The key legislation is the Privacy Act 2020. The Privacy Act 2020 governs the collection, storage and security, accuracy, retention, use and disclosure of personal information. Privacy Codes apply to particular industries, sectors or contexts.

The Privacy Act protects personal information, being information about an identifiable individual.

The Privacy Act applies to:

• New Zealand agencies: in relation to any action taken by the agency in respect of personal information collected or held by the agency. A New Zealand agency being public and private sector agencies and individuals ordinarily present in New Zealand, and a court or tribunal (except in relation to its judicial functions), with some limited exceptions, 
• Overseas agencies: in relation to any action taken in the course of carrying on business in New Zealand in respect of personal information held or collected by that agency. An overseas agency being an overseas person, body corporate, or unincorporated body that is not a New Zealand agency, the Government of an overseas country or an entity performing any public function on behalf of the overseas Government, or a news entity to the extent it is carrying on news activities; 
• Individuals not ordinarily resident in New Zealand: in relation to any action taken in respect of personal information collected while present in New Zealand or held by that individual while present in New Zealand regardless of where the individual to whom the information relates is or was located.

Generally, personal information must be collected from the individual concerned and must only be collected for a lawful purpose connected with a function or activity of the agency. The individual must be aware of certain matters before collection, if it is reasonably practicable.

Subject to specific exceptions, an agency may only use or disclose personal information for the purpose for which it was collected.

Personal information must be protected from loss, unauthorized access, use, modification or disclosure, and other misuse with reasonable security safeguards. Agencies must not keep personal information for longer than is required for the purposes for which the information may lawfully be used.

An individual is entitled to have access to any personal information about them held by an agency, subject to specific grounds for withholding access. An individual may request correction of personal information.

Agencies transferring personal information out of New Zealand must comply with IPP 12 which governs the disclosure of personal information outside New Zealand. The Privacy Commissioner can prohibit the transfer of personal information out of New Zealand in certain circumstances.

An agency must notify the Privacy Commissioner, and any affected individual(s), as soon as practicable after becoming aware of a privacy breach that is likely to cause serious harm to the affected individual (or individuals).

The Privacy Act 2020 establishes the office of the Privacy Commissioner. The functions of the Privacy Commissioner range from promoting privacy to investigating complaints of interference with privacy.

A failure to comply with the Information Privacy Principles may be an actionable interference with privacy if harm is caused to the individual. The Privacy Commissioner has the power to investigate interferences with privacy issue compliance notices and make directions. Complaints may also be referred to the Human Rights Review Tribunal which has jurisdiction to order a range of remedies, including awarding damages of up to NZ $350,000. The Privacy Act also creates offenses for failing to comply with certain requirements. 

Electronic marketing is regulated by general consumer protection legislation. Unsolicited commercial electronic messages are prohibited under the Unsolicited Electronic Messages Act 2007.

Yes, the Privacy Act 2020 came into force on December 1, 2020.