The Privacy Act 2020 is New Zealand's primary privacy legislation that governs how organizations and individuals collect, use, disclose, store, and give access to personal information. This Act replaced the previous Privacy Act 1993 and came into effect on December 1, 2020, modernizing New Zealand's privacy law framework to address contemporary digital privacy challenges.
The Act introduces stronger protections for personal information and gives the Privacy Commissioner enhanced powers to protect New Zealand citizens' privacy rights. It places particular emphasis on data breach notification, cross-border data flows, and strengthening the enforcement regime for privacy violations.
Key innovations include mandatory privacy breach notification, new controls on overseas data transfers, and enhanced enforcement powers including compliance orders and penalties for serious breaches.
Information Privacy Principles (IPPs):
Mandatory Breach Notification:
Organizations must notify the Privacy Commissioner and affected individuals about privacy breaches that pose a risk of serious harm
Cross-Border Data Restrictions:
Privacy Impact Assessments:
Required for new projects involving personal informationDocumentation of privacy risks and mitigation measuresSecurity Measures:
Implementation of reasonable security safeguardsAccess controls and authentication mechanismsEncryption requirements for sensitive dataEnforcement Tools:
NZD 10,000 for serious breachesOversight:
If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page