The New Zealand Privacy Act has been in effect since December 2020. It brought New Zealand law a little closer to the strict standards of the EU General Data Protection Regulation (GDPR).

Key provisions include a broad application that encompasses non-New Zealand businesses, privacy breach notification requirements, and a prohibition on certain transfers of personal information overseas.

This article will outline New Zealand's privacy principles, who the New Zealand Privacy Act applies to, what it requires and how you can comply with it.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

  2. Answer some questions about your website or app.

  3. Answer some questions about your business.

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    You'll be able to instantly access and download your new Privacy Policy.

Who Does the New Zealand Privacy Act 2020 Apply to?

The New Zealand Privacy Act applies both to domestic and foreign agencies.

Under the Act, an agency is defined as an individual or a private or public organization or business to whom the Act applies:

New Zealand Privacy Act - Definition of New Zealand Agency

Other terms that can be used for agency here include "business," "organization," "entity," or "covered entity."

An agency based outside of New Zealand must comply with the Act if it is "carrying on business in New Zealand in respect of personal information" the agency holds or collects, regardless of:

  • Where the agency:

    • Collected the personal information
    • Holds the personal information
  • Where the individual (whose personal information the agency collected or holds) is located
  • Whether the agency:

    • Is a commercial operation
    • Has a place of business in New Zealand
    • Receives any payment for its goods or services
    • Intends to make a profit

The Act clearly attempts to apply as broadly as possible: any organization doing business in New Zealand must comply with it.

Who is Exempt From the New Zealand Privacy Act 2020?

New Zealand Parliament, courts and tribunals, and news media when acting in relation to collecting and reporting the news are exempt.

How Does the New Zealand Privacy Act 2020 Affect Consumers?

The New Zealand Privacy Act 2020 gives consumers the following rights regarding their personal data:

  • The right to access the data
  • The right to correct the data
  • The right to delete the data
  • The right to opt into direct marketing
  • The right to be notified any time their data is involved in a privacy breach
  • The right to file complaints with the Privacy Commissioner

What are the Information Privacy Principles?

Before we look at what's new in the 2020 act, we're going to look briefly at the "information privacy principles," most of which were introduced under the New Zealand Privacy Act 1993.

Note that the Act refers to the people and organizations to which it applies as "agencies." Agencies have responsibility for any personal information (which the Act defines as "information about an identifiable individual") they collect, hold or control.

The Act sets out 13 information privacy principles. One of these principles (number 12) is a new entry under the 2020 act.

  1. Purpose for collection: Only collect personal information if it is necessary to do so for a lawful purpose.
  2. Source of information: Where possible, collect personal information directly from the individual it is about.
  3. What to tell an individual: When you collect personal information, you must tell the individual:

    1. Why you are collecting it
    2. Who will receive it
    3. Whether they have a choice about whether to give it to you
    4. What will happen if they refuse
  4. Manner of collection: Only collect personal information in a lawful, fair, and unintrusive way.
  5. Storage and security: Implement reasonable safeguards to protect personal information.
  6. Access: Provide an individual with access to their personal information unless it would:

    1. Endanger someone's safety
    2. Create a significant likelihood of serious harassment
    3. Prejudice a criminal investigation
    4. Breach someone else's privacy
  7. Correction: Correct an individual's inaccurate personal information on request.
  8. Accuracy: Make sure personal information is accurate, complete, relevant, up-to-date, and not misleading.
  9. Retention: Only keep personal information for as long as you need it.
  10. Use: Only use personal information for the purposes for which you collect it, or in ways that are directly related to the original purpose, unless you have the individual's permission.
  11. Disclosure: Only disclose personal information to a third party if:

    1. You collected the personal information in order to disclose it
    2. You have the individual's authorization
    3. You have anonymized the personal information
    4. Failing to disclose the personal information would endanger someone's health
    5. Failing to disclose the personal information would prejudice the maintenance of the law
  12. Disclosure outside New Zealand: This is a new principle, which we'll look at below.
  13. Unique identifiers: Only assign a unique identifier to an individual if you need to for operational functions. Don't use the same unique identifier as another covered entity.

