SecurityPolicy.com.au
Home/ New Zealand/ Law and Obligations/ Privacy Act 2020 compliance for New Zealand businesses
New Zealand Law and Obligations Law Reviewed 2026-07-13

New Zealand Privacy Act 2020: A Practical Guide for Businesses

1 Dec 2020
Privacy Act 2020 commencement date
13
Information Privacy Principles, including IPP 3A in force from 1 May 2026
20 working days
Usual deadline to decide access and correction requests
$10,000
Maximum fine for specified offences, including unjustified failure to notify OPC of a notifiable breach
Why this guide exists

High-demand foundation guide: it answers the recurring privacy-law questions that apply across New Zealand organisations of every size, before sector-specific codes or use cases are considered.

What is the Privacy Act 2020 and who does it cover?

The Privacy Act 2020 is New Zealand's main law for handling personal information. It came into force on 1 December 2020 and applies broadly across the public, private and not-for-profit sectors. The Act calls covered people and organisations "agencies". Almost every New Zealand business is an agency, whether it is a sole trader, corner dairy, professional practice, charity or large company. There is no turnover-based small-business exemption. The Act can also apply to an overseas agency carrying on business in New Zealand. Limited exclusions and modifications exist, including for personal or domestic affairs in most circumstances, news activities, parliamentary and judicial functions, and sector codes. OPC is the independent privacy regulator; the Ministry of Justice is the department formally responsible for administering the legislation. Every New Zealand business or organisation must appoint a privacy officer, although that person may hold another role or be external.

How this differs by situation
  • New Zealand businesses and organisations — Covered regardless of turnover, headcount or sophistication.
  • Overseas agencies — May be covered when carrying on business in New Zealand, including through online activity.
  • Limited exclusions and codes — Check statutory exclusions and any applicable privacy code before assuming the general IPPs apply unchanged.
PUT THIS IN YOUR POLICY, EXACTLY

This policy applies to all personal information handled by our business, regardless of format, location, system, customer type or business size. We will comply with the Privacy Act 2020 and any applicable privacy code, and we will maintain an appointed Privacy Officer responsible for coordinating compliance, requests, complaints and breach response.

The 13 Information Privacy Principles — what do they require in plain terms?

The 13 Information Privacy Principles, or IPPs, are a life-cycle rulebook for personal information. In plain terms: IPP 1 says collect only information needed for a lawful purpose; IPP 2 says collect it from the person where reasonably possible; IPP 3 says explain direct collection; IPP 3A, in force from 1 May 2026, generally requires notice after indirect collection unless an exception applies; IPP 4 requires fair, lawful and not unreasonably intrusive collection; IPP 5 requires reasonable security; IPP 6 gives people access; IPP 7 lets them seek correction; IPP 8 requires reasonable accuracy checks before use or disclosure; IPP 9 limits retention; IPP 10 limits new uses; IPP 11 limits disclosure; IPP 12 governs overseas disclosure; and IPP 13 controls unique identifiers. Although IPP 3A is inserted between principles 3 and 4, OPC continues to describe the framework as a set of 13 IPPs. Codes of practice can modify how principles operate for particular information or sectors.

How this differs by situation
  • Collect — IPPs 1, 2, 3, 3A and 4 control purpose, source, notice and manner of collection.
  • Hold and maintain — IPPs 5, 8 and 9 cover security, accuracy and retention.
  • Give rights and control use — IPPs 6, 7, 10, 11, 12 and 13 cover access, correction, use, disclosure, overseas transfers and identifiers.
PUT THIS IN YOUR POLICY, EXACTLY

We will manage personal information through its full life cycle: collect only what is necessary and lawful; provide required notices for direct and indirect collection; collect fairly; protect it; support access and correction; check accuracy; retain it only as long as necessary; restrict use and disclosure; assess overseas disclosures; and control the creation and use of unique identifiers.

