New Zealand’s Privacy Act of 1993 has been replaced by The Privacy Act 2020 or ‘The 2020 Act’. It went into effect in June 2020, barring certain aspects that came into effect later that year. The Privacy Act 2020 mandates that all companies must report data breaches if they pose a threat to anyone’s privacy. The Act also poses fines of up to NZ$10,000 ($7,000 USD) for non-compliance. The Act requires every organization dealing with data to appoint a privacy officer who ensures ethical data extraction and transfer practices.
Personal Information is defined as information about an identifiable individual, and includes information relating to a death (maintained under the Births, Deaths, Marriages and Relationships Registration Act 1995 or 1993 Act).
Similar to the concept of 'data subject' in the GDPR, The 2020 Act recognizes the rights of an 'individual' (a natural person, who is not deceased). Within the context of the use of personal information, The 2020 Act refers to the 'individual concerned', meaning the 'individual' to whom the personal information relates.
The 2020 Act contains 13 Information Privacy Principles (IPP):
The Privacy Act 2020 gives the Privacy Commissioner the power to issue codes of practice that become part of the law. These codes modify the operation of The Privacy Act and set rules for specific industries, organizations, or types of personal information.
There are currently six codes of practice:
Civil Defense National Emergencies (Information Sharing) Code 2020
Credit Reporting Privacy Code 2020
Health Information Privacy Code 2020
Justice Sector Unique Identifier Code 2020
Superannuation Schemes Unique Identifier Code 2020
Telecommunications Information Privacy Code 2020