New Zealand has implemented a much-needed update to its main privacy law, the New Zealand Privacy Act. In effect from December 2020, the amendments bring New Zealand law a little closer to the strict standards of the EU General Data Protection Regulation (GDPR).

Key changes include a broad application that encompasses non-New Zealand businesses, privacy breach notification requirements, and a prohibition on certain transfers of personal information overseas.

This article will outline New Zealand's existing privacy principles, and take a close look at some of the new obligations.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.


  2. Answer some questions about your website or app.


  3. Answer some questions about your business.


  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."


    You'll be able to instantly access and download your new Privacy Policy.



Privacy Principles

Before we look at what's new in the 2020 act, we're going to look briefly at the "information privacy principles," most of which were introduced under the New Zealand Privacy Act 1993.

Note that the Act refers to the people and organizations to which it applies as "agencies." Agencies have responsibility for any personal information (which the Act defines as "information about an identifiable individual") they collect, hold or control.

The Act sets out 13 information privacy principles. One of these principles (number 12) is a new entry under the 2020 act.

  1. Purpose for collection: Only collect personal information if it is necessary to do so for a lawful purpose.
  2. Source of information: Where possible, collect personal information directly from the individual it is about.
  3. What to tell an individual: When you collect personal information, you must tell the individual:

    1. Why you are collecting it
    2. Who will receive it
    3. Whether they have a choice about whether to give it to you
    4. What will happen if they refuse
  4. Manner of collection: Only collect personal information in a lawful, fair, and unintrusive way.
  5. Storage and security: Implement reasonable safeguards to protect personal information.
  6. Access: Provide an individual with access to their personal information unless it would:

    1. Endanger someone's safety
    2. Create a significant likelihood of serious harassment
    3. Prejudice a criminal investigation
    4. Breach someone else's privacy
  7. Correction: Correct an individual's inaccurate personal information on request.
  8. Accuracy: Make sure personal information is accurate, complete, relevant, up-to-date, and not misleading.
  9. Retention: Only keep personal information for as long as you need it.
  10. Use: Only use personal information for the purposes for which you collect it, or in ways that are directly related to the original purpose, unless you have the individual's permission.
  11. Disclosure: Only disclose personal information to a third party if:

    1. You collected the personal information in order to disclose it
    2. You have the individual's authorization
    3. You have anonymized the personal information
    4. Failing to disclose the personal information would endanger someone's health
    5. Failing to disclose the personal information would prejudice the maintenance of the law
  12. Disclosure outside New Zealand: This is a new principle, which we'll look at below.
  13. Unique identifiers: Only assign a unique identifier to an individual if you need to for operational functions. Don't use the same unique identifier as another agency.

Complying with all these principles is essential whenever collecting, storing, or otherwise using New Zealand residents' personal information.

A good way to comply with information privacy principle 3 (what to tell the individual) is to create a Privacy Policy that includes all the necessary information about how and why you process personal information. You can present your Privacy Policy whenever you collect personal information from an individual.

Changes to the New Zealand Privacy Act

Now let's look at the most significant changes to the New Zealand Privacy Act.

Application to Foreign Organizations

The New Zealand Privacy Act is now one of many privacy laws that applies both to domestic and foreign agencies.

An agency based outside of New Zealand must comply with the Act if it is "carrying on business in New Zealand in respect of personal information" the agency holds or collects, regardless of:

  • Where the agency:

    • Collected the personal information
    • Holds the personal information
  • Where the individual (whose personal information the agency collected or holds) is located
  • Whether the agency:

    • Is a commercial operation
    • Has a place of business in New Zealand
    • Receives any payment for its goods or services
    • Intends to make a profit

The Act clearly attempts to apply as broadly as possible: any organization doing business in New Zealand must comply with it.

Privacy Breach Notification

The Act makes some changes to the rules on when agencies must notify people about "privacy breaches."

What is a "Privacy Breach?"

"Privacy breach" means personal information has been subject to unauthorized or accidental:

  • Access
  • Disclosure
  • Alteration
  • Loss
  • Destruction

"Privacy breach" also covers any action that leaves an agency permanently or temporarily unable to access personal information. A privacy breach can be caused by a person internal or external to the agency, and can be either ongoing or completed.

When Must You Provide a Privacy Breach Notification?

An agency must provide a privacy breach notification if it is reasonable to believe that the breach has caused serious harm to one or more affected individuals, or is likely to do so.