Collection, use and disclosure limits (IPPs 1–4, 10 and 11)

Start with purpose, not data. IPP 1 permits collection only for a lawful function or activity and only where the information is necessary for that purpose. IPP 2 generally favours collecting from the individual, while IPPs 3 and 3A require transparency for direct and indirect collection. IPP 4 controls how collection occurs: it must not be unlawful, unfair or unreasonably intrusive. Once information is held, IPP 10 generally prevents using it for a different purpose and IPP 11 generally prevents disclosure, unless the original purpose, authorisation or another listed exception applies. Consent is useful but is not the only legal pathway, and a broad privacy statement does not cure unnecessary or unfair collection. For marketing, data enrichment, staff monitoring and AI projects, document the purpose, necessity, notice, source and permitted downstream uses before collection begins.

How this differs by situation
  • Purpose and necessity — Write down the lawful business purpose and why each field is needed before collecting it.
  • Transparency and fairness — Give the required notice and avoid deceptive, coercive or unreasonably intrusive collection.
  • Secondary use and disclosure — Check the original purpose and a specific IPP 10 or 11 ground before reusing or sharing information.
PUT THIS IN YOUR POLICY, EXACTLY

Before collecting personal information, we will define a lawful purpose, confirm that each item is necessary, identify whether collection is direct or indirect, and give any notice required by IPP 3 or IPP 3A. We will collect information fairly and will not use or disclose it for a different purpose unless the Privacy Act 2020 permits that use or disclosure.

IPP 12 — disclosing personal information overseas, including to cloud and AI providers

IPP 12 applies when an agency discloses personal information to a foreign person or entity. The agency must have reasonable grounds for a permitted pathway, such as the recipient being subject to the New Zealand Act, being covered by comparable privacy safeguards, agreeing to comparable safeguards through contract, or receiving the individual's informed authorisation after the person is expressly told that comparable safeguards may not apply. A transfer to a provider that only stores or processes information as the agency's agent may be treated under section 11 as information still held by the New Zealand agency rather than as an IPP 12 disclosure. That distinction does not remove responsibility: IPP 5 and section 11 mean the agency remains accountable for security and the provider's authorised use. Cloud and AI terms should therefore identify hosting and support locations, subprocessors, security controls, deletion and return, incident notice, access assistance, and whether customer data can be used for model training, product improvement or the provider's own purposes. If the provider has independent rights to use or disclose the information, assess IPPs 11 and 12 rather than relying on the processor label.

How this differs by situation
  • Overseas recipient — Confirm which IPP 12 pathway supports disclosure and retain evidence of the assessment.
  • Cloud or AI processor acting only as agent — Section 11 may mean no legal disclosure, but the New Zealand agency remains accountable.
  • Independent provider use — Training, analytics, onward disclosure or other provider purposes can change the analysis and require IPP 11 and 12 review.
PUT THIS IN YOUR POLICY, EXACTLY

We will identify every country and provider involved before sending personal information offshore. We will record whether the recipient acts only on our behalf under section 11 or receives a disclosure governed by IPP 12. Before any overseas disclosure, we will establish a permitted IPP 12 basis and appropriate contractual safeguards. Providers must not use our personal information for their own purposes, including AI model training, unless that use has been separately assessed, authorised and communicated as required by law.

Access and correction rights (IPPs 6 and 7) and response timeframes

People can ask an agency whether it holds personal information about them and request access to it under IPP 6. The agency must make and communicate its decision as soon as reasonably practicable and no later than 20 working days after receiving the request, subject to lawful transfer or extension rules. The information can sometimes follow the decision, but it must be supplied without undue delay. Identity should be checked proportionately before release. IPP 7 lets a person ask for correction. The agency must decide the correction request within 20 working days; if it declines to correct, the person can ask for a statement of correction to be attached so it accompanies future use or disclosure. Access may be withheld only on statutory grounds, and reasons and complaint rights generally need to be explained. New Zealand does not have a broad, automatic right to erasure: deletion questions are usually addressed through correction, retention, purpose and other applicable obligations.

How this differs by situation
  • Requester — May seek confirmation, access and correction of personal information about themselves.
  • Agency — Must log, verify, search, decide and communicate within the statutory timeframe.
  • Refusal, extension or transfer — Use only statutory grounds, keep reasons, and provide required notices and review rights.
PUT THIS IN YOUR POLICY, EXACTLY

We will promptly log every access or correction request, verify identity only to the extent reasonably necessary, and assign an owner. We will make and communicate our decision as soon as reasonably practicable and within 20 working days unless a lawful extension or transfer applies. We will provide approved information without undue delay, record any withholding ground, and attach a requested statement of correction when a correction is declined.

