Global Data Privacy Guide
New Zealand (Asia Pacific)
Firm: Simpson Grierson
Contributors: Karen Ngan, Jania Baigent
Updated 28 Aug 2025
| 1. What is the key legislation? | The key legislation is the Privacy Act 2020. The Privacy Act 2020 governs the collection, storage and security, accuracy, retention, use and disclosure of personal information. Privacy Codes apply to particular industries, sectors or types of personal information. |
| 2. What are the key decisions applying that legislation? | There have been relatively few decisions directly applying the Privacy Act (or its predecessor, the Privacy Act 1993), as the process for dealing with privacy complaints typically involves individuals making a complaint to the Privacy Commissioner, who will work with the relevant parties to reach a resolution. However, the Supreme Court has considered privacy-related issues in two notable cases, being R v Alsford [2016] NZSC 21 [15 March 2016] and Tamiefuna v R [2025] NZSC 40 [16 April 2025]. In R v Alsford, the Supreme Court clarified the law in relation to voluntary requests for personal information by law enforcement agencies. In that case, the police made requests to three electricity providers for power consumption data in an investigation of suspected cannabis cultivation. Under privacy principle 11(e)(i) of the Privacy Act 1993, the disclosure of personal information is permitted where necessary to avoid prejudice to the “maintenance of the law”. It was found that one of the three requests did not provide sufficient information to justify the resulting disclosure, and therefore breached principle 11(e)(i) of the Privacy Act 1993. However, the case affirmed that law enforcement agencies are allowed to seek personal information from service providers on a voluntary basis when making a lawfulness assessment, as long as they indicate why the police are requesting the information. In Tamiefuna v R, the Supreme Court held that a photo taken of Tamiefuna during an unlawful and unreasonable search was inadmissible as evidence in his trial for aggravated robbery. Tamiefuna was subject to a random stop and pulled over in his vehicle. His photo was taken and uploaded to the national intelligence database. The clothing in the photo of Tamiefuna matched the clothing in CCTV footage taken three days earlier after an aggravated robbery. This became a key piece of evidence in his trial, but it was found that the police did not comply with principles 1, 3 and 9 of the information privacy principles in the Privacy Act 1993. This is because the information was not collected for a lawful purpose, the person concerned was not informed about the collection and its legal basis, and the retention of this information was unlawful. Thus, in addition to a breach of his right to be free from unreasonable search and seizure under section 21 of the Bill of Rights Act, the evidence was inadmissible under s 30 of the Evidence Act 2006. Outside of the courts, the Human Rights Review Tribunal (HRRT) also plays a significant role in settling privacy disputes. The case of Hammond v Credit Union Baywide [2015] NZHRRT 6 is important as it has set the benchmark for awards of compensation in privacy breach cases. The HRRT awarded over $168,000 in damages to Ms Hammond following a serious breach of principle 11 of the Privacy Act 1993, which states that an agency that holds personal information shall not disclose the information to a person or body or agency. Ms Hammond's former employer unlawfully obtained and distributed a private Facebook photo she had posted as part of a deliberate campaign to harm her reputation and employment prospects. |
| 1. How are “personal data” and “sensitive data” defined? | The Privacy Act does not make specific reference to "sensitive data" and instead applies broadly to all "personal information". The Privacy Act defines personal information as information about an identifiable individual, and includes information relating to a death that is maintained by the Registrar-General pursuant to the Births, Deaths, Marriages and Relationships Registration Act 1995. While "sensitive data" is not expressly addressed, the sensitivity of data will be relevant to the steps/manner an agency would be expected to take in complying with its obligations under the Privacy Act. |
| 2. How is the defined data protected? | The Privacy Act protects personal information, being information about an identifiable living individual. |
| 3. Who is subject to privacy obligations? | The Privacy Act applies to: - New Zealand agencies: in relation to any action taken by the agency in respect of personal information collected or held by the agency. A New Zealand agency being public and private sector agencies and individuals ordinarily present in New Zealand, and a court or tribunal (except in relation to its judicial functions), with some limited exceptions; - Overseas agencies: in relation to any action taken in the course of carrying on business in New Zealand in respect of personal information held or collected by that agency. An overseas agency being an overseas person, body corporate, or unincorporated body that is not a New Zealand agency, the Government of an overseas country or an entity performing any public function on behalf of the overseas Government, or a news entity to the extent it is carrying on news activities; and - Individuals not ordinarily resident in New Zealand: in relation to any action taken in respect of personal information collected while present in New Zealand or held by that individual while present in New Zealand regardless of where the individual to whom the information relates is or was located. |