Here's section 113 of the Act, which outlines how to assess whether a privacy breach is notifiable:

Parliamentary Counsel Office: New Zealand Legislation - Privacy Act 2020 Section 113: Assessment of likelihood of serious harm being caused by privacy breach

When assessing whether the privacy breach is likely to cause serious harm, you can consider the following factors:

  • What you've done to reduce the risk of harm following the breach
  • Whether the personal information is sensitive
  • What type of harm the individuals might experience
  • Who has obtained or might obtain the personal information
  • Whether the personal information is protected by a security measure
  • Any other relevant matters

How to Notify the OPC

If you suffer a notifiable privacy breach, you must notify the New Zealand Office of the Privacy Commissioner (OPC) "as soon as practicable" after you become aware of the breach. You can use the OPC's "NotifyUs" page for this.

Your privacy breach notice must contain:

  • A description of the breach, including:

    • How many individuals are affected
    • Who has accessed the personal information
  • The steps you're taking in response to the breach, including whether you're contacting the affected individuals
  • Details of any public notice you're planning to provide
  • If you're planning not to notify the affected individuals, or you're planning to delay notification, your reasons for this
  • The names of any other agencies you've notified, or are planning to notify, and your reasons for doing so
  • Contact details of someone within your organization who can take inquiries about the breach

How to Notify Affected Individuals

Here's section 115 of the Act, which concerns the notification of individuals affected by a privacy breach:

Parliamentary Counsel Office: New Zealand Legislation - Privacy Act 2020 Section 115: Agency to notify affected individual or give public notice of notifiable privacy breach

You must notify the affected individuals as soon as practicable after you become aware of the breach, unless:

  • It is not "reasonably practicable" to notify the individual, in which case you must give public notice. The OPC suggests that you can do this "through website information, posted notices, or the media." Do not identify any affected individual in your public notice.
  • The individual is under 16 and you believe that notifying them would not be in their best interests.
  • The individual's healthcare provider has advised you that notifying the individual would be harmful to their health.

If either of the latter two points applies, you should consider whether you can notify the individual's representative, if they have one.

Your notice to individuals must contain:

  • A description of the breach, including whether you have identified the person responsible (do not name them unless doing so would prevent a serious threat to life)
  • The steps you're taking in response to the breach
  • What steps the individual can take to mitigate the effects of the breach
  • Confirmation that you have notified the OPC about the breach
  • An explanation of the individual's right to make a complaint to the OPC
  • Contact details of someone within your organization who can take inquiries about the breach

Transferring Personal Information Overseas

The Act introduces new rules about transferring personal information out of New Zealand. This is a new "information privacy principle."

Here's information privacy principle 12, as it appears in the Act:

Parliamentary Counsel Office: New Zealand Legislation - Privacy Act 2020 Information privacy principle 12: Disclosure of personal information outside New Zealand

You cannot transfer personal information collected in New Zealand to a third party outside of New Zealand unless the recipient is covered by "comparable safeguards" to those imposed by the Act. There are other exceptions which we'll cover below.

"Comparable safeguards" include the principles set out in Schedule 8 of the Act:

  • Collection limitation: Only collect personal information if it is lawful and fair to do so
  • Data quality: Personal information should be accurate, adequate, and up to date
  • Purpose specification: Specify your purposes for collecting personal information at the time of collection and don't use it for any incompatible further purposes
  • Use limitation: Don't use personal information for unspecified reasons unless you have consent or legal authorization
  • Security safeguards: Protect personal information against privacy breaches
  • Openness: Be transparent about your practices and policies
  • Individual participation: Individuals have the right to receive confirmation that an agency holds their personal information
  • Accountability: Agencies are accountable under these principles

The OPC hasn't yet provided a list of countries with "comparable safeguards." However, you may wish to consider the EU's list of countries in receipt of an "adequacy decision." The EU deems these countries to have laws that are "essentially equivalent" to the GDPR.

If you need to transfer personal information to an agency in a country that doesn't have "comparable safeguards," you may do so only if one or more of the following applies:

  • You have the authorization of the individual and you have expressly informed them that the country to which you are sending their information does not have comparable safeguards
  • You reasonably believe that the recipient is subject to the New Zealand Privacy Act
  • The recipient is subject to a "prescribed binding scheme" (the OPC will approve prescribed binding schemes in the future)

Enforcement Powers

The OPC can issue "compliance notices" to agencies failing to comply with the Privacy Act. This notice will require you to do something or stop doing something. It will provide steps you must take to meet your obligations and a deadline by which you must act.

