Securiti Launches Industry’s First Solution To Automate Compliance


Protecting Employees’ Data Under New Zealand’s Privacy Act

Published August 14, 2021 / Updated February 12, 2024

Listen to the content

New Zealand has recently replaced its Privacy Act of 1993 with a modernized version, the Privacy Act 2020. The New Zealand Privacy Act 2020 (NZPA) went into effect on December 1, 2020. It treats natural persons including consumers as well as employees equally and grants them several rights and safeguards in connection to the processing of their personal data.

This article provides a guide to the Human Resource Management team of an organization aiming to comply with New Zealand’s Privacy Act 2020. Let’s look into some of the key obligations under the NZPA that a Human Resource Management team must consider while handling employees’ personal data.

Collection and processing of employees’ data:

Under the NZPA, employers can collect employee's personal information only if it is necessary for the employer to carry out its legitimate function (lawful function) The employer is not allowed to collect employees’ personal information just because it can - it has to be able to justify why it needs to collect the information in order for the business to function.

Employers must also be open with their employees about what information they are collecting and what they will be using the information for. Additionally, they cannot collect information in ways that are unfair or unreasonably intrusive. For example, asking a remote employee to have a camera in their home at all times raises considerable privacy concerns and is likely to be considered unfair and unreasonable as it places the employee under constant surveillance. Similarly, misleading employees about what the information will be used for or unnecessarily collecting sensitive personal information is unfair and unreasonable.

The employer must always ensure that the employees’ data it has is accurate, up-to-date, complete, relevant and not misleading. In addition, it must not use the employees’ personal information that was obtained in connection with one purpose for any other purpose unless there are reasonable grounds to do so.

Securiti can help organizations map data to their owners, create privacy notices and incorporate sensitive data intelligence to ensure that all data protection principles are complied with.

Security of employee's personal data and privacy breaches:

Employees’ data must be protected by security safeguards in order to prevent loss, disclosure, or any other misuse of the data. In case of a privacy breach that has caused serious harm to the concerned employee, the employer must notify the Privacy Commissioner and the affected employee as soon as practicable after becoming aware of the breach. This will also include the obligation of notification of those privacy breaches that are caused by outsourced third-parties.

Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notification within hours of a security incident.

Third-party or cross-border data transfers:

While sharing an employees’ personal data with external third parties and vendors such as HR services, security contractors or medical insurance services, employers must assess their privacy practices and their third-party/vendor’s compliance with NZPA requirements. As far as cross-border data transfers are concerned, an employer can transfer an employee’s personal information outside New Zealand only if the destination country provides comparable safeguards to those in the NZPA, the destination country is part of a prescribed binding scheme issued by the government of New Zealand, or if the employee expressly authorizes the disclosure of personal information after having been informed of the inadequate data protection standards of the foreign country.

Securiti’s Vendor Management Solution allows organizations to assess their vendors based on a predefined risk score and also offers a centralized process to assess how compliant the third-party vendors are with the NZPA. Securiti also offers transfer impact assessments that will help organizations identify and review data transfers from New Zealand and remediate discovered vendor risks.

Also read International data transfers under New Zealand’s new Privacy Act.

Protection of vaccination status:

Employers must protect an employees’ vaccination status in accordance with the provisions of the NZPA. This means that employers must not share an employees’ vaccination details with third-parties or other employees unless the concerned employee has provided his/her consent. Another exception where vaccination status may be shared is where it is necessary to prevent or lessen a serious threat to public health or public safety. Additionally, employees must be made aware of how the information related to their vaccination status will be used and why it is being collected.

Securiti’s Sensitive Data Intelligence Solution can help your organization to discover, analyze and protect large data sets. It can help incorporate data intelligence in an automated fashion to achieve privacy compliance across all data processing activities and projects.

Employees’ requests to access and correction of their information:

The data subjects’ requests in relation to access and correction of their data will apply even during the COVID-19 emergency. An employer must respond to a data access request within 20 working days. However, an employer may notify an extension of time if the volume of information is such that a response cannot be given within 20 working days or necessary consultations cannot be completed within 20 working days, considering that the information requested is not readily retrievable.

Securiti offers the DSR Automation Solution to help organizations honor all rights and simplify the process of exercising these rights. This process turns manual work into an automated system that will help enterprises swiftly process data subject requests and enable coordination between stakeholders for reviews and approvals.

Operationalizing the NZPA

HR Management must meet the requirements of the above provisions of the NZPA. To achieve compliance, organizations need to operationalize their processes. This can be achieved in the following ways:

  • Disclose how you collect, process, retain, share and process employees’ data through transparent formal policies
  • Develop formal policies and procedures for the collection and handling of employees’ data
  • Update privacy policies as needed and share with all employees as well as consumers
  • Ensure privacy policies and notices are easily accessible and understandable to your workforce as well as incorporated in your employees’ handbooks
  • Review and update your processes
  • Maintain proper documentation with regards to your employees’ personal data

Manual processes are becoming obsolete and automation is the way forward if organizations hope to comply with global privacy regulations such as the NZPA. Securiti recruits the help of artificial intelligence and robotic automation to help organizations operationalize their processes.

Request a demo today and see how Securiti solutions can help your organization on the road to compliance.

Also read the Compliance Checklist for New Zealand’s new Privacy Act.

Frequently Asked Questions (FAQs)

Personal information under New Zealand's Privacy Act includes data that identifies, or could reasonably identify, an individual. This includes names, contact details, financial information, and other data that can be linked to a specific person.


An employee data privacy statement is a document that informs employees about how their personal data is collected, used, and protected by their employer. It outlines the rights and protections afforded to employees under data protection regulations.

Workplace privacy in New Zealand is governed by the Privacy Act, which regulates the collection and handling of employee data. It grants employees the right to know how their data is used and to request corrections if the information is inaccurate.

Securiti for Workday

Security | PrivacyOps | Governance | Compliance

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You