I. Introduction
New Zealand was one of the first countries to enact a law specifically dedicated to its residents' right to privacy, with its Privacy Act 1993. While the definition of what "privacy" means has undergone a radical shift since then, New Zealand's principles-based legislation has remained relatively fit for purpose.
In recognition of the evolution of privacy, New Zealand updated its legislation in 2020, known as the Privacy Act of 2020. It remains principles-based and relatively consistent with the 1993 Act, albeit with some additional protections for individuals and obligations for organisations.
To further improve the country’s privacy framework, the Privacy Amendment Bill was introduced to Parliament on September 5, 2023, with key amendments set to take effect from June 1, 2025. The bill introduces the Information Privacy Principle (IPP) 3A, updates data correction response times, and clarifies how foreign privacy laws are assessed.
The legislation, and the obligations it places on organisations, are centred around the 13 Information Privacy Principles (IPPs) within the Act. While this is reassuring for users in New Zealand, it can present a problem for organisations catering to those users, because the legislation is principles-based rather than prescriptive.
So, to make any compliance effort easier, here are all the significant bits to know about New Zealand's Privacy Act 2020:
II. Who Needs to Comply with the Law
While the Privacy Act 2020 improves on its predecessor, it also clarifies and expands its application. The scope of application of the Act can be broken down into two distinct categories, as mentioned below:
A. Material Scope
The Privacy Act expressly deals with personal information (PI) collected, held, used, and disclosed by any organisation. The definition of PI in the Act is information about an identifiable individual. Thus, organisations must be careful, as even publicly available information can be personal information—for example, a photograph of an individual’s face that clearly identifies them, as highlighted in a blog by the Office of the Privacy Commissioner.
Importantly, the Privacy Act applies to entities of all sizes and structures, including individuals. There is no organisational size limit on the application of the legislation.
B. Territorial Scope
Any organisation that falls under the following sub-categories has to comply with the Privacy Act 2020:
- Organisations located within New Zealand;
- Organisations located outside New Zealand but offering goods/services to individuals in New Zealand; or
- Organisations located outside New Zealand but collecting information about individuals in New Zealand.
It should be noted that an organisation meeting any of the criteria above need not have a physical presence in New Zealand. If it has conducted business that has generated revenue from New Zealand residents in any way, or intends to profit from business in New Zealand, it will be subject to the Privacy Act 2020.
III. Obligations for Organisations Under the Privacy Act 2020
Under the Privacy Act’s jurisdiction, all organisations have specific responsibilities or obligations towards their users. The most important of these obligations include the following:
A. Lawful Purpose Requirements
While data processing has become immensely important for nearly all businesses, the Privacy Act ensures that such data processing can only occur if the organisation collecting the data has a lawful purpose for collection and that collection of the information is necessary for that purpose. It is also expected that the information will be collected directly from the individual concerned.
When collecting personal information, organisations are required to ensure the individual is aware of:
- The fact that the information is being collected;
- The purpose for which it is being collected;
- The intended recipients of the information;
- The details of the organisation that will be collecting and holding the information;
- Any laws that authorise or require the collection of the information;
- Any consequences of not providing the information, and/or
- The individual’s right to access or correct the information.
B. Consent Requirements
Unlike many other privacy laws, the Privacy Act does not include the word consent in its drafting. The Act states that if information is collected for a purpose, then it can be used or disclosed for that purpose.
However, there are certain areas where an individual’s authorisation will be required to enable the collection, use, or disclosure of information. These are:
- If the information is being collected from a third party rather than directly from the individual themselves;
- The organisation would like to use or disclose the information for a purpose other than that for which it was originally collected; or
- The organisation would like to disclose the information outside of New Zealand.
This means it is essential that an organisation understands the purpose for which any personal information is collected and builds in processes to obtain authorisation from individuals where it is required.
