Skip to main content

Privacy Act 2020


Firstly, why do we even need a Privacy Act? The reason for this Act is to protect us, the public, and our personal information. This includes information relating to a registered death under Births, Deaths, Marriages and Relationships Registration legislation. Technology is rapidly advancing, and we need to stay ahead of the changes with new legislation in order to stay protected and provide us with some anonymities!

Updates to the old legislation come into effect on the 1st of December 2020, key changes include:

· Consistency with international legislation

The new Act is now in line with that of its overseas counterparts (the EU’s GDPR, California’s CCPA). The Act has introduced a new privacy principle which sets out that if any information is sent overseas, agencies must ensure that the entity receiving that data has privacy regulations and safeguards comparable to that of New Zealand’s.

· Overseas Agencies Must Comply

Any agency carrying on business within New Zealand or that involves the public of New Zealand is subject to the Act – even if they do not have a physical address here. This will involve larger companies to such as Google & Facebook.

· Privacy Commissioner Powers

The Office of the Privacy Commissioner now has more functions and power. Previously this office was used mainly for privacy complaints; however, starting 1st Dec 2020, they can now issue Compliance notices, Access direction orders, or fines for lack of compliance with the act.

· Data Breach Reporting

Agencies are now required to report themselves as soon as practicable to not only the Office of the Privacy Commissioner but also the affected individual if they have a data breach and it is reasonable to believe that the breach is likely to or has already caused serious harm to affected individuals. There are some limited exceptions as to when the affected individual must be notified.

· New Offences

It is now a criminal offence for an agency to access someone else’s personal information without authorisation. This includes impersonating someone in order to access their personal information. It is also a criminal offence for an agency to destroy personal information when an individual has requested access to it. These fines can be up to NZ$10,000.

Other important information to note:

· Every agency in New Zealand must appoint a privacy officer.
· Gender neutral terminology is now used throughout the act.
· News media, MPs, and courts and tribunals have their own exceptions to the act.
· Subject to certain exceptions, every individual has the right to view and change the personal data that is held by any entity.

n.b. an “agency” as referred to in this article, is any business or organisation operating in New Zealand.

For more information on the act head to the privacy act website

Leave a Reply