Security of personal information (IPP 5) — what "reasonable safeguards" means in practice

IPP 5 is risk-based rather than a single technical checklist. An agency must use security safeguards that are reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse. Reasonableness depends on factors such as sensitivity, volume, foreseeable harm, system exposure, available controls and the practical consequences of failure. For an SME, a defensible baseline usually includes an information inventory, least-privilege access, multi-factor authentication, secure password management, timely patching, supported software, encryption where appropriate, tested backups, logging, staff training, secure disposal, incident procedures and supplier controls. A certificate or vendor assurance can support due diligence but does not replace checking the actual scope, configuration and operating controls. Where a service provider holds information, the agency must do what is reasonably within its power to prevent unauthorised use or disclosure.

How this differs by situation
  • Governance safeguards — Assign ownership, classify information, train staff, control retention and test incident procedures.
  • Technical safeguards — Use MFA, patching, least privilege, secure configuration, backups and monitoring proportionate to risk.
  • Service providers — Assess scope and controls, contract for protection, and monitor material changes and incidents.
PUT THIS IN YOUR POLICY, EXACTLY

We will apply security safeguards proportionate to the sensitivity, volume, use and foreseeable harm of the personal information we hold. At minimum, we will control access by role, use multi-factor authentication for sensitive and administrative systems, patch supported systems promptly, maintain recoverable backups, protect devices and data in transit and at rest where appropriate, log material activity, train personnel, dispose of information securely, and assess providers before and during use.

Enforcement — Privacy Commissioner powers: complaints, compliance notices, access directions, the Human Rights Review Tribunal and penalties

OPC can receive and investigate complaints, seek settlement and assurances, conduct inquiries, require information, issue compliance notices for breaches of statutory obligations, and issue binding access directions after investigating an access complaint. Compliance notices can require an agency to stop conduct or take remedial action; access directions can require release of personal information. Appeals and enforcement can go to the Human Rights Review Tribunal. The Tribunal can make declarations, restraining orders, orders requiring remedial action and awards of damages for pecuniary loss, lost benefit, expenses, humiliation, loss of dignity or injury to feelings. New Zealand does not currently have Australia's large tiered civil-penalty model. Instead, specified criminal offences carry fines generally capped at $10,000, while privacy claims can separately result in Tribunal remedies and damages. Examples include failing without reasonable excuse to notify OPC of a notifiable breach, failing to comply with a Tribunal access order, or failing to comply with a Tribunal order enforcing a compliance notice.

How this differs by situation
  • Office of the Privacy Commissioner — Investigates, resolves, directs access, issues compliance notices and can publish regulatory outcomes in appropriate cases.
  • Human Rights Review Tribunal — Hears proceedings and appeals, enforces notices or directions, and can award remedies and damages.
  • Criminal offences versus civil remedies — Do not confuse specified $10,000 offence fines with Tribunal damages for an interference with privacy.
PUT THIS IN YOUR POLICY, EXACTLY

We will cooperate promptly and truthfully with the Office of the Privacy Commissioner, preserve relevant evidence, meet statutory information requests, and comply with any access direction, compliance notice or Tribunal order unless lawfully appealed. Regulatory correspondence must be escalated immediately to the Privacy Officer and senior management, with legal advice obtained where appropriate.

How the Privacy Act interacts with the notifiable privacy breach scheme

The notifiable privacy breach scheme is part of the Privacy Act 2020. A privacy breach includes accidental or unauthorised access, disclosure, loss, alteration, destruction or an action that prevents access, such as ransomware. The agency must assess whether the breach has caused, or is likely to cause, serious harm to affected individuals. If it meets that threshold, the agency must notify OPC and affected individuals as soon as practicable after becoming aware, subject to limited statutory exceptions for individual notification. OPC interprets prompt reporting as ideally within 72 hours, but the Act's legal wording is "as soon as practicable", not a fixed 72-hour deadline. Use NotifyUs even if the investigation is incomplete and update the notification as facts develop. Failing without reasonable excuse to notify OPC is an offence carrying a maximum $10,000 fine. Cyber incidents can also be reported through the National Cyber Security Centre (NCSC), part of the GCSB, using its current reporting platform for support and national visibility; this is separate from, and does not replace, the Privacy Act notification. The CERT NZ brand and website were retired when integration into NCSC was completed in July 2025.

How this differs by situation
  • Contain and assess — Secure systems, preserve evidence, identify affected information and assess serious harm without waiting for perfect certainty.
  • Notify — Notify OPC through NotifyUs and affected people as soon as practicable when the serious-harm threshold is met.
  • NCSC — Use the NCSC cyber-incident pathway for technical support or reporting; it does not replace OPC notification.
PUT THIS IN YOUR POLICY, EXACTLY

We will immediately contain and document any suspected privacy breach and assess whether it has caused, or is likely to cause, serious harm. If the breach is notifiable, we will notify the Privacy Commissioner through NotifyUs and notify affected individuals as soon as practicable. We will aim to notify OPC within 72 hours of awareness, without delaying solely because the investigation is incomplete, and will provide updates as facts develop. Cyber incidents may also be reported to NCSC; that report does not replace our Privacy Act notifications.

Common compliance gaps for New Zealand SMEs

The most common practical risk is not the absence of a long legal document; it is the absence of repeatable ownership and records. Typical SME gaps include no appointed or active privacy officer, no inventory of personal information and vendors, collecting fields "just in case", privacy notices that do not match actual systems, missing IPP 3A notices for indirectly sourced data, excessive staff access, weak MFA or patching, indefinite retention, unreviewed cloud and AI terms, no access-request log, and no tested breach plan. A workable minimum is a named privacy officer, a simple data-and-vendor register, purpose and retention rules, current notices, basic cyber controls, a request workflow, an overseas-disclosure assessment, annual staff training and a breach decision record. Government frameworks such as the NZISM and Protective Security Requirements can be useful reference points, but they are not automatically mandatory for every private SME. Sector codes and contractual or regulatory obligations may impose additional requirements.

How this differs by situation
  • Owner-managed and micro businesses — Keep the system small: one accountable privacy officer, one register and a few tested workflows.
  • Growing SMEs — Add vendor review, role-based access, retention automation, training evidence and incident exercises.
  • Sector and customer overlays — Check privacy codes, professional duties, customer contracts and regulated-sector requirements.
PUT THIS IN YOUR POLICY, EXACTLY

Our minimum privacy control set is: an appointed Privacy Officer; a current register of personal information, purposes, systems, vendors and overseas locations; accurate collection notices; documented retention and deletion rules; role-based access and multi-factor authentication; a 20-working-day request workflow; provider and IPP 12 review; annual staff training; and a tested privacy-breach procedure. We will review this control set at least annually and after material system, provider or legal changes.

What's my next step?

