
The Privacy Act regulates how businesses, governments and organisations (together, agencies) handle personal information. The Privacy Act 2020 replaced the Privacy Act 1993 on the 1st of December 2020. There are some key differences between the two Acts, which include:

  • the introduction of a new Information Privacy Principle that sets out how you can disclose personal information outside of New Zealand;
  • a new privacy breach notification scheme; and
  • the inclusion of some overseas agencies within the scope of the Privacy Act.

This article will highlight the key features of the new Act and some of the significant changes from the 1993 Act.

The Information Privacy Principles

The New Zealand Information Privacy Principles (IPPs) are a set of 12 guiding principles that govern how you should use, collect and disclose personal information.

For example, IPP 3 outlines what you should tell an individual before you collect their personal information. This includes the reason why you are collecting it. Additionally, IPP 6 provides individuals with rights to access and correct their personal information.

The Privacy Act 2020 also introduces a new Information Privacy Principle, which has been inserted as the new IPP 12. This makes the former IPP 12 (Unique Identifiers) the new IPP 13.

IPP 12 – Transfers of Personal Information Outside of New Zealand

The new IPP 12 regulates how you can send personal information outside of New Zealand. As an agency, you may only disclose personal information to an entity outside of New Zealand in certain circumstances. These include where you reasonably believe that the foreign person or entity:

  1. is subject to the New Zealand Privacy Act;
  2. is subject to laws that provide comparable safeguards to the New Zealand Privacy Act;
  3. agrees to protect the information in a way that is comparable with the New Zealand Privacy Act (such as by agreement in a contract); or
  4. is subject to the laws of a country or is a participant in a binding scheme that the New Zealand government has designated as having comparable safeguards to the New Zealand Privacy Act. 

If you do not satisfy any of these requirements, you need to inform the individual that their personal information may not be adequately protected. The individual must then consent to the overseas disclosure.

Will the New IPP 12 Affect Your Business?

The new IPP 12 requirements represent a significant departure from the current privacy landscape in New Zealand, and they will impact many businesses. For example, if your business transfers personal information to international teams, service providers or developers outside of New Zealand, you may be affected.

To date, the New Zealand Government has not whitelisted any countries for having an acceptable privacy regime. However, the European GDPR (data protection law) is one of the strictest privacy regimes worldwide, so it may fall within the requirements.

An Exception to the IPP 12 Requirements

There is one important exception to the requirements in IPP 12. This exception affects agencies that transfer personal information to an overseas recipient, for the recipient to:

  • hold; or 
  • process on behalf of the sender. 

In this case, the transfer will not constitute a disclosure, unless:

  • the overseas recipient uses the personal information for its own purposes; or 
  • discloses the information.

Therefore, the agency does not have to comply with the steps outlined above. In addition, this exception will allow agencies to rely on overseas cloud storage providers, for example, if they do not have data centres within New Zealand. 

Businesses Outside of New Zealand

If your business is located outside of New Zealand but you are ‘carrying on a business’ within New Zealand, you will still need to comply with the Privacy Act 2020. While it is not clear what ‘carrying on a business’ means, the Act does specify that organisations still need to comply, even if:

  • they are located outside of New Zealand; or 
  • do not make a profit based on their activities within New Zealand.

Privacy Breach Notification Scheme

The Privacy Act 2020 introduces a privacy breach notification scheme. This scheme specifies what to do if you suffer a privacy breach. For instance, if you believe the breach has caused (or is likely to cause) serious harm, then you need to notify the individuals affected and the Office of the Privacy Commissioner as soon as possible. A breach could include:

  • an intentional hack; 
  • an employee losing a company laptop; or
  • an accidental failure to bcc when sending an email to all clients.

However, not all privacy breaches will attract an obligation to notify. If you think you have experienced a privacy breach, it is essential to obtain immediate legal advice. For example, your privacy lawyer can help you assess if you need to notify the breach or take any steps to mitigate its impact.

Key Takeaways

The Privacy Act 2020 replaced the Privacy Act 1993 on the 1st December 2020. It includes:

  • a privacy breach notification scheme;
  • greater restrictions on agencies when disclosing personal information overseas; and 
  • application to agencies located outside of New Zealand.

LegalVision’s New Zealand privacy lawyers can assist you in developing privacy documentation and assessing the impact of a privacy breach. Call 0800 005 570 or complete the form on this page.

When does the Privacy Act 2020 come into effect?

The Privacy Act 2020 started on the 1st December 2020. It replaces the Privacy Act 1993, with some key differences including the introduction of a new Information Privacy Principle and a new privacy breach notification scheme.

What are the Information Privacy Principles (IPPs)?

New Zealand’s Information Privacy Principles (IPPs) are a set of 12 guiding principles that govern how personal information should be collected, used and disclosed. The IPPs cover many issues, such as an individual’s rights of access to personal information held about them, and set out the types of matters that an individual should be notified about before they provide their personal information to an agency.

What does the new Information Privacy Principle 12 regulate?

New Information Privacy Principle 12 regulates how personal information can be sent outside of New Zealand. There are four conditions provided and one of them must be satisfied for an agency to be able to disclose personal information to an entity outside of New Zealand.

What is the privacy breach notification scheme?

The Privacy Act 2020 introduces a privacy breach notification scheme. It requires an agency that suffers a privacy breach that it believes has caused or is likely to cause serious harm to notify both the individuals impacted by the privacy breach and the Office of the Privacy Commissioner as soon as possible. Not all privacy breaches will attract an obligation to notify.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
