Privacy Act 2020

The Privacy Act 2020 came into effect on 1 December 2020

It is the first significant update to the Privacy Act since 1993 and contains a number of changes that need to be complied with by all organisations that do business in New Zealand.

The changes


Updates introduced by the Privacy Act 2020 include:

  • 1. Mandatory reporting of privacy breaches: All organisations that do business in New Zealand will be required to inform the Privacy Commissioner and affected individuals when a privacy breach causes harm or poses a risk of harm to people. Not notifying the Commissioner will be an offence.
  • 2. Collection limitation and safeguards for children: To discourage the collection of personal information by default without considering whether it is necessary to do so, organisations in New Zealand may not require personal information unless it is necessary for the lawful purpose for which the information is collected. Organisations must also have regard to an individual’s age and vulnerability when deciding how to collect information.
  • 3. More explicit provisions for transferring information overseas: There is a new IPP 12 that relates only to information being disclosed overseas. Organisations would only be able to disclose personal information to an overseas person or agency if:
    1. the individual concerned authorised the disclosure
    2. the overseas person was in a prescribed country or binding scheme, or
    3. the organisation believed on reasonable grounds that the overseas person was required to protect the information in a way that, overall, provides comparable safeguards to those in the bill.
  • 4. Compliance notices and more offences: The Privacy Commissioner can issue a compliance notice to make an organisation do something, or stop doing something, to comply with privacy law. Compliance notices may be enforced by the Human Rights Review Tribunal. The bill creates new criminal offences with conviction and a fine up to $10,000 for:
    1. misleading an organisation to obtain access to someone else’s personal information
    2. destroying a document containing personal information, knowing that a request has been made for it.
  • 5. More explicit provisions for agent accountability: Organisations would remain accountable for information held by another agency as its agent. This includes cloud providers and information sent overseas for storage or processing on behalf of the organisation.


Privacy Act 2020These changes introduced through the Privacy Act 2020 will have a significant impact on privacy compliance obligations. If you would like help to ensure you are ready to meet your obligations under the Privacy Act, please contact us at

Want to know more about how we can help?