Legal compliance requirements increasing in the IT space
Posted on 20 August 2015
Author: Samuel Moore, Associate, Meredith Connell – The Law Firm.
Over the last year, legal compliance in the IT space has been quietly getting more complex. Health and safety, cyberbullying and information privacy have been hot topics, with controversial law reforms going through Parliament and getting more than their fair share of media attention.
As you may be aware, these topics raise many legal issues for IT organisations and contractors. However, there are ways that you can protect yourself from legal liability as an organisation and as an individual – the first steps being to create awareness of how to be legally compliant and to communicate it regularly across your organisation.
Health and Safety
The health and safety reform is expected to come into force in late 2015/early 2016. The reform will see increased fines of up to $3 million for organisations and fines of up to $600,000 and/or five years’ jail time for individuals. The regulator – WorkSafe New Zealand – has a mandate to proactively enforce the law. The overarching standard for organisations’ compliance with the Reform Bill is to ensure, so far as is “reasonably practicable”, the health and safety of workers. IT is no exception to these changes. Health and safety laws also extend wider than some may realise. For example, workplace bullying can constitute a breach of existing health and safety laws. Also, where contractors go on-site, they will have overlapping duties with the site owner to ensure the health and safety of all workers, including themselves.
Digital Communications - Cyberbullying
On top of general workplace bullying, 2015 has seen the introduction of the “Harmful Digital Communications Act 2015” (HDC Act) – a statute brought in to help prevent harm to people by digital communications, otherwise known as cyberbullying. Serious or repeated breaches of the HDC Act are punishable with jail time of up to 2 years and maximum fines of $50,000 for a person and $200,000 for organisations.
You may wonder how cyberbullying could be a potential issue for an IT organisation. It is particularly important because IT organisations have the ability to access personal information, and that information could be disclosed or used maliciously. The HDC Act provides ten “Communications principles” that prohibit certain online behaviours. You should familiarise yourself with the principles to ensure that, as an organisation, employee or contractor, you are following them. The principles include that a communication should not:
- disclose sensitive personal facts about a person or make false allegations;
- be threatening, intimidating, menacing, indecent or extreme, or denigrate an individual by reason of their personal attributes;
- be grossly offensive to a reasonable person in the complainant’s position;
- contain a matter that is published in breach of confidence; or
- be used to harass an individual or encourage anyone to send a message to a person with the intention of causing that person harm or encourage suicide.
Not only should you set your organisation’s policies in line with the HDC Act, but all employees and contractors should have to adhere to the policies as part of their employment and service agreements. You should also ensure that your policies clearly reference the communications principles, to mitigate the potential for breaches that arises from the network access your organisation gives you and your workers. Employees and contractors need to be aware that the HDC Act applies to them directly. Any confidentiality and proper-use-of-network-facilities clauses in their employment or service agreements should also be clearly explained to them.
In parallel to cyberbullying and the HDC Act’s principles not to disclose sensitive personal facts and not to publish in breach of confidence, the Privacy Act 1993 outlines how personal data can be gathered, stored and used. The Privacy Act has twelve “Information privacy principles” that should be regularly communicated across your business. The principles include:
- reasons why personal information may be collected, who it can be collected from, and how it is collected;
- how personal information is stored;
- the rights of individuals to access and amend their personal information;
- restrictions on disclosure of personal information; and
- when and how “unique identifiers” can be used.
Again, organisations should refer to the privacy principles in their organisation-wide policies to ensure that collection, storage and use of personal information is compliant. Not only should employment and services agreements refer to the policies, but all employees and contractors should also be fully informed of appropriate usage of personal information. By bolstering policies and contracts, you will give your organisation a preventative approach as well as some protection should an employee or contractor use personal information to bully someone or in a way that breaches privacy.
If your organisation employs or contracts workers, now is a great time to get your compliance house in order. By using the tools inherent in IT infrastructure and by revisiting policies and agreements, you will be able to address many of your health and safety, cyberbullying and privacy obligations in one hit. If you’re not sure how to ensure compliance with the law, the process can be simplified to some degree through the use of compliance software. Some of the leading releases of compliance software include cloud-based subscriber services that are in line with the legal requirements and are backed up by expert lawyers. By taking a pro-active approach to compliance, you will be able to improve your organisation’s working environment as well as avoid potential breaches of the health and safety, cyberbullying and privacy laws.
This Contractor Corner post on Legal Compliance was written by Samuel Moore, Associate, Meredith Connell – The Law Firm.