What SMBs need to know about the New Zealand Privacy Act

The New Zealand Privacy Act 2020, which came into effect on December 1, 2020, is legislation designed to protect the privacy of individuals and regulate the handling of personal information. This law replaced the Privacy Act 1993, introducing several new provisions and enhancing individuals' control over their personal information. Keep reading to unravel the intricacies of this pivotal piece of legislation and align your business practices with the evolving norms of data privacy.

Why was the Privacy Act created?

According to the New Zealand Ministry of Justice, the Privacy Act 2020 serves two principal purposes:

  1. Providing a framework for protecting an individual’s right to privacy of personal information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken into account; and
  2. Giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights. 


Who does the Privacy Act apply to?

As you work through the New Zealand Privacy Act 2020, pay particular attention to which industries and geographical locations it applies to.

  • Industries and sectors

    According to New Zealand Legislation, the Privacy Act applies to any person, organisation, or business (referred to in the legislation as an "agency"), whether it’s in the public sector or private sector, that collects and holds personal information about other people. This includes government departments and agencies, companies, social clubs, charities, societies, community groups and other types of organisations.

  • Geographical scope

    The New Zealand Privacy Act 2020 holds extensive geographical implications, encompassing not only New Zealand-based agencies but also international entities and individuals interacting with personal information within the country:
    • A New Zealand-based agency that collects or holds personal information.
    • An overseas agency carrying on business in New Zealand that collects or holds personal information.
    • A person who doesn’t live in New Zealand but is involved with collecting personal information while they are in New Zealand or holding personal information while they are in New Zealand.

How does the Privacy Act affect the collection and use of personal data?

According to the New Zealand Privacy Commissioner, under the Privacy Act businesses must follow a set of rules when collecting, holding, using and disclosing personal information.

1. Collecting personal information

  • Only collect the information you need

    The Act requires that you only collect personal information that is necessary for a lawful purpose. Before you collect personal information, think about what information you need to achieve your purpose. You may find you don't need to collect as much as you originally thought, or that you don't need to collect any at all.

  • Collect information directly from the person

    Generally, you should collect information directly from the person it’s about. By doing this, the person will know what information you've got and what you're doing with it.

  • Tell people what you’re doing

    If you're collecting personal information from someone, you need to let them know what you're doing. The best way to do this is usually with a clear privacy statement.

  • Create a privacy statement

    Being open with people about what you're doing with their information means you won't take them by surprise, and they're less likely to object. Think about how and when it would be best to tell them. The New Zealand Privacy Commissioner provides a handy tool to help you compose your privacy statement.

  • Collect information fairly and lawfully

    Make sure you collect personal information in a way that is lawful, fair, and not unreasonably intrusive.

2. Holding personal information

  • Store personal information securely

    Make sure that you take reasonable steps to store and use personal information securely. Security includes taking steps to prevent unauthorised or inappropriate access by staff. Have clear policies and guidelines in place that set out acceptable staff behaviour. Depending on the sensitivity of the information, it may be necessary to set up systems that limit or keep track of who accesses it.

  • Give people access to their personal information

    People have a right to access the personal information you hold about them. If someone asks for access to their personal information, you must respond within 20 working days of receiving the request. Your response should include a decision about whether you will be providing the requested information.

  • Let people correct their personal information

    People can ask you to correct their personal information if they think it’s wrong. If you don’t think you need to correct the information, you must still record that the person asked you to correct the information, and note exactly what they thought was wrong. Attach that record to the person's file so that everything is together. Knowing what the person thinks will help anyone else who looks at the record to make better decisions.

3. Using and disclosing personal information 

  • Make sure personal information is accurate

    Before you use personal information, check that it's accurate, up to date, complete, relevant and not misleading. Incorrect information isn't any use to you, and it could lead you to make wrong decisions about the person involved.

  • Don't keep personal information for longer than you need

    The Privacy Act doesn't specify how long you can keep personal information, only that agencies shouldn't keep information for longer than they need it. Your agency can set its own policies. Holding more information can be expensive, and it also creates a greater risk of a privacy breach.

  • Disposing of personal information

    Dispose of personal information securely so that no one can retrieve it.

  • Use information for the purpose you got it

    Only use personal information for the purpose for which you collected it. Do not use personal information without permission.

  • Only disclose personal information if you have a good reason

    Be careful about disclosing personal information to people, both inside and outside your agency. You can only do this in some situations, such as when:
    • another law requires you to disclose it,
    • it's one of the purposes for which you got the information,
    • it's necessary to uphold or enforce the law,
    • it's necessary for court proceedings,
    • you disclose it in a form that doesn't identify the person it's about,
    • it is subject to the Privacy Act because they do business in New Zealand.

