Skip to main content

Privacy Act 2020 (New Zealand)

New Zealand's Privacy Act 2020 modernized the country's privacy regime around 13 Information Privacy Principles, adding mandatory breach notification and stronger Privacy Commissioner powers. It applies broadly to agencies and overseas businesses operating in New Zealand.

Jurisdiction
New Zealand

The Privacy Act 2020 is New Zealand's principal privacy law. It came into force on December 1, 2020, replacing the Privacy Act 1993 and modernizing the country's privacy regime. The Act regulates how agencies collect, use, store, disclose, and give access to personal information, and it strengthens the powers of the Office of the Privacy Commissioner. It is built around 13 Information Privacy Principles (IPPs) that apply to almost all organizations and businesses, called agencies.

The 2020 Act introduced a mandatory privacy breach notification scheme, new compliance and enforcement tools, and clearer rules for sending personal information overseas.

Who It Applies To

The Act applies to agencies, a broad term covering almost any person, business, or organization in New Zealand, whether in the public or private sector. It also has extraterritorial effect: an overseas agency that carries on business in New Zealand is subject to the Act in respect of personal information it collects or holds in the course of that business, regardless of where the information is held. There are limited exceptions, such as for the news media in their news activities and for personal or domestic affairs.

Key Requirements

The 13 Information Privacy Principles govern the purpose and manner of collection, source of information, notice, storage and security, access and correction, accuracy, retention, limits on use and disclosure, unique identifiers, and disclosing personal information outside New Zealand. Agencies must collect only what is necessary, keep it secure, and let individuals access and correct their information. IPP 12 restricts cross-border disclosure unless the receiving agency is subject to comparable safeguards or another exception applies. Under the notifiable privacy breach scheme, agencies must notify the Privacy Commissioner and affected individuals as soon as practicable when a privacy breach has caused or is likely to cause serious harm.

Penalties for Non-Compliance

The Privacy Commissioner can investigate complaints, issue compliance notices, and make binding decisions on access requests. It is an offence to fail to notify a notifiable breach, to mislead an agency to access someone else's information, or to destroy information that is the subject of a request, with fines of up to NZD 10,000. Complaints about interference with privacy can be taken to the Human Rights Review Tribunal, which can award damages.

How to Comply

Map your handling of personal information against the 13 IPPs. Collect only necessary information with appropriate notice and keep it secure. Provide access and correction processes. Assess cross-border disclosures under IPP 12 and apply comparable safeguards. Establish a privacy breach response plan that assesses serious harm and meets the notification scheme. Train staff and assign privacy responsibilities, and respond to compliance notices from the Privacy Commissioner.