C. Privacy Notification / Privacy Policy Requirements
There is no specific requirement for a privacy notice in the Privacy Act. However, as stated above, organisations are required to ensure the individual is aware of a range of matters when collecting personal information. Hence, the best practice in such a case would be to adhere to the standard privacy policy requirement elaborated in other major data protection laws and design the website's privacy policy accordingly. Such a policy would include the following information:
- Contact information about the organisation;
- Contact information for the organisation’s Privacy Officer;
- What categories of personal information are being collected;
- The purpose for which the organisation is collecting the individual’s information and why it is necessary;
- How the individual’s information will be used;
- Who the information will be shared with;
- Information on whether the individual’s information will be transferred to other countries;
- The period for which the personal information will be stored;
- Detailed information on individuals’ rights to access and correct the information;
- How the individuals' data is stored and protected; and
- The individuals' right to complain to the Office of the Privacy Commissioner.
With the introduction of the Information Privacy Principle (IPP) 3A, organisations must also inform individuals when their personal information has been collected from a source other than the individual themselves. IPP 3A removes the previous requirement under IPP 3 to inform individuals of the consequences of failing to provide requested information. However, there are exemptions to providing notice; these exemptions include:
- Organisations are not required to notify individuals if the collected information is already publicly available. This includes data from public registers, official records, and information the individual has willingly made accessible.
- If providing notice would undermine the reason for collecting the data, organisations are exempt. This exemption applies to law enforcement, regulatory investigations, or fraud detection, where alerting the individual could compromise an investigation.
- Organisations are not required to provide notice if another law expressly prohibits or overrides the requirement.
- If providing notice is not reasonably practicable, organisations are exempt. This includes scenarios where:
  - The organisation does not have direct contact with the individual;
  - The number of individuals affected is too large to notify each person individually; or
  - The cost and effort required to comply are disproportionate to the benefit of notification.
D. Security Requirements
The Privacy Act and IPP 5 state that an organisation that holds or stores personal information about individuals must take appropriate safeguards to protect the information against loss, unauthorised access, use, modification, disclosure, or other misuse. Such safeguards include:
- Appropriate technical, physical, and/or organisational security controls;
- Verification that all security controls are actually in place; and
- Adherence to the organisation's encryption protocols.
The Privacy Act also requires that organisations do everything within their power to prevent unauthorised use or unauthorised disclosure of personal information if it is given to any third-party service providers.
E. Outsourcing to Third Parties
Unlike GDPR, the Privacy Act does not define data controllers or data processors. Under the Privacy Act, if an organisation provides a third party with access to personal information for the purpose of safe custody or processing, that third party is deemed to be an agent of the organisation. This applies whether the agent operates within or outside of New Zealand.
For the purposes of the Privacy Act, the personal information is treated as being held by the organisation, not the agent, and the transfer of information is not a use or disclosure by the organisation. This means robust due diligence over any third-party vendors who will store or process personal information is an essential part of ensuring compliance with the Privacy Act.
F. Data Breach Requirements
Like all major data protection laws globally, the Privacy Act requires all organisations to notify both the Office of the Privacy Commissioner and the affected users in the event of a data breach that has caused, or could cause, serious harm to an affected individual. The organisation must inform all relevant parties "as soon as practicable" after becoming aware of a breach. Guidance from the Office of the Privacy Commissioner indicates they expect organisations to notify them of any breach within 72 hours.
Notification to the Office of the Privacy Commissioner must include:
- The number of affected users;
- The identity of the person or organisation that may be in possession of the breached information;
- What steps the organisation has taken in response to the situation;
- Whether affected individuals have or will be contacted;
- The basis for delaying or not notifying an affected individual if notification will be delayed or an exception is being relied upon;
- Details of a person within the organisation to contact related to the breach.
Notification to an affected individual can be direct or via public notice and must include:
- Details of the breach;
- Whether the organisation has identified the individual or organisation that is in possession of the information (without disclosing information that could identify them);
- Steps taken in response to the breach;
- What steps the individual could take to mitigate potential loss or harm (where practicable);
- Confirmation that the Commissioner has been notified;
- That the individual has the right to make a complaint to the Commissioner; and
- Details of a contact person for inquiries.
