What are my rights under the Privacy Act 2020 in NZ?

The Privacy Act 2020 governs how organisations collect, store, use, and share your personal information in New Zealand.

Your key rights:

Right to access your information (IPP6): Any person can request access to personal information about themselves held by an organisation. The organisation must respond within 20 working days.

Right to correct your information (IPP7): If information about you is inaccurate, you can request it be corrected. The organisation must correct it or attach a note of your requested correction.

Limits on collection (IPP1): Organisations can only collect personal information that is necessary for a lawful purpose connected with their functions. They must collect it directly from you where practicable.

Limits on use (IPP10/11): Information collected for one purpose cannot be used for an unrelated purpose without your consent (with limited exceptions).

Making a complaint: If an organisation breaches the Act, you can complain to the Office of the Privacy Commissioner (privacy.org.nz). If not resolved, the complaint can be referred to the Human Rights Review Tribunal, which can award damages.

Key change in 2020: The Privacy Act 2020 (replacing the 1993 Act) introduced mandatory data breach notification. Organisations must now notify you and the Privacy Commissioner if a breach causes you serious harm.

Source: Privacy Act 2020 — View on legislation.govt.nz