New Zealand Privacy Act 2020: Guide for Compliance

Table of Contents

Suppose you own a business dealing with personal data inside New Zealand. In that case, it is in your business’s best interest to take note of the updated New Zealand Privacy Act 2020 to avoid finding your business on the wrong side of the law.

This welcomed update to the New Zealand Privacy Act shows how the country is committed to keeping up with the growing and evolving world of data privacy. But what does this update mean for your business?

To help your business stay compliant, we have compiled a complete guide on everything you need to know about the New Zealand Privacy Act 2020 and some steps your business can take to stay compliant.

Let’s dive in.

Key Takeaways

The New Zealand Privacy Act 2020 is a set of principles that govern how businesses collect, process, store and distribute your personal information.

The Office of the Privacy Commissioner (OPC) enforces the principles of the Act and is the highest authority over all decisions

The new privacy breach notification process is the most important update to the Privacy Act.

What is the New Zealand Privacy Act 2020?

What is the New Zealand Privacy Act 2020 (1).jpg

What is the New Zealand Privacy Act 2020 (1).jpg

The New Zealand Privacy Act 2020 is a set of principles that govern how organizations and businesses operating in New Zealand collect, process, store and distribute your personal information.

New Zealand’s amended 2020 Privacy Act replaced the previous Privacy Act 1993 to adapt to modern times. The updated Act came into effect on 1 December 2020, and while it has been amended, it still keeps the principle-based approach of the previous Act, like the GDPR.

However, it should be noted that the GDPR does not apply within New Zealand unless your business is sending information outside of New Zealand or you’re doing business with citizens of the EU.

Before we get further into the guide, it is important to clarify that the New Zealand privacy law states these principles are applied to all agencies. According to the Privacy Act, agencies include businesses, organizations and even individuals that deal with the personal data of citizens of New Zealand.

The Office of the Privacy Commissioner (OPC) is who enforces the principles of the Act and is the highest authority when it comes to dealing with issues of non-compliance.

The OPC wants to make it easy for businesses like yours to stay compliant, so they offer free online learning privacy modules for your employees. These modules will give you an overview of the New Zealand Privacy Act 2020, how to reduce the risk of data breaches, and the reporting process when it does, unfortunately, happen.

Scope of the New Zealand Privacy Act 2020

The New Zealand Privacy Act 2020 applies to all agencies, which means businesses, organizations and individuals that are handling personal information, regardless of whether it’s in the private or public sector.

The Privacy Act was created to govern:

How personal information is collected

How personal is stored

How the personal information is used and disclosed

The Act also governs how the information is stored, which includes making sure it’s stored securely to prevent any data breaches. Access must be given to people looking to view or correct their information.

Businesses that have to follow the Privacy Act include:

Certain government departments and agencies

Private or public companies

An individual who is a resident of New Zealand

Small businesses in the private or public sector

Charities, societies, and community groups

Social clubs

While this has listed an individual under businesses that need to follow the privacy act, this only applies if the individual is not acting in their domestic or personal capacity because then they wouldn’t be classified as an agency.

According to the Act, personal information is defined as “information about an identifiable individual and includes information relating to a death.”

Personal information that is covered by this Act includes:

People’s names

Contact details

Financial health

Purchase records

Home addresses



Religious, cultural or political beliefs

Members of unions

Biometric information

Under the Act, there is no difference between sensitive information and personal data, and all personal data is supposed to be handled as outlined in the ten privacy principles.

Exemptions to New Zealand Privacy Act 2020

Section 8(b) of the Privacy Act outlines a number of businesses or agencies that are exempt from the following principles of the New Zealand Privacy Act 2020.

Exempt agencies include:

Courts and tribunals that are carrying out their judicial tasks

The Sovereign

Member of Parliament in official capacity

Parliamentary Service Commission

House of Representatives


News media when gathering information for reporting


13 Privacy Principles of New Zealand Privacy Act 2020

The New Zealand Privacy Act 2020 has 13 privacy principles that all agencies must follow to remain compliant with New Zealand law.