An organisation is not required to notify the affected individuals about the breach where doing so would:
- Prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand;
- Prejudice the maintenance of the law by any public sector agency, including the prevention, investigation, and detection of offences, and the right to a fair trial;
- Endanger the safety of any person;
- Reveal a trade secret;
- Be contrary to the individual’s interests if they are under the age of 16; or
- Likely prejudice the health of the individual, based on consultation with the individual's health practitioner.
In the event of a breach by an agent of the organisation, the organisation will be responsible for fulfilling the breach notification obligations. Anything relating to a notifiable privacy breach that is known by any employee or member of the third party will be considered to be known by the principal data collecting organisation.
G. Data Protection Officer Requirement
The Privacy Act requires all organisations subject to it to employ a dedicated Data Protection Officer within their organisation. The term the Act uses for a DPO is "Privacy Officer". A Privacy Officer's primary responsibilities include:
- Encouraging the agency to comply with the IPPs;
- Dealing with requests made to the organisation under this Act;
- Working with the Commissioner about any investigations;
- Ensuring that the organisation complies with the provisions of this Act.
H. Privacy Impact Assessment
There is no legislative requirement for organisations to complete privacy impact assessments. However, they are encouraged as best practice by the Office of the Privacy Commissioner.
I. Cross-Border Data Transfer Requirements
There are provisions within the Privacy Act that allow for the international transfer of data collected inside New Zealand. These include that the transfer is:
- Authorised by the individual;
- To an organisation that is also subject to the Privacy Act;
- To a country that is subject to privacy laws that provide a comparable level of safeguards to those in the Privacy Act;
- To an organisation operating in a prescribed binding scheme or country; or
- To an organisation that is required to protect the information with a comparable level of safeguards to those in the Privacy Act (for example, through an agreement between the parties).
The Privacy Amendment Bill updates Section 18 of the Privacy Act to clarify that the Information Commissioner may assess the privacy laws of a foreign country on an individual basis or as part of a broader bloc of countries (e.g., EEA countries subject to the GDPR). This will allow the Commissioner to advise the Minister of Justice on the adequacy of privacy protections in other jurisdictions, potentially impacting how organisations handle cross-border data transfers.
IV. Data Subject Rights
Similar to other major data protection laws globally, the Privacy Act guarantees all individuals certain rights, known more accurately as Data Subject Rights.
These include the following:
A. Right to Access the Data Subject's Data
This is arguably the most important right a user can have. The Privacy Act ensures that a user can request that any website provide prompt and complete access to all the data collected on the user since the moment they consented to the data processing. When such an access request is made, the organisation must respond within 20 days. If the request isn't fulfilled in that timeframe, the user may bring their case to the Privacy Commissioner, who can then issue a binding access determination requiring the organisation to give the user access to the information requested.
The Privacy Amendment Bill clarifies that organisations may refuse access requests if disclosure would be contrary to the interests of an individual under the age of 16, or of another individual to whom the information relates who is also under 16. It also enables organisations to refuse access to personal information where disclosure poses a serious threat to an individual's life, health, or safety, risks significant harassment, or involves information about a victim of an offence who would suffer distress or harm.
Access may also be denied if, after consultation with a health practitioner, disclosure would likely prejudice an individual's health. The amendment clarifies that these protections extend not only to the individual requesting access but also to others whose information may be affected.
B. Right to Rectify/Correct the Data Subject's Data where Inaccurate or Incomplete
A user has the right to request that any data collected on them that becomes outdated, incomplete, or inaccurate can be easily corrected once requested. The Privacy Amendment Bill now explicitly states that organisations must respond to correction requests under IPP 7 and Section 62 of the Privacy Act as soon as reasonably practicable, but no later than 20 working days after receiving the request.