Complying with all these principles is essential whenever collecting, storing, or otherwise using New Zealand residents' personal information.

A good way to comply with information privacy principle 3 (what to tell the individual) is to create a Privacy Policy that includes all the necessary information about how and why you process personal information. You can present your Privacy Policy whenever you collect personal information from an individual.

What Does the New Zealand Privacy Act 2020 Require?

Now let's look at the most significant requirements of the New Zealand Privacy Act.

Provide Privacy Breach Notifications

The Act makes some changes to the rules on when agencies must notify people about "privacy breaches."

What is a "Privacy Breach?"

"Privacy breach" means personal information has been subject to unauthorized or accidental:

  • Access
  • Disclosure
  • Alteration
  • Loss
  • Destruction

"Privacy breach" also covers any action that leaves a business permanently or temporarily unable to access personal information. A privacy breach can be caused by a person internal or external to the business, and can be either ongoing or completed.

When Must You Provide a Privacy Breach Notification?

A business must provide a privacy breach notification if it is reasonable to believe that the breach has caused serious harm to one or more affected individuals, or is likely to do so.

Here's section 113 of the Act, which outlines how to assess whether a privacy breach is notifiable:

Parliamentary Counsel Office: New Zealand Legislation - Privacy Act 2020 Section 113: Assessment of likelihood of serious harm being caused by privacy breach

When assessing whether the privacy breach is likely to cause serious harm, you can consider the following factors:

  • What you've done to reduce the risk of harm following the breach
  • Whether the personal information is sensitive
  • What type of harm the individuals might experience
  • Who has obtained or might obtain the personal information
  • Whether the personal information is protected by a security measure
  • Any other relevant matters

How Do You Notify the OPC of a Privacy Breach?

If you suffer a notifiable privacy breach, you must notify the New Zealand Office of the Privacy Commissioner (OPC) "as soon as practicable" after you become aware of the breach. You can use the OPC's "NotifyUs" page for this.

Your privacy breach notice must contain:

  • A description of the breach, including:

    • How many individuals are affected
    • Who has accessed the personal information
  • The steps you're taking in response to the breach, including whether you're contacting the affected individuals
  • Details of any public notice you're planning to provide
  • If you're planning not to notify the affected individuals, or you're planning to delay notification, your reasons for this
  • The names of any other agencies you've notified, or are planning to notify, and your reasons for doing so
  • Contact details of someone within your organization who can take inquiries about the breach

How Do You Notify Affected Individuals of a Privacy Breach?

Here's section 115 of the Act, which concerns the notification of individuals affected by a privacy breach:

Parliamentary Counsel Office: New Zealand Legislation - Privacy Act 2020 Section 115: Agency to notify affected individual or give public notice of notifiable privacy breach

You must notify the affected individuals as soon as practicable after you become aware of the breach, unless:

  • It is not "reasonably practicable" to notify the individual, in which case you must give public notice. The OPC suggests that you can do this "through website information, posted notices, or the media." Do not identify any affected individual in your public notice.
  • The individual is under 16 and you believe that notifying them would not be in their best interests.
  • The individual's healthcare provider has advised you that notifying the individual would be harmful to their health.

If either of the latter two points applies, you should consider whether you can notify the individual's representative, if they have one.

Your notice to individuals must contain:

  • A description of the breach, including whether you have identified the person responsible (do not name them unless doing so would prevent a serious threat to life)
  • The steps you're taking in response to the breach
  • What steps the individual can take to mitigate the effects of the breach
  • Confirmation that you have notified the OPC about the breach
  • An explanation of the individual's right to make a complaint to the OPC
  • Contact details of someone within your organization who can take inquiries about the breach

Have a Compliant Privacy Policy

Have and display a compliant Privacy Policy that informs people about the following:

  • What personal data you collect (including cookies) and what legal purpose you collect it for
  • Whether you share personal data with any third parties
  • What rights users have under the law and how they can exercise them
  • How you collect personal data

Here's an example of a Privacy Policy clause discussing user rights:

Bumble Privacy Policy: Your rights clause

Transfer Personal Information Overseas Compliantly

You cannot transfer personal information collected in New Zealand to a third party outside of New Zealand unless the recipient is covered by "comparable safeguards" to those imposed by the act. There are other exceptions which we'll cover below.

