Submit Your Details

Take the first step, complete the form below and we will be in touch to talk about options for you.

All information will be kept confidential.

Privacy Act: 2020

2 Minute Read
Written by Paul Miller
17 November 2020

The new act that comes into effect on 1 December 2020 introduces a number of new privacy protections for individuals and greater obligations for businesses and organisations.  The new Act is to reflect technological changes in the way we do business since the original Act was introduced.

Summary of main changes below:

  • New name:  Privacy Act 2020
  • Effective:  1st December 2020
  • The new Act moves from 12 principles to 13 principles.
  • Businesses and organisations must take reasonable steps to protect unique identifiers from being misused.
  • New (additional) principle 12 is cross-border disclosures – A business in NZ may only disclose personal information that has been collected to an overseas agency if that agency has a similar level of protection to NZ, or the individual is fully informed and authorises the disclosure.
  • Extraterritorial effect – meaning an overseas business or organisation may be treated as carrying on business in NZ for the purposes of its privacy obligations – even if it does not have a physical presence in NZ.
  • Principle 1 – updated to clarify you can only collect information if it is necessary.
  • Principle 4 – new provisions relating to collecting information from children or young people.
  • Mandatory reporting of privacy breaches that have caused serious harm, or are likely to do so.  Reporting to the Office of the Privacy Commissioner and also to the person concerned.  Reporting can be done via the new online tool ‘NotifyUs’ which both assists a business to determine if the privacy breach is reportable and then also allows them to report the breach.
  • New criminal offences.
  • Privacy Commissioner can issue ‘Compliance notices’ to a business or organisation (relating to failure to meeting privacy obligations).
  • Privacy Commissioner can make ‘binding decisions on access requests’ – where an individual requests to access their personal information but is refused on unreasonable grounds.

More information can be found at the Privacy Commissioner’s website.

You may also be interested in…