Protecting Employees’ Data Under New Zealand’s Privacy Act

Published August 14, 2021 / Updated February 12, 2024
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

New Zealand has replaced its Privacy Act 1993 with a modernised statute, the Privacy Act 2020 (NZPA), which came into force on December 1, 2020. The Act applies to personal information about any individual, so employees have the same rights and protections in relation to the processing of their personal data as consumers do, and an employer handling employee data is an "agency" with the same obligations as any other business.

This article is a guide for the human resources (HR) team of an organisation aiming to comply with the NZPA. Let's look at some of the key obligations under the Act that an HR team must consider while handling employees' personal data.

Collection and processing of employees’ data:

Under the NZPA, employers may collect an employee's personal information only for a lawful purpose connected with a function or activity of the employer, and only where collection is necessary for that purpose (Information Privacy Principle 1). The employer is not allowed to collect employees' personal information just because it can; it has to be able to justify why it needs the information in order for the business to function.

Employers must also be open with their employees about what information they are collecting, why, and who will receive it (IPP 3). Additionally, they cannot collect information by means that are unlawful, unfair or unreasonably intrusive (IPP 4). For example, requiring a remote employee to keep a camera on in their home at all times raises considerable privacy concerns and is likely to be considered unfair and unreasonably intrusive, as it places the employee under constant surveillance. Similarly, misleading employees about what the information will be used for, or collecting sensitive personal information that is not needed, is unfair and unreasonable.

Before using employees' personal information, the employer must take reasonable steps to ensure that it is accurate, up to date, complete, relevant and not misleading (IPP 8). In addition, it must not use personal information obtained for one purpose for any other purpose unless an exception under the Act applies, for example where the employee has authorised the new use or the new purpose is directly related to the purpose for which the information was obtained (IPP 10).

Securiti can help organizations map data to their owners, create privacy notices and incorporate sensitive data intelligence to ensure that all data protection principles are complied with.

Security of employee's personal data and privacy breaches:

Employees' data must be protected by reasonable security safeguards against loss, unauthorised access, use, modification or disclosure, and other misuse (IPP 5). Where a privacy breach has caused, or is likely to cause, serious harm to the affected employee (a "notifiable privacy breach"), the employer must notify the Privacy Commissioner and the affected employee as soon as practicable after becoming aware of the breach. This duty extends to breaches that occur at outsourced third parties: a contractor or cloud provider that holds employee data on the employer's behalf is treated as the employer's agent, so the breach is the employer's to assess and notify. Failing to notify the Commissioner without reasonable excuse is an offence under the Act.

Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notification within hours of a security incident.

Third-party or cross-border data transfers:

Before sharing employees' personal data with external third parties and vendors such as HR service providers, security contractors or medical insurers, employers must assess the recipient's privacy practices and its compliance with NZPA requirements. As far as cross-border disclosures are concerned, IPP 12 permits an employer to disclose an employee's personal information to a recipient outside New Zealand only where one of the Act's grounds applies, principally: the employer believes on reasonable grounds that the recipient is subject to privacy laws that provide comparable safeguards to the NZPA, or is subject to the privacy laws of a country prescribed by New Zealand regulations; the recipient is a participant in a prescribed binding scheme; the recipient is required, for example by contract, to protect the information in a way that overall provides comparable safeguards; or the employee expressly authorises the disclosure after being told that the recipient may not be required to protect the information in a way comparable to the NZPA. Note that sending data to an overseas provider that merely stores or processes it on the employer's behalf is not a "disclosure" under the Act, but the employer remains fully responsible for that data, so the same vendor due diligence and security safeguards apply.

Securiti’s Vendor Management Solution allows organizations to assess their vendors based on a predefined risk score and also offers a centralized process to assess how compliant the third-party vendors are with the NZPA. Securiti also offers transfer impact assessments that will help organizations identify and review data transfers from New Zealand and remediate discovered vendor risks.

Also read International data transfers under New Zealand’s new Privacy Act.

Protection of vaccination status:

An employee's vaccination status is health information and must be protected in accordance with the NZPA. This means that employers must not share an employee's vaccination details with third parties or with other employees unless the employee concerned has authorised it. A further exception is where disclosure is necessary to prevent or lessen a serious threat to public health or public safety, or to the life or health of any individual. Additionally, employees must be told why their vaccination status is being collected and how it will be used.

Securiti’s Sensitive Data Intelligence Solution can help your organization to discover, analyze and protect large data sets. It can help incorporate data intelligence in an automated fashion to achieve privacy compliance across all data processing activities and projects.

Employees’ requests to access and correction of their information:

Employees' rights to request access to their personal information (IPP 6) and to request correction of it (IPP 7) continued to apply during the COVID-19 emergency. An employer must decide on, and respond to, an access request within 20 working days of receiving it. The employer may extend that period if the request covers a large quantity of information, or requires a search through a large quantity of information, such that meeting the deadline would unreasonably interfere with its operations, or if consultations needed to decide the request cannot reasonably be completed within 20 working days. The extension must be notified to the employee within the original 20 working days and must state the reason, the new time limit and the employee's right to complain to the Privacy Commissioner. Where an employee requests a correction and the employer declines to make it, the employee can require that a statement of the correction sought be attached to the information.

Securiti offers the DSR Automation Solution to help organizations honor all rights and simplify the process of exercising these rights. This process turns manual work into an automated system that will help enterprises swiftly process data subject requests and enable coordination between stakeholders for reviews and approvals.

Operationalizing the NZPA

HR Management must meet the requirements of the above provisions of the NZPA. To achieve compliance, organizations need to operationalize their processes. This can be achieved in the following ways:

  • Disclose how you collect, use, retain and share employees' data through transparent formal policies
  • Develop formal policies and procedures for the collection and handling of employees’ data
  • Update privacy policies as needed and share with all employees as well as consumers
  • Ensure privacy policies and notices are easily accessible and understandable to your workforce as well as incorporated in your employees’ handbooks
  • Review and update your processes
  • Maintain proper documentation with regards to your employees’ personal data

Manual processes do not scale, and automation is the way forward if organisations hope to comply with global privacy regulations such as the NZPA. Securiti uses artificial intelligence and robotic automation to help organisations operationalise their processes.

Request a demo today and see how Securiti solutions can help your organization on the road to compliance.

Also read the Compliance Checklist for New Zealand’s new Privacy Act.

Frequently Asked Questions (FAQs)

What is personal information under New Zealand's Privacy Act?

Personal information under New Zealand's Privacy Act is information about an identifiable individual. This includes names, contact details, financial information, health information and any other data that can be linked to a specific person, whether or not it is recorded in writing.

What is an employee data privacy statement?

An employee data privacy statement is a document that informs employees about how their personal data is collected, used, shared and protected by their employer. It outlines the rights and protections afforded to employees under data protection regulations.

How is workplace privacy regulated in New Zealand?

Workplace privacy in New Zealand is governed by the Privacy Act 2020, which regulates the collection and handling of employee data. It grants employees the right to know how their data is used, to access it, and to request corrections if the information is inaccurate.