"Comparable safeguards" include the principles set out in Schedule 8 of the act:

  • Collection limitation: Only collect personal information if it is lawful and fair to do so
  • Data quality: Personal information should be accurate, adequate, and up to date
  • Purpose specification: Specify your purposes for collecting personal information at the time of collection and don't use it for any incompatible further purposes
  • Use limitation: Don't use personal information for unspecified reasons unless you have consent or legal authorization
  • Security safeguards: Protect personal information against privacy breaches
  • Openness: Be transparent about your practices and policies
  • Individual participation: Individuals have the right to receive confirmation that a business holds their personal information
  • Accountability: Businesses are accountable under these principles

You may wish to consider the EU's list of countries in receipt of an "adequacy decision." The EU deems these countries to have laws that are "essentially equivalent" to the GDPR.

If you need to transfer personal information to a business in a country that doesn't have "comparable safeguards," you may do so only if one or more of the following applies:

  • You have the authorization of the individual and you have expressly informed them that the country to which you are sending their information does not have comparable safeguards
  • You reasonably believe that the recipient is subject to the New Zealand Privacy Act
  • The recipient is subject to a "prescribed binding scheme" (the OPC will approve prescribed binding schemes in the future)

Here's information privacy principle 12, as it appears in the Act:

Parliamentary Counsel Office: New Zealand Legislation - Privacy Act 2020 Information privacy principle 12: Disclosure of personal information outside New Zealand

Have a Lawful Purpose for Processing Data

Do not collect or use personal data without having a lawful or legal purpose for doing so. While the Act doesn't list specific lawful purposes or give examples, it is best practice to minimize your collection of personal data to only what you truly need.

Always disclose what data you collect and how you use it within your Privacy Policy, as well as your lawful/legal purpose for doing so.

Here's an example of disclosing this compliantly:

eBay UK User Privacy Notice: Purposes and legal basis for data processing and categories of recipients clause

Appoint a Data Protection Officer

The New Zealand Privacy Act 2020 requires the appointment of a Data Protection Officer (DPO). You are exempt from this requirement if you are an individual and you collect and hold personal data "solely for the purposes of, or in connection with, the individual's personal or domestic affairs."

Data Protection Officers can be dedicated to that role, or they can hold other positions as well, such as being an HR manager. This mostly depends on the size and complexity of the business.

The Data Protection Officer should be familiar with the act and other relevant laws, and should be responsible for training and advising other staff on issues of privacy. The DPO will act as a liaison between the business and the OPC, and will be responsible for dealing with complaints the business receives.

Does the New Zealand Privacy Act 2020 Require Consent?

No, the New Zealand Privacy Act 2020 does not require you to obtain individuals' consent in order to process their personal data.

New Zealand Privacy Act 2020 vs. the GDPR

We mentioned that the New Zealand Privacy Act brings Kiwi law a little closer to EU standards. However, the GDPR imposes more extensive obligations on businesses.

Here's a roundup of some of the key differences between the two laws.

Application

  GDPR:
    • Data controllers
    • Data processors (who process on behalf of controllers)
    • Includes public and private entities
    • Includes individuals
    • Applies to controllers and processors based outside of the EU
  New Zealand Privacy Act:
    • Agencies
    • Includes public and private entities
    • Includes individuals
    • Applies to agencies based outside of New Zealand

Principles

  GDPR:
    1. Lawfulness, fairness, and transparency
    2. Purpose limitation
    3. Data minimization
    4. Accuracy
    5. Storage limitation
    6. Security
    7. Accountability
  New Zealand Privacy Act:
    1. Purpose for collection
    2. Source of information
    3. What to tell an individual
    4. Manner of collection
    5. Storage and security
    6. Access
    7. Correction
    8. Accuracy
    9. Retention
    10. Use
    11. Disclosure
    12. Disclosure outside New Zealand
    13. Unique identifiers

