
New Zealand Privacy Act 2020 – An Overview for Businesses

The New Zealand Privacy Act 2020 is the principal data protection regulation in New Zealand. It regulates the use of personal information by businesses and establishes a data protection standard similar to other data protection laws worldwide.

The New Zealand Privacy Act 2020 promotes and protects users’ privacy by providing a framework for organizations to handle their users’ personal information responsibly. It grants several rights to individuals to protect their personal information.

The law also implements several regulations for businesses handling the personal information of New Zealand citizens.

In this article, we give a complete overview of the New Zealand Privacy Act 2020 and how it affects your business.

Let’s dive in.

What Is the New Zealand Privacy Act 2020?

The New Zealand Privacy Act 2020 repeals the Privacy Act 1993. It governs how organizations handle the personal information of New Zealand citizens.

The act aims to establish internationally recognized privacy standards for protecting the personal information of New Zealand citizens, in line with the OECD Guidelines and the International Covenant on Civil and Political Rights (ICCPR).

The act came into effect on December 1, 2020, and is regulated by the Office of the Privacy Commissioner in New Zealand.

Who Does the New Zealand Privacy Act 2020 Apply To?

This act applies to individuals or businesses in New Zealand that deal with the personal information of New Zealand citizens, irrespective of where that information is handled, whether within or outside New Zealand.

Key Definitions Under New Zealand Privacy Act 2020

  • Personal information: Personal information refers to any information related to an identifiable individual, whether living or deceased. It includes information such as name, address, phone number, email address, date of birth, and information maintained by the Registrar-General under the Births, Deaths, Marriages, and Relationships Registration Act 2021 or any former Act.
  • Agency: Agency refers to any person or organization to whom the Act applies. This includes government agencies, businesses, and other organizations that collect the personal information of New Zealand citizens.
  • Individual: Individual refers to any natural living person.
  • Unique identifier: Unique identifier is any information related to an individual other than the name of the individual that can be used to uniquely identify the individual.
  • Collect: Collect refers to the process of actively seeking or obtaining personal information. It doesn’t include receiving unsolicited information.
  • Publicly available information: Publicly available information refers to personal information that is present in a publicly available publication.

Information Privacy Principles Under the Privacy Act 2020

The New Zealand Privacy Act 2020 sets out 13 information privacy principles for businesses handling the personal information of New Zealand citizens. These principles govern how businesses collect, use, store, and share personal information.

1. Purpose of Collection

An organization can collect personal information only for lawful purposes related to its work, and only where the collection is necessary for that purpose. If the lawful purpose doesn’t require the organization to know the identity of the individual, it can’t ask for personally identifiable information.

2. Source of Personal Information

If an organization needs to collect personal information about an individual, it must collect the information from the individual concerned. However, there are certain exceptions to this principle under reasonable circumstances, as follows:

  1. If it doesn’t affect the interests of the individual,
  2. If collecting from the individual would prejudice the lawful purpose for which the information is required,
  3. If the person allows someone else to give the information instead,
  4. If the information is publicly available,
  5. If it is necessary:
    • to avoid prejudice to the maintenance of the law,
    • for law enforcement,
    • for protecting public revenue,
    • for legal proceedings,
    • to prevent serious harm to someone’s life or health,
  6. If it is not practical to follow the principle in that situation,
  7. If the information won’t identify the person or will only be used for research or statistics that won’t reveal who the person is.

3. Collection of Information From Subject

An organization collecting the personal information of individuals should inform them:

  • that it is collecting their personal information,
  • the purpose of collecting the information,
  • who will have access to the information,
  • the name and address of the agency collecting and holding the information,
  • if collecting the information is required by law, which law requires it, and whether giving the information is optional or mandatory,
  • the consequences of not providing the information,
  • the person’s rights to access and correct the information under the information privacy principles.

The above information must be provided before collecting their personal information or immediately after collecting it.

Organizations need not inform individuals about the data collection under the same conditions listed in Information Privacy Principle 2 (Source of Personal Information).

4. Manner of Collection of Personal Information

An organization must collect personal information in a manner that is fair, lawful, and does not unreasonably intrude on an individual’s privacy, especially when collecting the personal information of children.

5. Storage and Security of Personal Information

An organization that collects the personal information of individuals must ensure that the information is protected by proper security measures to prevent loss, unauthorized access, modification, or disclosure, as well as other misuse.

It should also take appropriate measures to prevent the unauthorized use or disclosure of information that it shares with third parties.

6. Access to Personal Information

An individual has the right to know whether an organization has their personal information and the right to access it upon request.

