New Zealand’s new Privacy Act comes into effect on 1 December 2020, replacing the Privacy Act 1993. The new Act offers further protection for individuals and spells out new obligations that must be met by businesses and organisations doing business in New Zealand.
What’s Different in the New Privacy Act?
The following summary outlines the key changes. Click on the links to be directed to more information that will help to further explain your obligations under the Act.
Mandatory Notifiable Privacy Breaches
If a business or organisation experiences a privacy breach that has caused serious harm to someone (or is likely to do so), it will need to notify both the affected people (so that they can take action to protect themselves) and the Office of the Privacy Commissioner as soon as practicable. It is an offence to fail to notify the Privacy Commissioner of a notifiable privacy breach. Failure to notify could incur a fine of up to $10,000.
More information:
https://www.privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-Information-sheet-2-breach-notifications.pdf
Report Privacy Breaches (NotifyUs Tool):
https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/
Compliance Notices
The Privacy Act 2020 allows the Privacy Commissioner to issue compliance notices to businesses and organisations that are not meeting their obligations under the Act. Refusing to comply with a compliance notice is an offence and can attract a $10,000 fine.
More information:
https://privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-information-sheet-4.pdf
Privacy Act 2020 - Privacy Principles
We thought it worthwhile to include summaries of all the Principles contained within the Privacy Act 2020 so that you can make sure your business or organisation is compliant. The Privacy Act 2020 has 13 Privacy Principles that govern how you should collect, handle and use personal information. Principles 1, 4 and 13 are all updated from the 1993 Act and Principle 12 is a new addition. These are highlighted within the text below.
The following information has been gathered directly from the Office of the Privacy Commissioner website.
Principle 1 – Purpose for Collection (Updated)
You can only collect personal information if it is for a lawful purpose and the information is necessary for a lawful purpose connected with what your organisation does. You should practice data minimisation and not require identifying information if it is not necessary for your purpose.
The new Act has clarified that you can only collect identifying information if it is necessary – if you don’t need it, you shouldn’t collect it.
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/1/
Principle 2 – Source of Personal Information
You should generally collect personal information directly from the person it applies to. Where that is not possible, you can collect it from other people in certain situations. For instance, if:
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/2/
Principle 3 - What to tell an individual
When you collect personal information, you must take reasonable steps to make sure that the person knows:
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/3/
Principle 4 – Manner of Collection (Updated)
You may only collect personal information in ways that are lawful, fair and not unreasonably intrusive.
Organisations must now take particular care when collecting personal information from children and young people.
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/4/
Principle 5 - Storage and Security
You must make sure that there are reasonable security safeguards in place to prevent loss, misuse or disclosure of personal information. This includes limits on employee browsing of other people’s information – if they are not entitled to do so as part of their job.
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/5/
Principle 6 – Access to Personal Information (New Access Directions)
People have a right to ask you for access to their personal information. In most cases you must promptly give them their information. Sometimes you may have good reasons to refuse access. For example, if releasing the information could:
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/6/
If an organisation refuses or fails to provide access to personal information without a proper basis, the Commissioner may now compel the agency to give this information to the individual concerned.
More information here: https://privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-information-sheet-6.pdf
If a business or organisation destroys personal information to avoid handing it over to a person that has requested the information, this will be a criminal offence and the business or organisation can be fined up to $10,000.
More information here: https://privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-information-sheet-4.pdf
Misleading an agency to get personal information (e.g. impersonation) is also now a criminal offence under the Privacy Act 2020 and can attract a $10,000 fine.
More information here: https://privacy.org.nz/assets/Privacy-Act-2020-Information-Sheets/Privacy-Act-2020-information-sheet-4.pdf
Principle 7 – Correction of Personal Information
A person has a right to ask an organisation or business to correct their information if they think it is wrong. Even if you don’t agree that it needs correcting, you must take reasonable steps to attach a statement of correction to the information to show the person’s view.
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/7/
Principle 8 - Accuracy
Before using or disclosing personal information, you must take reasonable steps to check it is accurate, complete, relevant, up to date and not misleading.
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/8/
Principle 9 – Retention of Information
You must not keep personal information for longer than is necessary. Information can only be held for as long as needed to achieve the purpose for which it was collected.
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/9/
Principle 10 – Limits on Use
You can generally only use personal information for the purpose you collected it. You may use it in ways that are directly related to the original purpose, or you may use it another way if the person gives you permission, or if the information won’t identify the person concerned, or for certain law enforcement purposes.
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/10/
Principle 11 – Limits on Disclosure
You may only disclose personal information (share, transfer, give a copy) in limited circumstances. For example, if:
You should get consent to share wherever possible.
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/limits-on-disclosure-of-personal-information-principle-11/
Principle 12 – Overseas Disclosure (New)
Cross-border disclosure: you can only send personal information to someone overseas if the information will be adequately protected. For example:
Further information about cross-border disclosure is provided here:
https://privacy.org.nz/privacy-act-2020/privacy-principles/12/
https://privacy.org.nz/publications/guidance-resources/disclosing-personal-information-outside-new-zealand/
Principle 13 – Unique Identifiers (Updated)
A unique identifier is a number or code that identifies a person in your dealings with them, such as an IRD or driver’s licence number. You can only assign your own unique identifier to individuals where it is necessary for operational functions. Generally, you may not assign the same identifier as used by another organisation.
More information: https://privacy.org.nz/privacy-act-2020/privacy-principles/13/
If you assign a unique identifier to people, you must make sure that the risk of misuse is minimised to reduce the frequency and impact of identity theft.
How Do You Ensure You're Compliant?
The following action steps are provided to assist you in ensuring you are meeting your obligations under the new Privacy Act 2020, but they do not constitute legal advice. We suggest that you seek legal advice to ensure you are taking the right steps to become and remain compliant.
Essential Resources for Businesses and Organisations
Privacy Act Resources – Office of the Privacy Commissioner website
Free Online Privacy Education - Office of the Privacy Commissioner website
Full Privacy Act 2020 - Legislation New Zealand
Protecting Customer and Employee Information – Business.govt.nz
Cyber Security Resources – Cert NZ
Lastly, if your business is operating within the European Economic Area you may also need to make sure you are compliant with the requirements of the General Data Protection Regulation (GDPR). Check out our blog post for more information.
Written by Karyn Ogier
Here from the very beginning, Karyn was originally a co-founder of Apex Digital and carried the Strategy & Marketing Director title for more than two decades. Karyn switched gears at the end of 2018 when she returned to study in a new field. Now in a contract Content Writer capacity, she has a wealth of knowledge in the industry and has been...