The Act also introduces "access orders." The OPC can force you to provide an individual with access to their personal information.

An agency can face a fine of up to $10,000 NZD (approx. $7,200 USD) if it:

  • Fails to comply with a compliance notice
  • Fails to comply with an access order
  • Makes a prohibited cross-border transfer of personal information
  • Fails to properly notify the OPC of a notifiable privacy breach

New Zealand Privacy Act 2020 vs. the GDPR

We mentioned that the New Zealand Privacy Act brings Kiwi law a little closer to EU standards. However, the GDPR imposes more extensive obligations on businesses.

Here's a roundup of some of the key differences between the two laws.

Application

  GDPR:
    • Data controllers
    • Data processors (who process on behalf of controllers)
    • Includes public and private entities
    • Includes individuals
    • Applies to controllers and processors based outside of the EU

  New Zealand Privacy Act:
    • Agencies
    • Includes public and private entities
    • Includes individuals
    • Applies to agencies based outside of New Zealand

Principles

  GDPR:
    1. Lawfulness, fairness, and transparency
    2. Purpose limitation
    3. Data minimization
    4. Accuracy
    5. Storage limitation
    6. Security
    7. Accountability

  New Zealand Privacy Act:
    1. Purpose for collection
    2. Source of information
    3. What to tell an individual
    4. Manner of collection
    5. Storage and security
    6. Access
    7. Correction
    8. Accuracy
    9. Retention
    10. Use
    11. Disclosure
    12. Disclosure outside New Zealand
    13. Unique identifiers

Rights

  GDPR:
    • Right of access
    • Right to erase
    • Right to rectification
    • Right to object
    • Right to restrict processing
    • Right to data portability
    • Rights regarding automated decision-making

  New Zealand Privacy Act:
    • Right of access
    • Right to correct

Data breach requirements

  GDPR:
    • Controllers must report a data breach to their Data Protection Authority if it is likely to result in a risk to individuals' rights and freedoms
    • Controllers must report a data breach to the individuals affected if it is likely to result in a serious risk to individuals' rights and freedoms
    • Breaches must be reported within 72 hours

  New Zealand Privacy Act:
    • Agencies must report a breach to the OPC and to the individuals if it is reasonable to believe it will cause serious harm

International transfers

  GDPR: Transfers of personal data to non-EEA countries are prohibited unless:
    • The recipient is located in a country covered by an "adequacy decision"
    • The transfer is covered by an agreement containing standard contractual clauses and any necessary safeguards
    • The transfer is within a corporate group operating under binding corporate rules
    • Exceptionally, where one of the GDPR's Article 49 derogations applies

  New Zealand Privacy Act: Transfers of personal information to agencies outside of New Zealand are prohibited unless:
    • The recipient is in a country with a law that provides comparable safeguards to those imposed by the New Zealand Privacy Act
    • The sender has the authorization of the individual and has expressly informed them that the recipient country does not have comparable safeguards
    • The sender reasonably believes that the recipient is subject to the New Zealand Privacy Act
    • The recipient is subject to a "prescribed binding scheme"

Penalties

  GDPR: Two levels of penalties:
    • Up to 2 percent of annual global turnover or €10 million
    • Up to 4 percent of annual global turnover or €20 million

  New Zealand Privacy Act: Up to $10,000 NZD (approx. $7,200 USD)

Summary

The New Zealand Privacy Act 2020 impacts on any business operating in New Zealand that processes personal information.

Key updates to the law include:

  • Any agency that is "carrying on business" in New Zealand is now covered by the law
  • Agencies must report privacy breaches:

    • "As soon as is practicable"
    • Whenever it is "reasonable to believe" that the breach might cause a "risk of serious harm"
    • To the New Zealand Office of the Privacy Commissioner (OPC)
    • To the affected individuals
  • Agencies must not transfer personal information to third parties based overseas unless:

    • The recipient country is covered by "comparable safeguards"
    • The recipient is covered by the New Zealand Privacy Act
    • The sender has the individual's authorization and has informed them of the risks
    • The recipient is covered by a "prescribed binding scheme"
  • The OPC may issue fines of up to $10,000 NZD ($7,200 USD) for non-compliance with certain provisions in the Act.