| 4. How is “data processing” defined? | The Privacy Act does not define "data processing". |
| 5. What are the principles applicable to personal data processing? | Generally, personal information must be collected from the individual concerned and must only be collected for a lawful purpose connected with a function or activity of the agency. The individual must be aware of certain matters before collection, if it is reasonably practicable to do so. |
| 6. How is the processing of personal data regulated? | Subject to specific exceptions, generally an agency may only use or disclose personal information for the purpose for which it was collected. |
| 7. How are storage, security and retention of personal data regulated? | Personal information must be protected from loss, unauthorised access, use, modification or disclosure, and other misuse with reasonable security safeguards. Agencies must not keep personal information for longer than is required for the purposes for which the information may lawfully be used. |
| 8. What are the data subjects' rights under the data legislation? | An individual is entitled to request access to any personal information about them held by an agency. Access should generally be given, subject to specific grounds for withholding access. An individual may also request correction of personal information. |
| 9. What are the consent requirements for data subjects? | Not applicable. |
| 10. How is authorization for use of data handled? | There are no specific provisions in the Privacy Act addressing how authorisation from an individual for the use or disclosure of their personal information is obtained, but we understand the Office of the Privacy Commissioner is likely to expect some affirmative action indicating authorisation. Under the Privacy Act, the Commissioner may authorise collection, use, storage, or disclosure of personal information otherwise in breach of IPP 2 or IPPs 9 to 12. An application must be made to the Commissioner, who may grant an authorisation if satisfied. |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | Yes. Agencies transferring personal information out of New Zealand must comply with IPP 12 which governs the disclosure of personal information outside New Zealand. The Privacy Commissioner can prohibit the transfer of personal information out of New Zealand in certain circumstances. There are also potential restrictions on the transfer of personal information outside of New Zealand when that information has been received in New Zealand from another jurisdiction and is to be transferred to a third jurisdiction which does not have comparable safeguards. |
| 12. How are data "incidents" and "breaches" defined? | Not applicable. |
| 13. Are there any notification requirements for incidents and/or data breaches? | An agency must notify the Privacy Commissioner, and any affected individual(s), as soon as practicable after becoming aware of a privacy breach that is a "notifiable privacy breach" (NPB). An NPB is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals, or is likely to do so. Although the Privacy Act does not specify a particular timeframe, the Office of the Privacy Commissioner (OPC) has issued guidance stating that it would expect to receive the notification no later than 72 hours after an agency becomes aware of an NPB. |
| 14. Who is/are the privacy regulator(s)? | The Privacy Act 2020 establishes the office of the Privacy Commissioner. The functions of the Privacy Commissioner range from promoting privacy to investigating complaints of interference with privacy. |
| 15. What are the consequences of a data breach? | A failure to comply with the Information Privacy Principles may be an actionable interference with privacy if harm is caused to the individual. The Privacy Commissioner has the power to investigate claims of an interference with privacy, issue compliance notices and make certain directions. Complaints may also be referred to the Human Rights Review Tribunal which has jurisdiction to order a range of remedies, including awarding damages of up to NZ $350,000. The Privacy Act also creates offences for failing to comply with certain requirements (such as breach notification obligations). |
| 16. How is electronic marketing regulated? | Electronic marketing is regulated by general consumer protection legislation. Unsolicited commercial electronic messages are prohibited under the Unsolicited Electronic Messages Act 2007. |
| 17. Are there sector-specific or industry-specific privacy requirements? | New Zealand data protection law generally covers all sectors and organisations; however, certain agencies are excluded from application of the Act, including members of Parliament, courts and tribunals in relation to their judicial functions, and the news media in relation to the collection and reporting of news and current affairs. The Privacy Commissioner can also issue codes of practice that modify the operation of the Privacy Act and set rules for specific industries, organisations, or types of personal information. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | Section 201 of the Privacy Act provides that it shall be the responsibility of each agency to appoint one or more individuals (within or outside the agency) whose responsibilities include encouraging the agency to comply with the IPPs of Privacy Act, working with the Privacy Commissioner in relation to investigations, dealing with privacy requests made to the agency, and otherwise, ensuring compliance by the agency with the Privacy Act. |