Rights

  GDPR:
    • Right of access
    • Right to erasure
    • Right to rectification
    • Right to object
    • Right to restrict processing
    • Right to data portability
    • Rights regarding automated decision-making
  New Zealand Privacy Act:
    • Right of access
    • Right to correct

Data breach requirements

  GDPR:
    • Controllers must report a data breach to their Data Protection Authority if it is likely to result in a risk to individuals' rights and freedoms
    • Controllers must report a data breach to the individuals affected if it is likely to result in a serious risk to individuals' rights and freedoms
    • Breaches must be reported within 72 hours
  New Zealand Privacy Act:
    • Agencies must report a breach to the OPC and to the individuals if it is reasonable to believe it will cause serious harm

International transfers

  GDPR: Transfers of personal data to non-EEA countries are prohibited unless:
    • The recipient is located in a country covered by an "adequacy decision"
    • The transfer is covered by an agreement containing standard contractual clauses and any necessary safeguards
    • The transfer is within a corporate group operating under binding corporate rules
    • Exceptionally, where one of the GDPR's Article 49 derogations applies
  New Zealand Privacy Act: Transfers of personal information to agencies outside of New Zealand are prohibited unless:
    • The recipient is in a country with a law that provides comparable safeguards to those imposed by the New Zealand Privacy Act
    • The sender has the authorization of the individual and has expressly informed them that the recipient country does not have comparable safeguards
    • The sender reasonably believes that the recipient is subject to the New Zealand Privacy Act
    • The recipient is subject to a "prescribed binding scheme"

Penalties

  GDPR: Two levels of penalties:
    • Up to 2 percent of annual global turnover or €10 million
    • Up to 4 percent of annual global turnover or €20 million
  New Zealand Privacy Act: Up to $10,000 NZD (approx. $7,200 USD)

How is the New Zealand Privacy Act 2020 Enforced?

The Office of the Privacy Commissioner (OPC) is authorized to enforce the law.

It has the ability to do the following:

  • Monitor compliance with the law
  • Provide guidance on privacy issues
  • Investigate complaints lodged about alleged breaches of privacy
  • Advocate for enhanced privacy rights for people in New Zealand
  • Conduct investigations into systemic privacy issues that affect the country on a large scale

The OPC can issue "compliance notices" to agencies failing to comply with the Privacy Act. This notice will require you to do something or stop doing something. It will provide steps you must take to meet your obligations and a deadline by which you must act.

The Act also introduces "access orders." The OPC can compel you to give an individual access to their personal information.

The Human Rights Review Tribunal is granted the authority to hear complaints that this law has been violated. The Tribunal can also take action to remedy damage from violations or data breaches by compensating the individuals affected.

What are the Penalties for Violating the New Zealand Privacy Act 2020?

Violating New Zealand’s Privacy Act 2020 could come with fines of up to $10,000 for individuals, and up to $50,000 for organizations that commit specific violations.

Fines can be levied if any of the following occurs:

  • Failure to comply with a compliance notice
  • Failure to comply with an access order
  • A prohibited cross-border transfer of personal information
  • Failure to properly notify the OPC of a notifiable privacy breach

In certain circumstances, criminal charges can be brought. For example, it is a criminal offense under the law to destroy personal information when you know that a request has been made for that information.

Summary

The New Zealand Privacy Act 2020 affects any business operating in New Zealand that processes personal information.

Key updates to the law include:

  • Any agency that is "carrying on business" in New Zealand is now covered by the law
  • These agencies, or covered entities, must report privacy breaches:

    • "As soon as is practicable"
    • Whenever it is "reasonable to believe" that the breach might cause a "risk of serious harm"
    • To the New Zealand Office of the Privacy Commissioner (OPC)
    • To the affected individuals
  • Businesses must not transfer personal information to third parties based overseas unless:

    • The recipient country is covered by "comparable safeguards"
    • The recipient is covered by the New Zealand Privacy Act
    • The sender has the individual's authorization and has informed them of the risks
    • The recipient is covered by a "prescribed binding scheme"
  • The OPC may issue fines of up to $10,000 NZD ($7,200 USD) for non-compliance with certain provisions in the act.