7. Correction of Personal Information

An individual whose personal information is collected by an organization has the right to request its correction. The organization also has the responsibility to ensure that the information is accurate, up-to-date, complete, and not misleading.

When requesting the correction of the information, individuals can provide a statement of correction to the organization. This can be either a request for correction or any other statement concerning the correction.

If the organization refuses to correct the information, it must attach the statement of correction to the information and inform the third parties it has shared the information with.

8. Accuracy of Personal Information

An organization collecting the personal information of individuals must ensure that the information is accurate and up-to-date before using or sharing it.

9. Retention of Personal Information

Organizations collecting personal information should not keep the personal information when it is no longer needed for the lawful purpose it was collected for.

10. Use of Personal Information

Organizations cannot use personal information for purposes other than the original purpose for which it was collected. If you want to use personal information for a different purpose, it must either be directly related to the original purpose or fall within the conditions outlined in Information Privacy Principle 2.

11. Disclosure of Personal Information

An organization should not share or disclose personal information unless:

  • the disclosure of personal information is one of the purposes for which it was collected,
  • it is disclosed to the individual themselves,
  • the individual authorizes the disclosure of the personal information,
  • the information is publicly available,
  • it comes under the circumstances mentioned in Information Privacy Principle 2.

12. Disclosure of Personal Information Outside New Zealand

An organization can share or disclose personal information outside New Zealand only if:

  • the individual concerned gives consent to the disclosure of their personal information,
  • the foreign organization is subject to the act,
  • the foreign organization is subject to privacy laws similar to the act, or
  • the foreign organization is subject to a binding scheme or the privacy laws of a prescribed country.

13. Unique identifiers

Unique identifiers are those that can be used to uniquely identify an individual. These include passport numbers, driver’s license numbers, and social security numbers.

An organization cannot assign a unique identifier to an individual if another organization has already assigned that identifier to the individual. Organizations should ensure that unique identifiers are only given to individuals whose identity is clear. They also should take necessary steps to reduce the risk of misusing the unique identifiers.

What Are the Rights of Data Subjects Under the New Zealand Privacy Act 2020?

The New Zealand Privacy Act grants the following rights to data subjects regarding their personal information held by businesses.

  • Right to be informed: Individuals have the right to know when an organization collects their personal information, why it collects it, how it will use it, who will have access to it, and how long it will be retained.
  • Right to access: Individuals have the right to access the personal information an organization holds about them. They can request copies of their personal information collected by an organization.
  • Right to correction: Individuals have the right to request the correction of the data held by an organization. They can submit a statement of correction of their personal information and request that the organizations correct, edit, or modify inaccurate or incomplete information about them.
  • Right to limit the use and disclosure of information: The New Zealand Privacy Act provides individuals with the right to limit the use of their personal information by organizations. They have granular control of their personal information and can restrict the use of personal information for advertising or marketing purposes.

These are some of the key rights of data subjects outlined under the New Zealand Privacy Act 2020.

What Are the Duties and Responsibilities of the Privacy Commissioner?

The Office of the Privacy Commissioner (OPC) will oversee the implementation of the Privacy Act in New Zealand.

Below are the duties and responsibilities of the Privacy Commissioner under the New Zealand Privacy Act 2020:

  • Exercise the powers and carry out functions and duties under the act or any other laws.
  • Provide advice to Ministers and concerned authorities regarding matters relating to the act.
  • Promote understanding of the information privacy principles.
  • Prepare public statements on matters related to individual privacy.
  • Listen to public opinion regarding privacy.
  • Consult with businesses, agencies, and concerned authorities regarding privacy matters.
  • Examine laws and regulations that may affect individual privacy.
  • Monitor the use of unique identifiers.
  • Inquire into matters where individual privacy will be infringed.
  • Research and monitor data processing activities and technology developments that could affect individual privacy.
  • Advise individuals on matters related to privacy.
  • Conduct personal information audits for organizations.
  • Report to the government on matters affecting individual privacy.
  • Collect information for performing the duties.

How to Comply With the New Zealand Privacy Act 2020?

Here are some general guidelines for businesses handling personal information of New Zealand citizens to comply with the New Zealand Privacy Act 2020:

Understand the Act

Understand the scope and requirements of the act. Familiarize yourself with the 13 information privacy principles of the act. These principles are the core of the act and list out the key obligations for businesses.

Create a Privacy Policy

The New Zealand Privacy Act 2020 requires you to disclose the collection and use of personal information to your users. You can create a privacy policy page on your business website to inform users that you collect their personal information, why it is collected, how long it will be retained, and who has access to it. You should also specify the rights of the data subjects regarding their personal information and how they can exercise their rights.

