• Leah Norman

Privacy Act 2020

A lot has changed since the Privacy Act first came into effect in 1993, including the evolving use of the internet and data storage. A new Privacy Act 2020 (“the Act”) will come into effect on 1 December.


Anyone who collects, uses and stores personal information must follow new and existing rules in the Privacy Act. This applies to all business types, including sole traders and freelancers/contractors. Common examples of personal information collected by businesses include:

  • names

  • contact details

  • employment records

  • photos of workers or customers used for marketing, eg flyers or social media posts.

Whilst the Act retains the 12 key privacy principles found in the Privacy Act 1993, the additional changes reflect the major developments that have occurred over the last three decades.


The new Act brings New Zealand in line with international privacy and data protection laws.


Key changes:

  1. Notifiable privacy breaches – If a business or organisation has a privacy breach that it believes has caused, or likely to cause serious harm, it must notify the Privacy Commissioner and the affected individuals. The Privacy Commissioner will provide an online privacy breach notification tool to give guidance to assist businesses and organisations with this new obligation.

  2. Compliance notices – The Privacy Commissioner can issue compliance notices to businesses or organisations for a privacy breach. The notice will set out steps required to remedy non-compliance with the Act and will specify a date for making the necessary changes.

  3. Enforceable access directions – The Privacy Commissioner can direct businesses or organisations to provide individuals access to their personal information. Access directions will be enforceable in the Human Rights Review Tribunal.

  4. Disclosure of information overseas – If your business is based overseas, but you deal with individuals in New Zealand, you might be caught by the new Act even if you do not have a physical presence in New Zealand. The change introduces regulations on the disclosure of personal information. Under the new Act, New Zealand business or organisations will need to ensure overseas agencies have similar levels of privacy protection as those in New Zealand. If the overseas service provider does not offer similar protections to those in New Zealand, the individual concerned must be fully informed that their information may not be adequately protected.

  5. New criminal offences – There are two new criminal offences under the new Act. It will now be an offence to:

  6. Mislead an agency to obtain someone else’s personal information; and

  7. Destroy documents that contain personal information knowing it has been requested.

The maximum penalty will be a fine of up to of $10,000.


Every business will also be required to appoint a "Privacy Officer", normally this will be the person in charge of the office. This role involves:

  • a general understanding of how the Privacy Act relates to your business

  • checking personal information is collected responsibly and stored safely

  • making sure any issues or requests for personal information are handled promptly

  • handling privacy complaints made to your business, including working with the Office of the Privacy Commissioner (OPC) on any escalated complaints.


Existing Requirements:


You continue to be required to:

  • Only collect personal information needed for business reasons.

  • Tell people what you collect, including if you use cookies on your website.

  • Store personal information safely and securely.

  • Only keep information while you need it or are legally allowed to keep it.

  • Respond to someone’s request for personal information within 20 working days.

  • Update or correct personal information as required, eg new phone number.

You can only share personal information with others in specific circumstances. For example, it’s justified to give a courier a customer’s details to deliver a parcel. It’s one of the reasons your business gathered the information.


It's a good idea to check your privacy statement is up to date. This should tell people how you collect and use personal information.


With the new Act coming into effect in less than a month, now is the opportune time to review your existing practices and check that your privacy policies are up to date and will comply with the new Act. If you need some guidance or some assistance in how to ensure compliance with Privacy considerations in your workplace, give us a call 0508 924 357.


Disclaimer This article, and any information contained on our website is necessarily brief and general in nature, and should not be substituted for professional advice. You should always seek professional advice before taking any action in relation to the matters addressed.

Recent Posts

See All