The handling of personal information in New Zealand is governed by the Privacy Act, privacy codes and other legislation.
On 1 December 2020, the Privacy Act 2020 replaced the Privacy Act 1993. The reforms aim to encourage public and private sector agencies to identify risks and prevent incidents that could cause harm.
The major changes include:
The purpose of the Privacy Act is to promote and protect individuals’ privacy by establishing principles on the collection, use, and disclosure of personal information, and access by individuals to the personal information held about them. Personal information can relate to information about customers, clients, employees, and others.
The Act is enforced by the Privacy Commissioner, who has the power to investigate any action which appears to interfere with the privacy of an individual, either on a complaint made to the Commissioner or on the Commissioner’s own initiative.
The Government Chief Privacy Officer provides guidance to help government agencies understand and meet their responsibilities under the Act.
Additional guidance is available to help you plan for notifying collections when IPP 3A comes into effect on 1 June 2025.
At the core of the Privacy Act are 13 Information Privacy Principles that set out how agencies are to:
IPP 6 provides individuals with the right to access the personal information that an agency holds about them, unless 1 of the Privacy Act exceptions applies.
The Privacy Act provides that an agency must respond to a Privacy Act request within 20 working days after receiving the request, or transfer the request to another agency within 10 working days. On the Privacy Commissioner homepage there’s a response calculator to calculate the date a request is due.
All Privacy Act requests, regardless of how they’re made, trigger the same obligations under the Privacy Act.
The Privacy Act gives the Privacy Commissioner the power to issue codes of practice that become part of the law.
These codes may modify the operation of the Privacy Act for specific industries, agencies, activities or types of personal information.
Codes often modify 1 or more of the IPPs to take account of special circumstances which affect a class of agencies (for example, credit reporters) or a class of information (for example, health information).
The Privacy Commissioner has issued the following 6 codes of practice:
Agencies are often subject to additional legislation governing how they can handle personal information. For example, many agencies are required to retain personal information in accordance with the Public Records Act 2005.
Some legislation provides agencies with a legal basis to collect certain personal information (for example, IRD and Police) while other legislation restricts how agencies may use or disclose personal information.
Legislation specific to an agency, for example, the Tax Administration Act 1994 and the Customs and Excise Act 2018, may also mandate how an agency can collect, use and/or disclose personal information.