Data Privacy in New Zealand

New Zealand’s Privacy Act of 2020

New Zealand’s Privacy Act of 1993 has been replaced by the Privacy Act 2020, or ‘The 2020 Act’. It went into effect in June 2020, apart from certain provisions that came into effect later that year. The Privacy Act 2020 mandates that all companies must report data breaches if they pose a threat to anyone’s privacy. The Act also imposes fines of up to NZ$10,000 ($7,000 USD) for non-compliance. The Act requires every organization dealing with data to appoint a privacy officer who ensures ethical data extraction and transfer practices.

Key Definitions

Personal Data

Personal Information is defined as information about an identifiable individual, and includes information relating to a death (maintained under the Births, Deaths, Marriages and Relationships Registration Act 1995 or 1993 Act).

Data Subject

Similar to the concept of ‘data subject’ in the GDPR, The 2020 Act recognizes the rights of an ‘individual’ (a natural person, who is not deceased). Within the context of the use of personal information, The 2020 Act refers to the ‘individual concerned’, meaning the ‘individual’ to whom the personal information relates.

Key Principles of The 2020 Act

The 2020 Act contains 13 Information Privacy Principles (IPPs):

Purpose of Collection

Organizations must not collect personal information unless the information is collected for a lawful purpose connected with a function or an activity of the agency and the collection of the information is necessary for that purpose. The organization must focus on data minimization and refrain from collecting information that identifies an individual.

Source of Personal Information

The 2020 Act dictates that organizations must collect information directly from the source (the individual the information is about). If that is not possible, organizations can collect it from other sources in certain situations, for instance:

  • If the person concerned authorizes collection from someone else
  • If the information is collected from a publicly available source
  • If collecting information from the person directly is not practicable or would undermine the purpose of collection

Collection of Information from Subject

Organizations should disclose the reason for collecting personal information and data. They must also make clear why and how they intend to use the data. Organizations need to disclose the intended recipients of the information along with the name and address of the agency that is collecting the information and the agency that will hold the information. They also need to state the particular law by or under which the collection of the information is authorized, and whether providing the information is voluntary or mandatory.

Manner of Collection

Personal information must be collected in a way that is lawful, fair and reasonable in the circumstances. Involuntary collection of data is considered an unfair and unlawful practice under the Privacy Act 2020. The law also mandates that organizations take particular care while collecting information from children and young people, including obtaining the consent of the responsible adult or guardian in the case of minors.

Storage and Security of Personal Information

Organizations and agencies that collect data must protect the information by taking such security safeguards as are reasonable in the circumstances to prevent loss, and to prevent access, use, modification or disclosure that is not authorized by the agency, as well as other misuse. In case of a serious breach, the organization or agency must notify the Office of the Privacy Commissioner within 72 hours.

Access to Personal Information

The Privacy Act 2020 gives individuals the right to access their personal information and, upon request, to receive confirmation of whether the agency holds any personal information about them. In most cases, organizations and agencies are not allowed to charge the individual for a request to access their own personal information. Under certain circumstances, agencies and organizations can withhold information, for example where disclosure would:

  • Pose a serious threat to the life, health or safety of an individual, or expose an individual to harassment
  • Prejudice an individual’s physical or mental health
  • Prejudice security, defense or international relations
  • Reveal evaluative material
  • Endanger the protection of victims
  • Prejudice the maintenance of the law
  • Breach legal professional privilege

Correction of Personal Information

The Privacy Act 2020 gives individuals the right to correct their personal information. The law requires any agency or organization that holds personal information to take reasonable steps to ensure the information is accurate, up to date, complete, and not misleading. If the agency or organization does not agree that the information needs to be corrected, the individual can ask that a statement of correction be attached to its records, and the agency or organization should take reasonable steps to do so.

Accuracy of Personal Information

The Privacy Act 2020 states that an organization or agency must check before using or disclosing personal information that it is accurate, up to date, complete, relevant and not misleading.

Retention of Personal Information

The law does not allow organizations and agencies to hold personal information for longer than necessary.

Limits on Use of Personal Information

Under the Privacy Act 2020, organizations and agencies can only use the data for the purpose for which it was collected; use for a different purpose is restricted. In addition to the uses authorized under the Privacy Act 2020, an intelligence and security agency that holds personal information obtained in connection with one purpose may use the information for any other purpose (a secondary purpose) if the agency believes the secondary use is necessary to enable it to perform any of its functions.

Disclosure of Personal Information

The law dictates that any organization or agency that holds personal information must not disclose it to any other agency, organization or person unless the agency believes the disclosure is connected with the purpose for which the information was collected. An organization may disclose personal information when:

  • Disclosure is one of the purposes for which the organization got the information
  • The person concerned authorizes the disclosure
  • The information is to be used in a way that does not identify the person concerned
  • Disclosure is necessary to avoid endangering someone’s health or safety
  • Disclosure is necessary to uphold or enforce the law

Disclosure Outside New Zealand

Any organization or agency may only disclose personal information to a foreign person or entity if:

  • The receiving organization is subject to The Privacy Act because they do business in New Zealand
  • The receiving organization will adequately protect the information, e.g. by using model contract clauses, or is subject to privacy laws that provide comparable safeguards to The Privacy Act
  • Neither of the above applies, in which case the agency or organization may only make the cross-border disclosure with the permission of the person concerned

Unique Identifiers

The Privacy Act 2020 states that any organization or agency may only assign unique identifiers to people when it is necessary for its functions; otherwise, assigning identifying numbers and other unique identifiers to individuals is restricted to safeguard their privacy. An organization or agency cannot assign a unique identifier to a person if that identifier has already been assigned to that person by another organization. Organizations and agencies must also take reasonable steps to protect unique identifiers from misuse and must verify a person’s identity before assigning them a unique identifier.

Codes of Practice

The Privacy Act 2020 gives the Privacy Commissioner the power to issue codes of practice that become part of the law. These codes modify the operation of the Privacy Act and set rules for specific industries, organizations, or types of personal information. There are currently six codes of practice:

  • Civil Defense National Emergencies (Information Sharing) Code 2020
  • Credit Reporting Privacy Code 2020
  • Health Information Privacy Code 2020
  • Justice Sector Unique Identifier Code 2020
  • Superannuation Schemes Unique Identifier Code 2020
  • Telecommunications Information Privacy Code 2020

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope.