The Privacy Act 2020 came into effect on 1 December 2020, replacing the Privacy Act 1993 in New Zealand. This updated legislation introduced several key changes that agencies (public or private) must comply with.
So what will this new legislation mean for New Zealand agencies? (And by agency I mean “any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector.”)
While the principle-based approach of the previous Act remains, several significant updates have changed how agencies must manage personal information. Let’s break down the key changes:
Mandatory Privacy Breach Notifications
Agencies are now required to report privacy breaches that may cause serious harm. For example, if you lose a USB stick containing your customers’ personal details, you must notify both the affected individuals and the Privacy Commissioner.
To determine whether a breach causes “serious harm,” you should consider factors such as:
- The sensitivity of the information
- How many people now have access to it
- The security of the information (e.g. whether the USB stick was encrypted)
A decision-making tool is available on the Privacy Commissioner’s website to help you assess whether a breach qualifies as serious harm.
Compliance Notices
The Privacy Commissioner now has the authority to issue compliance notices without waiting for complaints. This means the Commissioner can proactively check if your agency is complying with the Act. If non-compliance is found, a notice will be issued, and failure to comply can result in a NZ$10,000 fine.
New Criminal Offences
The Privacy Act 2020 introduces two new criminal offences:
- Impersonating someone to obtain personal information (which wasn’t already a criminal offence)
- Destroying information after being asked to provide it to an individual
Both offences are punishable by fines of up to NZ$10,000.
Extraterritoriality
If your agency shares personal information with overseas service providers, you’ll need to ensure they offer comparable privacy protections to New Zealand-based agencies. For example, if you’re a tourism provider in New Zealand sending personal data to a company in Papua New Guinea, you must ensure the data is secure.
You will need to include specific clauses in your contracts to ensure these protections, and the Privacy Commissioner will provide downloadable contract clauses to assist with this.
However, this doesn’t apply to cases where data is processed on your behalf (e.g. using services like MailChimp or Shopify for data storage). Even in these cases, you have a responsibility to do your due diligence to ensure the services you’re using have adequate security measures in place.
Additionally, New Zealand’s privacy laws now apply to overseas agencies doing business in New Zealand.
Key Steps for Maintaining Compliance with the Privacy Act 2020
- Ensure you have a Privacy Officer. This is a requirement under the NZ Privacy Act 2020, though it’s often overlooked.
- Have an up-to-date Privacy Statement. While this is a current requirement, many businesses in New Zealand still don’t have an adequate statement in place. If you don’t have one, you can use the free Priv-o-matic Privacy Statement Generator.
- Need help or have specific questions? Head to the Privacy Commissioner’s website and use the AskUs tool, a comprehensive knowledge database to answer your queries.
- Brush up on your privacy knowledge. The eLearning site of the Office of the Privacy Commissioner offers a wealth of online training to help you stay informed and compliant with privacy regulations.
Final Thoughts
The Privacy Act 2020 has been in effect since 1 December 2020, bringing key changes that agencies must now comply with. Stay updated on the new obligations, especially regarding breach notifications, compliance, criminal offences, and overseas data sharing.
Disclaimer: This article is not intended as legal advice. For specific legal guidance regarding compliance with the Privacy Act 2020, please consult with a legal professional.