Regulation

New Zealand Privacy Act

The New Zealand Privacy Act 2020 received Royal Assent on June 30, 2020 and became effective on December 1, 2020. The Act replaced the Privacy Act 1993, providing a GDPR-like framework to better protect individuals’ privacy rights.

The New Zealand Privacy Act is a comprehensive law that applies to the following:

All personal information of individuals (other than deceased individuals) collected or stored while in New Zealand.
Actions taken by organizations in New Zealand with respect to collected or stored personal information.
Overseas organizations doing business in New Zealand that collect and store personal information.

Obligations under the New Zealand Privacy Act

Key information privacy principles

Organizations must comply with obligations around 13 information privacy principles, including requirements for personal information collection, use, accuracy, security and storage, complying with rights of access and correction, and reporting personal information breaches.

Appoint a privacy officer

The Act requires organizations to appoint privacy officers to encourage compliance with the information privacy principles and the Act, dealing with requests, and engaging with the Privacy Commissioner.

Unique identifiers and matching programs

Assign unique identifiers only if it is necessary to carry out internal functions more effectively, and where the identity of the individual has been confirmed. Organizations involved in an authorized information matching program need to take reasonable steps, which may include public notification, to ensure affected individuals are notified of the program.

Codes of practice

The Act gives the Privacy Commissioner the power to issue codes of practice for specific industries, agencies, activities or types of personal information such as the Credit Reporting Privacy Code and Health Information Privacy Code.

International data transfer

The European Commission confirmed in January 2024 that New Zealand’s data protection safeguards remain adequate, allowing personal information to continue being transferred between the European Union and New Zealand. Organizations should assess international transfers of personal information to other countries to ensure it is being transferred using mechanisms allowed under the Act.

Webinar

CBPR – Navigating Cross-Border Data Privacy Compliance

In this highly anticipated webinar, we explore the background the future direction and assess the potential business case for companies considering certification under the new Global CBPR System.

Watch now

Achieve compliance

FAQs

How long do organizations have to report a breach?

72 hours for breaches that could cause serious harm to affected individuals.
Can organizations be fined by the Privacy Commissioner for violations?

The Privacy Commissioner has no power to make rulings or determinations, issue fines or bring prosecutions, or direct settlements. However, the Commissioner has been known to ‘name and shame’ organizations that have violated the Act.
What data subjects’ rights are available?

Data subjects have rights of access, information correction, and opting out of direct marketing. The Act does not include a right to be forgotten or data portability.

Related resources

View all resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.