NZ Privacy Act changes – what do you need to know?
By Blair Corbett
Technology has advanced significantly since the introduction of the New Zealand Privacy Act in 1993.
The variety of connected devices we now use to access information every minute of the day has transformed how organisations collect and use personal information.
To align New Zealand with global privacy standards such as GDPR, the New Zealand Privacy Act 2020 came into effect on December 1st 2020.
This updated act ensures organisations are responsible and take good care of the personal information they hold - related to both customers and their employees.
With the introduction of the New Zealand Privacy Act 2020 there are some notable changes that organisations need to be aware of:
1) Appointing a security officer
Organisations will need to appoint at least one privacy officer who is required to have a general understanding of the Act and deal with issues as they arise.
2) Requirements to report privacy breaches
Privacy breaches that cause serious harm, or are likely to do so, must be reported to both the Privacy Commissioner and any potentially affected individuals as soon as they occur. If you are unsure whether a breach has been committed, the Office of the Privacy Commissioner has launched NotifyUs – an online tool that can help organisations assess whether breach notification is required. Liability for privacy breach notifications now sits with a business or organisation and not individual employees.
3) Strengthening Cross-Border Protections
Organisations must take reasonable steps to ensure information sent or stored offshore is protected with comparable privacy standards.
4) Compliance notices
The Privacy Commissioner can issue compliance notices to an organisation, requiring it to take action or stop taking a particular action to comply with privacy laws. This may also result in the Privacy Commissioner publishing the identity of the organisation.
5) New criminal offences
It will be a punishable offence to mislead an agency in a way that affects someone else's information and to destroy documents containing personal information if a request has been made for it. This penalty will be a fine of up to $10,000.
6) Complaints to the Human Rights Tribunal
Due to the nature of the offences above, and the failure of organisations to act appropriately, the Office of the Privacy Commissioner can make official complaints to the Human Rights Tribunal. This may be heard in open court and have a maximum fine of $230,000 - and generate a significant amount of unwelcome publicity.
7) Identifying information cannot be collected unless required
Organisations are prohibited from obtaining more identifying information from an individual than is necessary for the purpose for which it is being collected.
While this is a summary of the changes, it’s clear the implications of the new law are far-reaching. Organisations must be familiar with the Act and how it will affect them. Ensure your organisation reviews the changes to the Act on the Privacy Commissioner site.
If you require further guidance, Parallo can help gauge your level of compliance through our Security Service offerings - contact Parallo or me for more details.
Connect with me on LinkedIn and let’s talk security!