Global Data Privacy Guide

New Zealand

(Asia Pacific) Firm Simpson Grierson

Contributors Karen Ngan
Jania Baigent

Updated 01 Mar 2022

What is the key legislation?

The key legislation is the Privacy Act 2020. The Privacy Act 2020 governs the collection, storage and security, accuracy, retention, use and disclosure of personal information. Privacy Codes apply to particular industries, sectors or contexts.

What data is protected?

The Privacy Act protects personal information, being information about an identifiable individual.

Who is subject to privacy obligations?

The Privacy Act applies to:

  • New Zealand agencies: in relation to any action taken by the agency in respect of personal information collected or held by the agency. New Zealand agencies are public and private sector agencies and individuals ordinarily present in New Zealand, and a court or tribunal (except in relation to its judicial functions), with some limited exceptions;
  • Overseas agencies: in relation to any action taken in the course of carrying on business in New Zealand in respect of personal information held or collected by that agency. An overseas agency is an overseas person, body corporate, or unincorporated body that is not a New Zealand agency, the Government of an overseas country or an entity performing any public function on behalf of the overseas Government, or a news entity to the extent it is carrying on news activities;
  • Individuals not ordinarily resident in New Zealand: in relation to any action taken in respect of personal information collected while present in New Zealand or held by that individual while present in New Zealand, regardless of where the individual to whom the information relates is or was located.

What are the principles applicable to personal data processing?

Generally, personal information must be collected from the individual concerned and must only be collected for a lawful purpose connected with a function or activity of the agency. The individual must be aware of certain matters before collection, if it is reasonably practicable.

How is the processing of personal data regulated?

Subject to specific exceptions, an agency may only use or disclose personal information for the purpose for which it was collected.

How are storage, security and retention of personal data regulated?

Personal information must be protected from loss, unauthorized access, use, modification or disclosure, and other misuse with reasonable security safeguards. Agencies must not keep personal information for longer than is required for the purposes for which the information may lawfully be used.

What are the data subjects' rights?

An individual is entitled to have access to any personal information about them held by an agency, subject to specific grounds for withholding access. An individual may request correction of personal information.

Are there restrictions on cross-border data transfers?

Agencies transferring personal information out of New Zealand must comply with IPP 12 which governs the disclosure of personal information outside New Zealand. The Privacy Commissioner can prohibit the transfer of personal information out of New Zealand in certain circumstances.

Are there any notification requirements for data breaches?

An agency must notify the Privacy Commissioner, and any affected individual(s), as soon as practicable after becoming aware of a privacy breach that is likely to cause serious harm to the affected individual (or individuals).

Who is the privacy regulator?

The Privacy Act 2020 establishes the office of the Privacy Commissioner. The functions of the Privacy Commissioner range from promoting privacy to investigating complaints of interference with privacy.

What are the consequences of a privacy breach?

A failure to comply with the Information Privacy Principles may be an actionable interference with privacy if harm is caused to the individual. The Privacy Commissioner has the power to investigate interferences with privacy, issue compliance notices and make directions. Complaints may also be referred to the Human Rights Review Tribunal, which has jurisdiction to order a range of remedies, including awarding damages of up to NZ $350,000. The Privacy Act also creates offenses for failing to comply with certain requirements.

How is electronic marketing regulated?

Electronic marketing is regulated by general consumer protection legislation. Unsolicited commercial electronic messages are prohibited under the Unsolicited Electronic Messages Act 2007.

Are there any recent developments or expected reforms?

Yes, the Privacy Act 2020 came into force on December 1, 2020. 