
Protecting Employees’ Data Under New Zealand’s Privacy Act

Published August 14, 2021 / Updated February 12, 2024
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US


New Zealand has recently replaced its Privacy Act of 1993 with a modernized version, the Privacy Act 2020. The New Zealand Privacy Act 2020 (NZPA) went into effect on December 1, 2020. It treats natural persons including consumers as well as employees equally and grants them several rights and safeguards in connection to the processing of their personal data.

This article provides a guide to the Human Resource Management team of an organization aiming to comply with New Zealand’s Privacy Act 2020. Let’s look into some of the key obligations under the NZPA that a Human Resource Management team must consider while handling employees’ personal data.

Collection and processing of employees’ data:

Under the NZPA, employers can collect employees’ personal information only if it is necessary for the employer to carry out a legitimate (lawful) function. The employer is not allowed to collect employees’ personal information just because it can; it has to be able to justify why it needs the information in order for the business to function.

Employers must also be open with their employees about what information they are collecting and what they will be using the information for. Additionally, they cannot collect information in ways that are unfair or unreasonably intrusive. For example, asking a remote employee to have a camera in their home at all times raises considerable privacy concerns and is likely to be considered unfair and unreasonable as it places the employee under constant surveillance. Similarly, misleading employees about what the information will be used for or unnecessarily collecting sensitive personal information is unfair and unreasonable.

The employer must always ensure that the employees’ data it has is accurate, up-to-date, complete, relevant and not misleading. In addition, it must not use the employees’ personal information that was obtained in connection with one purpose for any other purpose unless there are reasonable grounds to do so.

Securiti can help organizations map data to their owners, create privacy notices and incorporate sensitive data intelligence to ensure that all data protection principles are complied with.

Security of employees’ personal data and privacy breaches:

Employees’ data must be protected by security safeguards in order to prevent loss, disclosure, or any other misuse of the data. In the case of a privacy breach that has caused serious harm to the concerned employee, the employer must notify the Privacy Commissioner and the affected employee as soon as practicable after becoming aware of the breach. This obligation also extends to privacy breaches caused by outsourced third parties.

Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notification within hours of a security incident.

Third-party or cross-border data transfers:

When sharing employees’ personal data with external third parties and vendors such as HR services, security contractors or medical insurance services, employers must assess those parties’ privacy practices and their compliance with NZPA requirements. As far as cross-border data transfers are concerned, an employer can transfer an employee’s personal information outside New Zealand only if the destination country provides safeguards comparable to those in the NZPA, the destination country is part of a prescribed binding scheme issued by the government of New Zealand, or the employee expressly authorizes the disclosure after having been informed that the foreign country’s data protection standards are inadequate.

Securiti’s Vendor Management Solution allows organizations to assess their vendors based on a predefined risk score and also offers a centralized process to assess how compliant the third-party vendors are with the NZPA. Securiti also offers transfer impact assessments that will help organizations identify and review data transfers from New Zealand and remediate discovered vendor risks.

Also read International data transfers under New Zealand’s new Privacy Act.

Protection of vaccination status:

Employers must protect an employee’s vaccination status in accordance with the provisions of the NZPA. This means that employers must not share an employee’s vaccination details with third parties or other employees unless the concerned employee has given consent. Another exception where vaccination status may be shared is where it is necessary to prevent or lessen a serious threat to public health or public safety. Additionally, employees must be made aware of how the information related to their vaccination status will be used and why it is being collected.

Securiti’s Sensitive Data Intelligence Solution can help your organization to discover, analyze and protect large data sets. It can help incorporate data intelligence in an automated fashion to achieve privacy compliance across all data processing activities and projects.

Employees’ requests for access to and correction of their information:

Data subjects’ requests for access to and correction of their data apply even during the COVID-19 emergency. An employer must respond to a data access request within 20 working days. However, an employer may give notice of an extension of time if the volume of information is such that a response cannot be given within 20 working days, or if necessary consultations cannot be completed within 20 working days, where the information requested is not readily retrievable.

Securiti offers the DSR Automation Solution to help organizations honor all rights and simplify the process of exercising these rights. This process turns manual work into an automated system that will help enterprises swiftly process data subject requests and enable coordination between stakeholders for reviews and approvals.

Operationalizing the NZPA

HR Management must meet the requirements of the above provisions of the NZPA. To achieve compliance, organizations need to operationalize their processes. This can be achieved in the following ways:

  • Disclose how you collect, process, retain and share employees’ data through transparent formal policies
  • Develop formal policies and procedures for the collection and handling of employees’ data
  • Update privacy policies as needed and share with all employees as well as consumers
  • Ensure privacy policies and notices are easily accessible and understandable to your workforce as well as incorporated in your employees’ handbooks
  • Review and update your processes
  • Maintain proper documentation with regards to your employees’ personal data

Manual processes are becoming obsolete, and automation is the way forward if organizations hope to comply with global privacy regulations such as the NZPA. Securiti uses artificial intelligence and robotic automation to help organizations operationalize their processes.

Request a demo today and see how Securiti solutions can help your organization on the road to compliance.

Also read the Compliance Checklist for New Zealand’s new Privacy Act.

Frequently Asked Questions (FAQs)

Personal information under New Zealand's Privacy Act includes data that identifies, or could reasonably identify, an individual. This includes names, contact details, financial information, and other data that can be linked to a specific person.


An employee data privacy statement is a document that informs employees about how their personal data is collected, used, and protected by their employer. It outlines the rights and protections afforded to employees under data protection regulations.

Workplace privacy in New Zealand is governed by the Privacy Act, which regulates the collection and handling of employee data. It grants employees the right to know how their data is used and to request corrections if the information is inaccurate.