Purpose for collection

The first principle governs what purposes your business can collect personal information for and that you are only gathering information that is absolutely necessary for the purpose. You should be asking yourself if this information is really needed.

This principle was created to practice data minimization and increase cybersecurity because this is one of the best ways to prevent personal information from being subject to unnecessary like leaked data from a data breach.

Source of information

The second principle of the Privacy Act governs how your business collects personal information, where you can collect the information from and how you can collect it. According to the Act, this is how personal information must be collected:

Only collect information that is needed and is necessary for lawful purposes like product services or employment.

The information needs to be collected directly from the person (data subject). If you cannot gather this personal information directly from the person, you need to obtain consent before approaching third parties.

You need to inform the person you’re collecting data from how and why you’re collecting their information.

What to tell the individual about the collection

The third principle governs how you tell an individual when you’ve collected personal information from a person. You need to let them know why you collected the information, what it will be used for, and to whom it will be given.

One of the best ways to do this is to create a privacy statement to tell people you’re collecting their information, how you’re doing and why you’re doing it.

Manner of collection

All personal information that is collected needs to be done in a manner that is respectful and intrusive. Principle four of the Act states that you may not threaten, coerce or mislead people when collecting their data.

Your business should be paying careful attention to collecting information from young people and minors, making sure you have gathered genuine consent.

Storage and security of information

Principle five ensures that all agencies that have collected personal information have taken the appropriate steps to prevent loss, loss or unauthorized sharing of personal information. The updated laws require businesses to notify the OPC of a breach.

Providing people access to their information

According to principle six, a person has a right to access the collected personal information and ask for that information to be corrected. Typically, there should be no charge to access personal information.

However, there are some instances where businesses or organizations are within their right to withhold access to the information if, for example, it is because of the following:

Threat to the health or safety of the person or the country


Unwarranted disclosure of another person’s affairs

Information used for judicial purposes

International relations

If a business fails to provide access, the person (data subject) can take the matter to the OPC.

Correction of personal information

Principle seven allows people to request that their stored information be corrected and that businesses attach the statement of corrections to their records. Even if the business does not agree with the change, reasonable steps must be taken, and a statement of corrections is needed.

The OPC will handle any disputes.

Ensure accuracy before using information

Before your business uses or shares collected personal information, you need to check that all the gathered information is relevant and accurate. According to principle eight, the information must be up to date and not misleading.

Limits on retention of personal information

Principle nine doubles down on principle one, making it clear that businesses should not keep collected personal information longer than it was originally needed. If the information is no longer needed for the original purpose, a business simply should not keep it.

Use of personal information

Principle 10 governs how businesses use the collected personal information and ensures that it is being used for the original purpose for which it was collected. This principle has exceptions if the person has given consent that the information can be used for other purposes.

Disclosing personal information

Businesses may only share collected personal information for the purpose it was originally intended for. According to principle 11, businesses may only disclose collected information if they were given consent. The information is necessary for safety and security or is being used for judicial purposes.

Disclosure outside New Zealand

Principle 12 is a new principle added in the 2020 update that governs how businesses share collected information with people or organizations outside of New Zealand.

Personal information can only be shared outside of New Zealand:

If the receiving business is subject to the Data Privacy Act

If there are sufficient protection measures

If the receiving business is subject to data privacy laws like the GDPR or the Australia Privacy Act

If none of the above are relevant, then cross-border disclosure can only be done with explicit consent from the individual concerned.

Unique identifiers

Principle 13 gives businesses restrictions on assigning identifying numbers and unique identifiers to individuals. These identifiers should only be assigned when necessary. These include:

IRD numbers

Driver’s license numbers

National Health Index (NHI) numbers

Passport numbers

New Zealand Privacy Act 2020 Checklist

New Zealand Privacy Act 2020 Checklist.png

New Zealand Privacy Act 2020 Checklist.png

To ensure that your business complies with the New Zealand Privacy Act 202, there are some things that your business can do—use our checklist to practice good data protection.