  • Sending personal information overseas

    A business or organisation may only disclose personal information to another organisation outside New Zealand if the receiving organisation:
    • is subject to privacy laws that provide comparable safeguards to the Privacy Act,
    • agrees to adequately protect the information, or
    • is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.

  • Unique identifiers

    A business or organisation may only use a unique identifier (such as a driver's licence number) where it is necessary. It must take reasonable steps to protect unique identifiers from misuse.

What are the penalties for not keeping up with the Privacy Act?

Section 212 sets out the penalties for failing to comply with the Act. A fine of up to $10,000 applies if a person:

  • without reasonable excuse, obstructs, hinders, or resists the Commissioner or any other person in the exercise of their powers under this Act
  • without reasonable excuse, refuses or fails to comply with any lawful requirement of the Commissioner or any other person under this Act
  • makes any statement or gives any information to the Commissioner or any other person exercising powers under this Act, knowing that the statement or information is false or misleading
  • represents directly or indirectly that they hold any authority under this Act when they do not hold that authority
  • misleads an agency by impersonating an individual, or falsely pretending to be an individual or to be acting under the authority of an individual, for the purpose of:
    • obtaining access to that individual's personal information, or
    • having that individual's personal information used, altered, or destroyed
  • destroys any document containing personal information, knowing that a request has been made in respect of that information under subpart 1 of Part 4.

5 steps to ensure compliance with the Privacy Act

Ensuring compliance with the New Zealand Privacy Act 2020 requires systematic and meticulous effort. Here's a step-by-step guide to help your business align with the Act's requirements.

  • Step 1: Conduct a comprehensive privacy impact assessment

    Identify all the personal information your organisation collects, processes, and stores. Evaluate the privacy risks associated with handling such information. Develop strategies to mitigate identified risks, ensuring the lawful and secure processing of personal information.

  • Step 2: Develop and implement privacy policies and procedures

    Draft clear, concise, and comprehensive privacy policies outlining how personal information will be handled. Implement procedures ensuring compliance with the policies and the Act. Communicate policies and procedures to all employees and relevant stakeholders.

  • Step 3: Train and educate employees

    Educate employees on the provisions of the Act and the importance of data privacy. Train them on adhering to internal privacy policies and procedures. Regularly update training programs to address evolving privacy risks and legal requirements.

  • Step 4: Secure personal information

    Implement robust security measures, including encryption and firewalls, to protect personal information from unauthorised access, disclosure, alteration, and destruction. Conduct regular security audits and vulnerability assessments to identify and address potential security risks. Develop a comprehensive data breach response plan to efficiently address any security incidents.

  • Step 5: Monitor compliance and address non-compliance

    Regularly review policies, procedures, and practices to ensure ongoing compliance with the Act. Address any identified areas of non-compliance immediately, implementing corrective actions to mitigate risks. Keep abreast of any amendments to the Act and adjust policies and practices accordingly to maintain compliance.

Why you should train your end users on the Privacy Act

Training end users on the New Zealand Privacy Act is not merely a compliance requirement but a strategic necessity. Our security awareness training (SAT) platform, uLearn, equips end users with the knowledge and awareness to protect personal information diligently and act responsibly, thereby contributing to the overall security of the organisation.

  • Identify security blind spots

    Using a short gap analysis questionnaire, we identify each user's weakest areas of security and gather the results into their unique risk profile. This allows you to identify your staff's individual security weaknesses, automating the remedy and addressing any gaps in how they handle personal information.

  • Enhance employees' security awareness

    uLearn helps measure, boost, and monitor users' security awareness. Our cybersecurity training courses are designed with up-to-date knowledge to ensure that employees are informed about the latest threats and protective measures.

  • Cost-effective solution

    Being 100% cloud-based, with installation-free and simple configuration, uLearn is easy to deploy, allowing organisations to quickly implement robust cybersecurity training aligned with the Act with no upfront cost for hardware or infrastructure.

  • Return on investment (ROI)

    Organisations can significantly reduce the likelihood of falling victim to cyberattacks, thereby avoiding substantial financial losses and preventing legal penalties and fines.

Empower your workforce today and comply with the New Zealand Privacy Act

Don't hesitate to integrate security awareness training into your business practices. Investing in security awareness training is a highly effective way to bolster your employees' awareness of the Privacy Act.

If you'd like to discover more about the Privacy Act, we highly recommend trying out our premium service free for 14 days. Alternatively, take a look at our blog to learn how usecure can help you navigate regulations and standards around the world.