The Privacy Act 2020 — New Zealand's Main Privacy Law

The Privacy Act 2020 replaced the 1993 Act and came into force on 1 December 2020. It applies to almost every organisation and business in New Zealand that collects, uses, or stores personal information about people.

What Is "Personal Information"?

Personal information is any information about an identifiable individual. This includes:

·Name, address, date of birth, NHI number

·Email address, phone number

·Salary and employment information

·Health records

·Photos and CCTV footage

·Location data and IP addresses

·Any combination of information that could identify someone

The 13 Information Privacy Principles (IPPs)

The Act sets out 13 IPPs that organisations must follow:

| # | Principle |

|---|-----------|

| 1 | Only collect information that is necessary |

| 2 | Collect from the individual where possible |

| 3 | Tell people what you're collecting and why |

| 4 | Don't collect information by unlawful means |

| 5 | Keep information secure |

| 6 | Individuals can access their own information |

| 7 | Individuals can correct their information |

| 8 | Only use information for the purpose it was collected |

| 9 | Don't hold information longer than necessary |

| 10 | Use information consistently with the purpose collected |

| 11 | Disclose only where appropriate |

| 12 | Only send information overseas if adequate protection exists |

| 13 | Unique identifiers — restricted use |

What Is a Notifiable Privacy Breach?

Since 2020, organisations must notify both the Privacy Commissioner and affected individuals if a privacy breach:

1.Involves personal information, and

2.Has caused (or is likely to cause) serious harm

Examples of serious harm: identity theft, physical safety risk, significant reputational damage, financial loss.

Timeframe: Notification must happen as soon as reasonably practicable — the Office of the Privacy Commissioner (OPC) expects this within days, not weeks.

Your Rights as an Individual

You have the right to:

·Access personal information an organisation holds about you (IPP 6)

·Correct inaccurate information (IPP 7)

·Ask an organisation to stop using your information in certain circumstances

·Complain to the Privacy Commissioner if your rights are breached

To make an access request, write to the organisation and ask for a copy of all personal information they hold about you. They must respond within 20 working days.

Penalties for Breaches

The Act strengthened penalties from 2020:

·Criminal offence (e.g., misleading an organisation to access someone else's information): fine up to $10,000

·Human Rights Review Tribunal can award damages up to $350,000 for interference with privacy

·Compliance notices can be issued by the Privacy Commissioner

For Businesses — Practical Compliance Steps

1.Privacy policy — publish a clear, accessible policy on your website

2.Consent — get genuine, informed consent before collecting sensitive data

3.Breach response plan — have a written procedure for detecting and reporting breaches

4.Privacy Officer — appoint someone responsible for privacy compliance

5.Data minimisation — only collect what you actually need

6.Overseas transfers — add privacy clauses to contracts with overseas suppliers

Contact the Privacy Commissioner

·Website: privacy.org.nz

·Phone: 0800 803 909

·Online complaint form available at privacy.org.nz

LexNZ provides legal information only — not legal advice. For specific privacy compliance advice, consult a qualified NZ privacy lawyer.

NZ Privacy Act 2020: What Businesses and Individuals Need to Know