New Zealand’s new Privacy Act – Key changes to protect personal information

On 1 December 2020, the New Zealand Privacy Act 2020 came into effect. This piece of legislation brings with it a raft of new measures to protect personal data including mandatory data breach notifications, and new civil and criminal penalties.

Who does the new Act affect?

The new Privacy Act will affect all organisations that collect, store or use personal information in New Zealand. This extends to overseas organisations that are carrying on business in New Zealand, regardless of whether the information is held in NZ or not.

Mandatory Data Breach Notifications

One of the most notable changes is the introduction of a mandatory data breach regime. This means that if a breach causes, or is likely to cause, significant harm, the organisation is required to notify the Privacy Commissioner and any affected individuals.

One of the interesting features of the new Act is that it extends the definition of a privacy breach to include actions that temporarily or permanently prevent personal information from being accessed. This means that ransomware attacks in which personal information is encrypted but not necessarily exfiltrated may also require that the Commissioner be notified.

To assist in assessing whether notification is required, the Privacy Commissioner has released NotifyUs, an online questionnaire that helps organisations determine the likely impact of a data breach.

Restrictions on disclosing information overseas

Organisations may now only disclose personal information to a third party or other organisation outside of New Zealand if the third party is subject to safeguards comparable to those defined in the new Privacy Act.

If the jurisdiction does not offer these protections, impacted individuals must be notified and must consent prior to the disclosure.

New Regulatory Powers and Penalties

The Privacy Commissioner is now able to issue compliance notices to organisations, compelling them to take an action or to refrain from doing something in order to comply with the new Act.

If an organisation refuses an individual access to their information, the Commissioner is now able to direct the organisation to provide that access via an enforceable access direction.

Failure to comply with either an enforceable access direction or compliance notice can result in a fine of up to NZ$10,000.

The Act also introduces new criminal offences. Of note, it is now an offence for an organisation to destroy personal information knowing that a request to access it has been made. Similarly, failing to notify the Commissioner of a notifiable data breach without reasonable excuse can also result in criminal charges.

The changes introduced in the new Act mean that organisations in New Zealand, and those businesses from abroad that choose to do business in New Zealand, need to take steps to better manage and protect personal information.

Susan Bennett, Executive Director of Information Governance ANZ, points to the continuing significant changes being made in global privacy regulations since the European Union’s GDPR came into force two years ago, and the increasing focus that is being placed on the protection of personal information. “The New Zealand Privacy Act 2020 bookends a year of further changes in privacy regulations, commencing with the California Consumer Privacy Act (CCPA) coming into force, the release for comments of the draft Personal Data Protection Law of China, and the amendments made to South Korea’s Personal Information Protection Act and the Network Act. Australia is also undertaking a review of the Privacy Act 1988, and a second consultation on outcomes from the preliminary review is due to occur in early 2021.”

Ms Bennett goes on to explain that “these regulatory developments all highlight the need for organisations to implement good information governance. In particular, it requires organisations to focus on data minimisation – by collecting and storing personal data that is limited to what is necessary and relevant to fulfil your stated purpose – this means you do not hold more information than you need for your organisation’s stated purpose. The benefits of robust information governance and data minimisation include increasing customer trust and reducing information security threats and data breaches.”

Ultimately, good information governance means understanding the types of information you hold and the repositories in which it is kept, managing the disposal of personal information, planning for data breach incident response, and ensuring that roles and responsibilities for protecting and managing information are defined.

It pays to be prepared. Familiarising yourself with the basics of the new Act by taking some of the Commissioner’s free e-learning modules, and working with trusted advisors, will help ensure you remain compliant.

Written by:

John Porter | eDiscovery Consultant

Susan Bennett | Executive Director