V. Regulatory Authority
The Privacy Act establishes the Office of the Privacy Commissioner. Like many data protection agencies worldwide, the Privacy Commissioner is the primary office in charge of ensuring that organisations operating in New Zealand, or dealing with information about individuals in New Zealand, comply with the law.
However, it does differ from other agencies because it seeks to educate agencies and organisations in breach of the law rather than taking punitive measures. For this reason, the Office of the Privacy Commissioner regularly publishes guidelines and recommended practices that can help organisations of all kinds comply with the Privacy Act.
Under the Privacy Act, the Privacy Commissioner has a number of specific powers, including to:
- Investigate complaints or data breaches;
- Issue a compliance notice requiring an organisation to stop or change its business practices;
- Compel an organisation to release information that is subject to a request for access; and
- Issue codes of practice in relation to the Information Privacy Principles for specific industries (such as health care, telecommunications, and credit reporting agencies).
VI. Penalties for Non-Compliance
Penalties for breaching the Privacy Act 2020 are a little more complicated than under many other data protection laws. The focus within the Act is on civil remedies for affected individuals, and there are also limited financial penalties for certain offences.
In the event that an organisation breaches one of the Information Privacy Principles and causes harm to an individual or fails to comply with data subject rights requirements, then they can be deemed to have interfered with the privacy of the individual.
In the event of a complaint of an interference with privacy, the Privacy Commissioner will act as mediator between the organisation and the affected individual(s). The Privacy Act expects that an organisation will remedy the interference, which could be anything from an apology to a financial settlement. If a settlement cannot be reached, the Commissioner has the ability to refer the matter to the New Zealand Human Rights Review Tribunal, which can award damages of up to $350,000 to an individual. Class actions can also be brought against an organisation under the changes made by the Privacy Act 2020.
There are also specific offences under the Privacy Act:
- Obstructing, hindering or resisting the Privacy Commissioner;
- Refusing or failing to comply with a lawful requirement of the Privacy Commissioner;
- Making false or misleading statements to the Privacy Commissioner;
- Impersonating an individual to obtain access to, use, alter or destroy that individual’s personal information;
- Destroying a document containing personal information that is subject to a request for access; or
- Failing to comply with a compliance notice issued by the Privacy Commissioner.
These are criminal offences that can result in conviction and a fine of up to NZD 10,000 per offence.
VII. How Can an Organisation Operationalize the Law
While data protection regulation around the world secures users' right to adequate privacy online, it does present a conundrum for organisations. For starters, complying with multiple regulations can be a challenge, since each piece of legislation has different requirements that an organisation must be careful to consider.
However, compliance does not have to be an arduous task: a few simple steps go a long way towards building the platform needed to comply with any data protection regulation. For organisations aiming to achieve compliance with New Zealand's Privacy Act 2020, here's what they can do to start:
- Have an easy-to-read privacy policy that clearly communicates all the data subjects' rights without leaving any room for ambiguity;
- Hire Privacy Officers who understand the Privacy Act, both legally and strategically, to aid your data processing strategies and tactics;
- Ensure all the company's employees and staff are acutely aware of their responsibilities under the law;
- Conduct regular data protection impact assessments as well as data mapping exercises to ensure maximum efficiency in your compliance efforts;
- Implement robust vendor due diligence processes for third-party agents;
- Notify the relevant authorities of a data breach as soon as possible.
VIII. How Securiti Can Help
Data compliance and governance have taken an immensely pivotal role when it comes to cementing customers' trust towards any website and organisation. Today's customers online are more educated about their digital rights, especially regarding their right to privacy online. Laws being enacted around the world reflect this rising trend. It is now becoming a legal requirement for businesses of all sizes to consider data protection a serious responsibility towards their customers.
The New Zealand Privacy Act 2020 is just one example of that. Fortunately, Securiti's suite of automation modules offers a comprehensive solution for organisations seeking to ensure compliance with the New Zealand Privacy Act 2020.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
Request a demo to learn more.