Make sure that the privacy policy page is clear, concise and easy to access on your website. Check out our detailed guide on privacy policy template to learn how to create a privacy policy for your website.

Obtain Consent From Users

Most data protection regulations worldwide, including the New Zealand Privacy Act 2020, mandate obtaining prior consent from users before using their personal information. It’s essential to have a lawful basis and legitimate purpose for collecting users’ personal data.

Be transparent about why you’re collecting personal information and seek consent from users beforehand. Inform them of the consequences if they choose not to give consent.

As required by this act, the consent should be informed and freely given with clear affirmative action. Also, allow users to withdraw or modify their consent at any time.

If your website uses cookies for tracking or analytics, you should implement a cookie consent banner to inform visitors about cookie usage and request their consent.

Refer to our guide on “Best UI/UX Practices for Cookie Consent Banners” to create an effective cookie consent banner for your website.

Minimize Data Collection

Only collect the necessary information from your users. The less data you have, the less complex it is to comply with the act.

Also, do not use personal information for purposes other than the original purpose it was collected unless the new purpose is directly related to the original purpose or authorized by the user.

Appoint a Privacy Officer

Appoint a privacy officer for your business to oversee the data processing activities and ensure compliance with the act. The privacy officer should also address any queries from users related to their privacy. Also, they should work with the Privacy Commissioner for any investigations related to the agency.

Implement Security Measures

You need to ensure that the personal information collected from your users is kept safe and secure. Implement proper security measures to prevent unauthorized access to user data by third parties.

Data Breach Response Mechanism

You should have an active data breach response mechanism for your organization. Implement a proper response plan in case of a data breach. Also, inform the concerned authorities about the data breach and the steps you have taken within 20 working days. If required, consider informing the affected individuals whose data has been compromised.

If you fail to notify the data breach to the Privacy Commissioner, then you may face fines up to $10,000 NZD.

Regular Review and Updates

Do regular audits of your data processing activities to identify and mitigate any potential risks. Laws and regulations can change over time, so you should make sure that you are up-to-date with the latest regulations. Consider appointing a data protection officer to manage the data processing activities and address matters related to privacy for your business.

These are some general guidelines for your business to comply with the New Zealand Privacy Act 2020. However, we strongly recommend that you seek professional advice to ensure full compliance with the act.

What Are the Fines and Penalties for Non-compliance?

An organization that fails to comply with the regulations of the New Zealand Privacy Act may face fines of up to $10,000 NZD.

Additionally, individuals who knowingly provide false or misleading information to the Commissioner or any authorized person or who knowingly destroy documents containing personal information following a request for that information may also be subject to fines of up to $10,000 NZD upon conviction.

Apart from these, the Privacy Commissioner may issue a compliance notice if they find a violation of this act, a breach of a code of conduct, or a breach of the information privacy principles outlined in the act.

Frequently Asked Questions on New Zealand’s Privacy Act

When Did the New Zealand Privacy Act Come Into Effect?

The New Zealand Privacy Act 2020 came into effect on December 1, 2020. It replaced the previous Privacy Act 1993.

What Are the Consequences of Not Notifying a Data Breach?

If an organization fails to notify a data breach to the Privacy Commissioner without a reasonable excuse, it may be fined up to $10,000 NZD.

Do I Need to Appoint a Data Protection Officer (DPO)?

Yes. The New Zealand Privacy Act 2020 requires organizations to appoint privacy officers to oversee the data processing activities, ensure compliance with the act, and address any privacy-related queries from users.

Additionally, other privacy laws, such as GDPR, may necessitate the appointment of a data protection officer, particularly if your organization operates internationally and handles personal information from users outside New Zealand.

Where Can I Find More Information About the New Zealand Privacy Act?

Refer to the official text here to find out more information on the New Zealand Privacy Act 2020.

Conclusion

The New Zealand Privacy Act 2020 is a comprehensive data protection regulation that imposes 13 principles for protecting the personal information of New Zealand citizens. The act was introduced to replace the Privacy Act of 1993 and establish a more secure framework for addressing the privacy concerns of the current digital age.

We hope this article has helped you understand the New Zealand Privacy Act 2020 and how to comply with it. If you find it helpful, please let us know in the comments.

Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.

Article by

Content Writer @ WebToffee. With a background in journalism, I focus on eCommerce and data privacy. I've been writing about data protection and eCommerce marketing for over two years, crafting content that makes complex regulations easy to understand. I help businesses and individuals navigate evolving legal requirements and stay updated with the latest privacy standards.