Notify of Data Breaches

The privacy breach notification was one of the biggest changes to the New Zealand Privacy Act 2020. The Privacy Act defines a privacy breach as unauthorized:

Access to personal information

Loss of information

Destruction of information

Disclosure of information

Alteration of information

The Act governs that businesses are only supposed to notify the CPO of a privacy breach that is, according to section 113 of the Act, “likely to cause serious harm.”

When your business is assessing whether the privacy breach is likely to cause harm, you need to consider what you have done to reduce the risk of harm, what type of information was affected and whether it was sensitive information. You need to assess who obtained the individuals’ information.

If you believe the breach can cause harm, you need to notify the CPO. Here’s how:

Use the online “NotifyUs” feature

Provide a description of the breach

List the steps you’re taking in response to the breach

Provide information on your public notice

Provide contact details for people you have notified and for your business

You should also notify the individual as soon as reasonably possible. If you cannot contact them directly, the OPC will guide you on steps to inform your consumers of the data breach. This could include a banner on your website or more.

Ensure Transfers to Secure Locations

Your business needs to ensure that you are sharing collected personal information to secure locations. This means that the receiving business or organization has appropriate safety measures in place and is subject to some kind of data protection law.

While the OPC has released a list of countries that are considered secure locations, you can use the EU’s list that the GDPR accepts for a general idea of which countries have adequate data security measures.

Appoint a DPO if Needed

Section 201 of The New Zealand Privacy Act 2020 requires that businesses appoint a data privacy officer who is knowledgeable in New Zealand’s privacy laws.

This individual is responsible for:

Ensuring the agency complies with the Act (i.e. creating a privacy policy, ensure security of data, ensuring consent, etc.)

Collaborating with the OPC in investigations

Dealing with DSARs

This will help your business stay compliant with the law. This individual does not need to be a citizen or resident of New Zealand.

Respond to DSARs Quickly

Principle six requires all businesses to give people access to their personal information and must respond within one month after receiving access requests. Not responding to DSARs quickly can result in fines or other legal action.

Penalties for Non-Compliance with New Zealand Privacy Act 2020

Should your business not follow the 13 principles provided in the Privacy Act, your business will no longer be compliant with the law and can face penalties. The update to the Act saw increased fines and new offenses to punish businesses that break the rules.

The CPO will issue non-compliant businesses with a compliant notice with steps that need to be taken. Businesses that refuse to comply with the compliance notice can be fined up to $10,000 per violation.

A new offense introduced was fine for misleading an individual or business to gain access to their information. This fine can cost up to $10,000. If your business destroys information after a DSAR has been issued, this is also a $10,000 fine.

Failure to notify the CPO of a data breach can also result in a fine of $10,000.

On top of this, you may face reputation damages and non-compliance with other more stringent privacy laws, which may bear financial penalties far exceeding this.


With the newly added offense and higher fines, you’ll want to avoid putting your business on the wrong side of New Zealand law. This means making sure you are following the provided principles and providing adequate data protection.

These regulations can be complex, so having Captain Compliance, a global compliance services service, on your side is key to remaining compliant in New Zealand.

We offer compliance solutions to help your business comply with all the principles of the New Zealand Privacy Act 2020. Get in touch with Captain Compliance today.


What is a privacy policy in NZ?

In New Zealand, a privacy policy is required to inform people how you plan to collect personal information, why you need it and how it will be used.

Learn how to draft a privacy policy.

Who regulates the Privacy Act in New Zealand?

The Office of the Privacy Commissioner (OPC) regulates the Privacy Act.

Explore why you need a privacy strategy.

Is the NZ Privacy Act 2020 the same as GDPR?

No, the New Zealand Privacy Act 2020 is similar to the GDPR. However, the GDPR has higher penalties, stricter breach notification protocols, and more data subject rights.

Learn more about the GDPR.

What is considered a breach of privacy in NZ?

In New Zealand, a breach of privacy is considered as unauthorized:

Access to personal information

Loss of information

Destruction of information

Disclosure of information

Alteration of information

Learn more about data protection.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo with a compliance SuperHero or get started today.