| 19. What are the record-keeping and documentation obligations? | The Privacy Act does not expressly require agencies holding or processing personal information to maintain specific internal records relating to the personal information they hold. However, personal information held by an agency must not be kept for longer than is required for the purposes for which the information may lawfully be used. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | It is not mandatory to undertake a Data Protection Impact Assessment ("DPIA") in New Zealand, but considered best practice to do so when undertaking a project that may have significant privacy implications. The Privacy Commissioner has published a Privacy Impact Assessment Toolkit that provides some guidance to assist agencies in determining whether a DPIA is appropriate. See: https://www.privacy.org.nz/responsibilities/privacy-impact-assessments/ |
| 21. What are the requirements for third-party vendor management and data sharing? | The Privacy Act provides that, where personal information is held by an agency ("A") on behalf of another agency ("B"), the personal information will be treated under the Privacy Act as being held by B. In such a case, the transfer of the information by B to A will not constitute disclosure by B and, similarly, the transfer of the information by A to B will not constitute disclosure by A. This applies whether or not the third party is located overseas. Note however that if A also uses or discloses the personal information for its own purposes, it will be treated as being held by both A and B. If it is necessary for the personal information to be processed by a third-party service provider, the agency must do everything reasonably within its power to prevent unauthorised use or unauthorised disclosure of the personal information by that service provider. Under the Privacy Act there is a general restriction against disclosure for any purpose that is not one of the purposes in connection with which the information was obtained. |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | The Privacy Commissioner has the power to undertake investigations if they have received a complaint from an individual(s) or if they consider there has been an interference with privacy. If the Privacy Commissioner cannot settle the matter between the parties and determines there is substance to the complaint, the Privacy Commissioner can refer the matter to the Human Rights Review Tribunal (HRRT). If the Privacy Commissioner determines there is no substance to the matter, individuals may still file proceedings with the HRRT on their own account. The HRRT has jurisdiction to award damages of up to NZD 350,000. The Privacy Commissioner also has the power to issue compliance notices to agencies if the Privacy Commissioner believes there is a breach of the Privacy Act or a breach of an IPP. If an agency does not comply with the compliance notice, the Privacy Commissioner may take enforcement proceedings to the Tribunal, in which the agency may be liable to a fine of up to NZD 10,000. The Privacy Commissioner has a policy under which agencies found to have breached the Privacy Act may be named publicly (often referred to as the "name and shame policy"). This power will be exercised where the Privacy Commissioner believes it is in the public interest to identify the agency. Section 212 of the Privacy Act contains a number of criminal offences subject to a fine of up to NZD 10,000. |
| 23. What are the ongoing compliance and audit requirements? | Agencies are expected to comply with the Privacy Act at all times. As stated previously, it is a requirement for an agency to appoint a privacy officer to ensure ongoing compliance with the Privacy Act. As above, while not mandatory, privacy impact assessments are encouraged by the Privacy Commissioner as a way for organisations to assess and address privacy risks when they’re collecting, using, or sharing personal information. |
| 24. Are there any recent developments or expected reforms? | Yes, in September 2023, the New Zealand Government introduced the Privacy Amendment Bill 292-1 (2023) (the Bill), which will amend the Privacy Act. The Bill is intended to establish a new IPP 3A, which requires agencies that collect personal information about individuals indirectly to make those individuals aware of such collection and provide them with relevant information. Although the Bill has not yet passed, Parliament has indicated that IPP 3A will come into force on 1 May 2026. The Privacy Commissioner also released on 6 August 2025 a new Biometric Processing Privacy Code 2025 (Code). The Code, issued under the Privacy Act, introduces 13 rules that modify or replace the corresponding 13 Information Privacy Principles from the Privacy Act. The Code will apply to all organisations (including businesses, government agencies and NGOs) that collect biometric information for processing by an automated biometric system. The Code will come into force on 3 November 2025, but agencies already undertaking biometric processing activities will have until 3 August 2026 to comply with the new rules. |