The new Privacy Act 2020:  overview of changes to New Zealand’s privacy laws and its impact on Landlords and Property managers.

The new Privacy Act 2020 (“Act”) came into force on 1 December 2020, repealing and replacing its outdated predecessor - the now defunct Privacy Act 1993.

The new Act has been drafted to reflect changes in our modern society due to increasing use of technology. It also strengthens privacy protections and gives effect to internationally recognised privacy obligations, standards and controls in respect of privacy of personal information. The Act also introduces new penalties and criminal offences for non-compliance or breach of the Act. 

This article summarises some of the key changes and outlines implications for both landlords and property managers as a result of the new legislative changes.

What does the new Act mean for Landlords and Property managers?

It is important that landlords and property managers understand the way in which they can now collect and store private information on prospective tenants under the Act.

Topical in the current climate of rental shortages are instances in which the Privacy Commissioner has been made aware of landlord’s asking for more information than is required by law from prospective tenants as part of a selection process. In a recent example, the Commissioner was made aware of landlord’s demanding to see copies of tenant bank statements to assess whether they could afford to pay rent. Whilst unethical, collecting bank statements as a means of gauging how a tenant spends their money was deemed unfair, intrusive and an invasion of privacy. The Commissioner reinforcing landlords should only be collecting the minimum of personal information necessary.

The Commissioner has also been made aware of “bad tenant” blacklists being published in the public domain revealing names and locations of bad tenants, which have been shared on webpages and social media forums that some landlords were accessing as part of their selection process. Not only could this constitute a privacy breach, but it could also lead to a defamation claim for those persons or organisations publishing this information. Consequently, the Commissioner is looking very closely into this issue.

To assist all parties in the tenancy space, the Privacy Commissioner has published a set of guidelines which outline what information should and should not be collected by landlord’s when deciding whether someone is a suitable tenant. This includes such things as pet ownership, whether a tenant is smoker are permitted as part of a landlord or property managers assessment, but more personal intrusive lines of questioning are absolutely prohibited.
Following these guidelines, it is clear collection of private information should be transparent and be kept to a minimum necessary in order to make a lawful assessment of whether a tenant is suitable or not. Accordingly, landlords and property managers should only collect information that is necessary and not privacy-intrusive. Moreover, this information should be stored separate to the tenant’s generic information in order to avoid sensitive personal information, for example credit and criminal checks from being inadvertently disclosed.

Additionally, there are also firm obligations around retention of personal information at the conclusion of a tenancy. That information may not be kept for any longer than is required. This is because the longer that information is held, the greater the possibility of it becoming outdated and therefore inaccurate and/or irrelevant. And, in circumstances where a tenant has moved on, landlords and managers are required to dispose of private information in a safe and secure manner.
Summary of key changes under the Act

Because the Act applies to virtually all New Zealanders, businesses and organisations and anyone accessing personal information, it is crucially important key personnel are informed of, and understand obligations imposed by the Act as it relates to storing, accessing and dissemination of personal information about tenants and any other stakeholder relationships where private information could be at risk. In summary, these requirements provide:

Reporting of privacy breaches:

The Act mandates a new requirement for businesses to report serious privacy breaches where there is a risk of harm (“notification of privacy breach”).

The Act defines a “notifiable privacy breach”, as being a privacy breach that it is reasonable to believe has caused serious harm to an affected individual, or is likely to do so. The Act provides an assessment of factors to be considered in deciding if a privacy breach has caused serious harm, but outside of this, there is no set definition, suggesting that any breaches are to be treated on a case-by-case basis until the courts can determine a threshold standard.

Where a notifiable privacy breach occurs, there is also an obligation to notify the affected persons so they can take appropriate steps to protect themselves and their information.

Additionally, any privacy breach must be notified to the Office of the Privacy Commissioner. Consequently, reporting obligations should not be taken lightly, as any business failing to notify the Commissioner of a privacy breach is liable on conviction to a fine of up to $10,000.00.

Access requests:

In addition to existing powers, the Privacy Commissioner has also been granted new powers and can now order agencies to give people access to personal information that is held on them (by way of an “access direction”). Moreover, where a person requests personal information held by a business or organisation, the business or organisation cannot destroy the information in order to avoid providing, or disclosing it to the requesting party.

For this purpose, the Commissioner has been granted the power to issue and enforce a “compliance notice”. A compliance notice in short will either: direct an organisation to do something, refrain or stop from doing something, or to comply with the Act. Contained within the notice will be specified timeframes and steps to be taken by the receiving party.

The Commissioner also has the power to make binding decisions on complaints regarding access to information, formerly the domain of the Human Rights Tribunal (however, noting a right to appeal to the Tribunal still exists as a fundamental right in respect of any decision made by the Commissioner).

Much like a notifiable privacy breach, failing to obey  a compliance notice could  see a non-compliant party face a fine of up to $10,000.00.

Extraterritoriality and Cross-border application:

In keeping with its modernisation, the Act has been given extraterritorial effect, meaning that an overseas business or organisation may be treated as carrying on business in New Zealand for the purpose of their privacy obligations, even if that business or organisation does not have a physical presence here.

The relevance of the Act’s extra territorial effect will be important to landlords and property managers who utilise cloud-based storage providers to hold or process information in an agency capacity on their behalf. In these circumstances, personal information may only be disclosed to the overseas agency or organisation where it has a comparable level of protection to New Zealand’s privacy laws, or where similar protocols have been adopted and implemented to protect information.

If the provider does not the same level of protection, then disclosure can only be made if an individual (generally the tenant) is fully informed, expressly consents, and authorises the disclosure, acknowledging that the level of protection may not be the same as that in the Act.

Ultimately, what this means is that landlords and property managers holding personal information, will now be responsible for ensuring that personal information disclosed to organisations outside of New Zealand will be adequately protected and that necessary due diligence has been completed before making any such disclosure.

Implementing sufficient privacy measures

For those to whom the Act applies the requirement to have a “Privacy Officer” remains a necessary feature of the Act, and this requirement will be particularly relevant to professional property managers.

Consequently, for those businesses handling private information, they will need to ensure continuity with the Acts requirement of nominating a Privacy Officer, whose primary role is to ensure the management of private information and information requests in line with the Act’s stringent requirements. The only exception to the mandate of a Privacy Officer is for an individual who is collecting and holding personal information solely for the purposes of, or in connection with, the individual’s personal or domestic affairs. An exemption would therefore likely apply to private landlords who manage their own portfolio.

People entrust businesses with their personal information and therefore it is not unreasonable to expect that personal information will be vigorously protected from privacy breaches.

With the Act now in force, it is appropriate and timely for both landlords and property management enterprises to take stock of, and review all third-party contracts, business privacy policies and procedures with a view to ensuring these are sufficiently robust enough to enable protection of private information. And, to further ensure that there are adequate measures in place to detect, report and investigate a notifiable privacy breach where one does occur.

In tandem, all property management enterprises should be undertaking and implementing appropriate training for staff and key personnel with a view to ensuring their personnel are fully conversant with the mandatory obligations imposed in the Act in circumstances where private information might be encountered.

As the Office of the Privacy Commissioner advises on its webpage, “Privacy is Precious. Protect it. Respect it”.

By Michelle Igasan*

Disclaimer: This article is general in nature and should not be treated as professional advice. It is recommended that you consult your advisor. No liability is assumed by Harris Tate Limited for any losses suffered by any person relying directly or indirectly upon the article above.

*This article is provided for general information purposes only and should not be taken as constituting legal or other such advice. We make no warranty or representation of any kind, whether express or implied regarding the accuracy or validity of any information referred to.