Common misconceptions

  • “Small businesses are exempt.” False: New Zealand has no turnover-based small-business exemption; almost all businesses are agencies under the Act. VERIFIED
  • “The Australian Privacy Act and APPs apply in New Zealand.” False: New Zealand businesses must start with the Privacy Act 2020 and New Zealand IPPs, while separately checking any overseas laws that apply. VERIFIED
  • “Every notifiable breach has a fixed statutory 72-hour deadline.” False: the Act says as soon as practicable; 72 hours is OPC's stated reporting expectation or guidance. VERIFIED
  • “Only malicious hacking is a privacy breach.” False: accidental disclosure, loss, unauthorised access, destruction and loss of availability can also be privacy breaches. VERIFIED
  • “Consent is required for every collection, use or disclosure.” False: the IPPs use lawful purpose, necessity, transparency and listed exceptions; authorisation is one pathway, not the only one. VERIFIED
  • “Using an overseas cloud service is always an IPP 12 disclosure.” Not necessarily: a provider acting solely as an agent for storage or processing may fall under section 11, although the New Zealand agency remains responsible. VERIFIED
  • “Publishing a privacy policy proves compliance.” False: compliance depends on actual collection, security, access, correction, retention, use, disclosure and breach practices matching the law and the notice. INFERRED
  • “Anyone can demand immediate deletion of all their data.” False: the Act provides access and correction rights and limits unnecessary retention, but not a broad automatic right to erasure. VERIFIED
  • “OPC can impose Australian-style multimillion-dollar civil penalties.” False: New Zealand currently relies on regulatory directions, notices, Tribunal remedies and specified offences generally capped at $10,000. VERIFIED
  • “NZISM and the Protective Security Requirements are automatically mandatory for every private SME.” False: they are government security frameworks, although an SME may adopt them voluntarily or be required to follow parts through a contract or regulated role. VERIFIED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Appoint a privacy officer Office of the Privacy Commissioner Operating a New Zealand business or organisation covered as an agency Ongoing; appoint and keep the role current
Collect only necessary personal information for a lawful purpose and give required notices Office of the Privacy Commissioner Direct or indirect collection of personal information At or before direct collection where practicable; for indirect collection, take reasonable steps within the timing required by IPP 3A, unless an exception applies A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages
Protect personal information with reasonable safeguards Office of the Privacy Commissioner Holding personal information directly or through a service provider Continuous, with review after material changes and incidents A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages
Respond to personal-information access requests Office of the Privacy Commissioner Receipt of a valid request from an individual for their personal information Decide and respond as soon as reasonably practicable and no later than 20 working days, subject to lawful extension or transfer; provide approved information without undue delay OPC may issue an access direction; failure without reasonable excuse to comply with a resulting Tribunal access order can attract a fine up to $10,000
Respond to correction requests Office of the Privacy Commissioner Receipt of a request to correct personal information Decide as soon as reasonably practicable and within 20 working days, subject to lawful extension or transfer A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages
Limit retention, use and disclosure Office of the Privacy Commissioner Retaining, reusing or sharing personal information Before each materially new use or disclosure and throughout the retention period A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages
Assess overseas disclosures under IPP 12 Office of the Privacy Commissioner Proposed disclosure of personal information to a foreign person or entity Before disclosure and when recipient terms, locations, subprocessors or purposes materially change A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages
Notify a serious-harm privacy breach Office of the Privacy Commissioner A privacy breach that has caused, or is likely to cause, serious harm Notify OPC and affected individuals as soon as practicable; OPC says notification should ideally occur within 72 hours and can be updated Failure without reasonable excuse to notify OPC is an offence punishable by a fine up to $10,000
Comply with access directions, compliance notices and Tribunal orders Office of the Privacy Commissioner and Human Rights Review Tribunal Receipt of a binding direction, notice or order By the stated date or as soon as practicable, subject to lawful appeal rights Failure without reasonable excuse to comply with specified Tribunal orders can attract a fine up to $10,000

Sources

  1. Privacy Act 2020 — latest version primary
  2. Office of the Privacy Commissioner — We are regulators primary
  3. Privacy Act 2020 and the Information Privacy Principles primary
  4. Principle 3A — collection from another source primary
  5. IPP 3A notification requirements for indirect collection primary
  6. Principle 5 — storage and security primary
  7. Principle 12 — disclosure outside New Zealand primary
  8. What are your privacy rights? primary
  9. Complying with the Privacy Act primary
  10. Ask for your information primary
  11. Responding to requests and complaints well primary
  12. Sending information overseas primary
  13. Working with third-party providers primary
  14. What security safeguards are reasonable? primary
  15. Make it stronger by using two-factor authentication primary
  16. OPC privacy regulatory toolkit primary
  17. Access directions primary
  18. Privacy Act 2020 turns five — changes are needed primary
  19. Privacy breaches primary
  20. NotifyUs privacy-breach reporting primary
  21. NCSC and CERT NZ integration now complete primary
  22. NCSC incident reporting for businesses and individuals primary
  23. NCSC critical controls to protect your organisation primary
  24. New Zealand Protective Security Requirements — information security primary
  25. Reddit discussion: company posted private customer details forum
  26. Reddit discussion: unsolicited marketing and property data forum
  27. Reddit discussion: overseas AI processing of inspection images forum
  28. Reddit discussion: security claims and ISO 27001 scope forum
  29. Reddit discussion: experience reporting to the Privacy Commissioner forum
  30. Reddit discussion: notifying people affected by a data breach forum
  31. Reddit discussion: small-company awareness of legal obligations forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.