Changes to the Privacy Act



The Privacy Act 2020 replaced the Privacy Act 1993, and came into force on 1 December 2020. The exponential change in the use of technology in society since 1993 together with globalisation, was a driving force for the necessary change to New Zealand’s privacy laws.

The central information privacy principles within the Act regarding how agencies collect, use, disclose and store personal information, fundamentally remain the same, with exceptions. However, enforcement of and penalties under the Act, particularly by the Privacy Commissioner, are now extended and strengthened. This article touches on the more salient changes to the Act.

Breach notification – Where an agency (generally a business or organisation) breaches privacy that causes serious harm to someone or is likely to cause serious harm, it must notify the Privacy Commissioner immediately and any persons affected by the breach. Under the 1993 Act, this was not mandatory, only encouraged. Now, where agencies do not comply, they can be fined up to $10,000. Online tools are available for agencies to lodge such notifications.

Compliance notices – If an agency is not meeting its obligations under the Act, the Privacy Commissioner may serve a compliance notice to that agency to do something or to stop doing something.

Access requests – The Act makes it easier and more efficient for people to access information about themselves that is held by an agency. Generally, complaints regarding privacy often arise where an agency refuses to provide information held about a person, to that person, upon their request. The Privacy Commissioner can now make binding decisions relating to complaints such as these.

Information sent overseas – Agencies can only send personal information overseas provided there are either protections in place that comply with the Privacy Act 2020, the overseas privacy safeguards are similar to the Privacy Act 2020, or the relevant individual to which the personal information relates to, authorises such disclosure. Overseas businesses may be subject to the Privacy Act even if they do not have a physical office in New Zealand. There may be exemptions to this depending on how the personal information is used, i.e. with cloud-based businesses, however, this is yet to be contested.

New offences – Four new offences have been introduced under the Act which may result in a fine of up to $10,000, namely:

  1. Impersonating someone or claiming to have someone’s authority to obtain personal information or destroying/altering the personal information.
  2. Destroying a document after someone has specifically requested it.
  3. Breaching the Privacy Commissioner’s compliance order.
  4. Failing to report a serious breach notification.

Where you wish to discuss or learn further about your privacy rights as an individual or your obligations as a business owner, it is suggested to get in touch with a lawyer. If you are a business owner and you have not already reviewed your privacy terms and conditions, now is the time to do this and ensure that you have protocols in place to provide personal information to customers carefully and efficiently, if requested.