmitted, particularly personally identifiable information (PIIs), you’ll want to make sure the overseas disclosure aspect of the act we mentioned above is being met. Additionally, you’ll need to ensure the APIs providers you use have a system in place to notify you—so that you can notify your customers—if a privacy breach occurs. Beyond that, you’ll need to notify users how their data is being used, and which services it is being exposed to.

Privacy Act 2020 Information Privacy Principles

The act is made up of 13 privacy principles. Principles 1,4, and 13 have been amended from the original 1993 act, while principle 12 is a new addition. A complete wording on each principle can be found in Part 3 Subpart 1 of the act, but here is a brief overview.

Principle 1: “Purpose of collection of personal information”

Organizations can only collect information directly connected to what their business does. They should also try to collect and use the least amount of information possible. The Privacy Commissioner encourages businesses to practice “data minimization” rather than capturing everything possible.

The 2020 act updated this principle to emphasize organizations should only collect information they need.

Principle 2: “Source of personal information”

Information about a person should only be collected from the person themselves. They should also be aware they are providing information. There are some exceptions to this, such as information in the public record and instances where a person authorizes the collection from someone else.

Principle 3: “Collection of information from subject”

This principle can be thought of as notification. Whenever data is collected about an individual, the organization should ensure the person is aware. They should explain:

  • Why the information is being collected.
  • Who will have access to the information.
  • Whether the individual needs to provide it, or if it is voluntary.
  • What will happen if they choose not to provide the information.

Principle 4: “Manner of collection of personal information”

This principle outlines how an organization can—or more importantly cannot—collect information. They should avoid any unlawful, unfair, or unreasonably intrusive means of collecting information about the individual.

The principle was updated in the 2020 act to include specific language related to collecting information about children and young people—essentially emphasizing specific care should be given toward ensuring that gathering the information does not intrude in the affairs of children.

Principle 5: “Storage and security of personal information”

We like to think of this as the security principle. Organizations need to keep personal information secure and guard against loss and unauthorized access, use, disclosure, or misuse. This also includes employees at the organization accessing personal information about individuals when it isn’t part of their job function.

Principle 6: “Access to personal information”

In short, an individual has the right to know if an organization has information about them. They also have the right to access that information. There are some exceptions to this, which primarily focus on protecting public safety and ensuring another individual's privacy isn’t breached by allowing someone to access their own information.

Principle 7: “Correction of personal information”

Individuals can request you correct any errors in the personal information you have about them. You can choose not to update the data, but the information must then include a notice that the individual challenges that accuracy of the information.

Principle 8: “Accuracy, etc, of personal information to be checked before use of disclosure”

Essentially, an organization needs to ensure information is accurate before it is disclosed or used. The act expects you to make a reasonable effort to validate the accuracy of information before using or sharing it.

Principle 9: “Agency not to keep personal information for longer than necessary”

You can think of this as “retention with a twist.” Organizations should only keep the information they collect as long as they need it to achieve the original purpose.

Principle 10: “Limits on use of personal information”

Speaking of the original purpose from the previous principle, an individual’s information can only be used for the purpose stated during collection. The individual can authorize new use, and the information can also be used if the data won’t identify the person in any way.

Principle 11: “Limits on disclosure of personal information”

Organization should generally get consent from the individual whenever they wish to share information, but otherwise that information can only be disclosed when the following exceptions apply:

  • The original stated purpose when the information was collected was to disclose it.
  • Disclosure to another organization is directly related to the original reason for collection.
  • It is necessary to pass the information on to law enforcement to prevent or investigate a crime.

Principle 12: “Disclosure of personal information outside New Zealand”

We discussed this earlier, but to reiterate: If an organization discloses the information overseas, it needs to ensure the country the information goes to has comparable privacy protections to New Zealand.

This is the only completely new principle that wasn’t in the original 1993 act. If your organization isn’t based in New Zealand, there’s a good chance you’ll need to pay attention to this principle in particular.

Principle 13: “Unique Identifiers”

It is common to apply a unique identifier to an individual. Under this law, organizations should avoid doing so unless it is required in order to carry out the functions of the business. If they do need to assign unique identifiers to individuals, they should take all reasonable steps to protect the unique identifier from being misused.

Steps you should take to ensure compliance

To start, if you don’t already have a dedicated privacy officer at your company, you should look into appointing one. For Privacy Act 2020 and many of the privacy regulations throughout the world, having a dedicated representative that can keep track of changing regulations and take responsibility for notifying agencies as needed, will help avoid any potential mistakes.

For many readers of this article, the emphasis will be on ensuring your vendors and third-party API providers have taken the steps they need to protect your customer’s data. The first question to ask yourself is: Do we store personally identifiable information (PII) or data about New Zealanders?

If the answer is yes, or may ever be yes—as in you don’t actively block citizens of New Zealand from signing up for your service—then you need to ensure a process exists to address the overseas disclosure and breach notification requirements of the law. Confirm your API providers have systems in place to handle these and notify you so that you can in turn notify the individuals and the privacy commissioner. A vendor’s compliance can often be found in their privacy policies, service agreements, or with the provider’s sales team directly. In many cases, since the Privacy Act 2020 is more recent, and affects a smaller portion of people than other privacy regulations, it may not yet be part of the privacy policy for many companies. When policies have been updated, details will likely appear in a provider’s Data Protection Addendum alongside information about other regional privacy regulation.

Mitigating risk by tracking APIs

At Bearer, we’re building solutions that help you track and manage third-party APIs and web service vendors. We believe visibility into your APIs is important, and can help you avoid shadow APIs and better govern how your organization uses APIs.

You may also like

Ready to start your
Privacy by Design journey?

Learn best practices with a privacy specialist.