High-demand foundation guide: it answers the recurring privacy-law questions that apply across New Zealand organisations of every size, before sector-specific codes or use cases are considered.
What is the Privacy Act 2020 and who does it cover?
The Privacy Act 2020 is New Zealand's main law for handling personal information. It came into force on 1 December 2020 and applies broadly across the public, private and not-for-profit sectors. The Act calls covered people and organisations "agencies". Almost every New Zealand business is an agency, whether it is a sole trader, corner dairy, professional practice, charity or large company. There is no turnover-based small-business exemption. The Act can also apply to an overseas agency carrying on business in New Zealand. Limited exclusions and modifications exist, including for personal or domestic affairs in most circumstances, news activities, parliamentary and judicial functions, and sector codes. OPC is the independent privacy regulator; the Ministry of Justice is the department formally responsible for administering the legislation. Every New Zealand business or organisation must appoint a privacy officer, although that person may hold another role or be external.
- New Zealand businesses and organisations — Covered regardless of turnover, headcount or sophistication.
- Overseas agencies — May be covered when carrying on business in New Zealand, including through online activity.
- Limited exclusions and codes — Check statutory exclusions and any applicable privacy code before assuming the general IPPs apply unchanged.
This policy applies to all personal information handled by our business, regardless of format, location, system, customer type or business size. We will comply with the Privacy Act 2020 and any applicable privacy code, and we will maintain an appointed Privacy Officer responsible for coordinating compliance, requests, complaints and breach response.
The 13 Information Privacy Principles — what do they require in plain terms?
The 13 Information Privacy Principles, or IPPs, are a life-cycle rulebook for personal information. In plain terms: IPP 1 says collect only information needed for a lawful purpose; IPP 2 says collect it from the person where reasonably possible; IPP 3 says explain direct collection; IPP 3A, in force from 1 May 2026, generally requires notice after indirect collection unless an exception applies; IPP 4 requires fair, lawful and not unreasonably intrusive collection; IPP 5 requires reasonable security; IPP 6 gives people access; IPP 7 lets them seek correction; IPP 8 requires reasonable accuracy checks before use or disclosure; IPP 9 limits retention; IPP 10 limits new uses; IPP 11 limits disclosure; IPP 12 governs overseas disclosure; and IPP 13 controls unique identifiers. Although IPP 3A is inserted between principles 3 and 4, OPC continues to describe the framework as a set of 13 IPPs. Codes of practice can modify how principles operate for particular information or sectors.
- Collect — IPPs 1, 2, 3, 3A and 4 control purpose, source, notice and manner of collection.
- Hold and maintain — IPPs 5, 8 and 9 cover security, accuracy and retention.
- Give rights and control use — IPPs 6, 7, 10, 11, 12 and 13 cover access, correction, use, disclosure, overseas transfers and identifiers.
We will manage personal information through its full life cycle: collect only what is necessary and lawful; provide required notices for direct and indirect collection; collect fairly; protect it; support access and correction; check accuracy; retain it only as long as necessary; restrict use and disclosure; assess overseas disclosures; and control the creation and use of unique identifiers.
Collection, use and disclosure limits (IPPs 1–4, 10 and 11)
Start with purpose, not data. IPP 1 permits collection only for a lawful function or activity and only where the information is necessary for that purpose. IPP 2 generally favours collecting from the individual, while IPPs 3 and 3A require transparency for direct and indirect collection. IPP 4 controls how collection occurs: it must not be unlawful, unfair or unreasonably intrusive. Once information is held, IPP 10 generally prevents using it for a different purpose and IPP 11 generally prevents disclosure, unless the original purpose, authorisation or another listed exception applies. Consent is useful but is not the only legal pathway, and a broad privacy statement does not cure unnecessary or unfair collection. For marketing, data enrichment, staff monitoring and AI projects, document the purpose, necessity, notice, source and permitted downstream uses before collection begins.
- Purpose and necessity — Write down the lawful business purpose and why each field is needed before collecting it.
- Transparency and fairness — Give the required notice and avoid deceptive, coercive or unreasonably intrusive collection.
- Secondary use and disclosure — Check the original purpose and a specific IPP 10 or 11 ground before reusing or sharing information.
Before collecting personal information, we will define a lawful purpose, confirm that each item is necessary, identify whether collection is direct or indirect, and give any notice required by IPP 3 or IPP 3A. We will collect information fairly and will not use or disclose it for a different purpose unless the Privacy Act 2020 permits that use or disclosure.
IPP 12 — disclosing personal information overseas, including to cloud and AI providers
IPP 12 applies when an agency discloses personal information to a foreign person or entity. The agency must have reasonable grounds for a permitted pathway, such as the recipient being subject to the New Zealand Act, being covered by comparable privacy safeguards, agreeing to comparable safeguards through contract, or receiving the individual's informed authorisation after the person is expressly told that comparable safeguards may not apply. A transfer to a provider that only stores or processes information as the agency's agent may be treated under section 11 as information still held by the New Zealand agency rather than as an IPP 12 disclosure. That distinction does not remove responsibility: IPP 5 and section 11 mean the agency remains accountable for security and the provider's authorised use. Cloud and AI terms should therefore identify hosting and support locations, subprocessors, security controls, deletion and return, incident notice, access assistance, and whether customer data can be used for model training, product improvement or the provider's own purposes. If the provider has independent rights to use or disclose the information, assess IPPs 11 and 12 rather than relying on the processor label.
- Overseas recipient — Confirm which IPP 12 pathway supports disclosure and retain evidence of the assessment.
- Cloud or AI processor acting only as agent — Section 11 may mean no legal disclosure, but the New Zealand agency remains accountable.
- Independent provider use — Training, analytics, onward disclosure or other provider purposes can change the analysis and require IPP 11 and 12 review.
We will identify every country and provider involved before sending personal information offshore. We will record whether the recipient acts only on our behalf under section 11 or receives a disclosure governed by IPP 12. Before any overseas disclosure, we will establish a permitted IPP 12 basis and appropriate contractual safeguards. Providers must not use our personal information for their own purposes, including AI model training, unless that use has been separately assessed, authorised and communicated as required by law.
Access and correction rights (IPPs 6 and 7) and response timeframes
People can ask an agency whether it holds personal information about them and request access to it under IPP 6. The agency must make and communicate its decision as soon as reasonably practicable and no later than 20 working days after receiving the request, subject to lawful transfer or extension rules. The information can sometimes follow the decision, but it must be supplied without undue delay. Identity should be checked proportionately before release. IPP 7 lets a person ask for correction. The agency must decide the correction request within 20 working days; if it declines to correct, the person can ask for a statement of correction to be attached so it accompanies future use or disclosure. Access may be withheld only on statutory grounds, and reasons and complaint rights generally need to be explained. New Zealand does not have a broad, automatic right to erasure: deletion questions are usually addressed through correction, retention, purpose and other applicable obligations.
- Requester — May seek confirmation, access and correction of personal information about themselves.
- Agency — Must log, verify, search, decide and communicate within the statutory timeframe.
- Refusal, extension or transfer — Use only statutory grounds, keep reasons, and provide required notices and review rights.
We will promptly log every access or correction request, verify identity only to the extent reasonably necessary, and assign an owner. We will make and communicate our decision as soon as reasonably practicable and within 20 working days unless a lawful extension or transfer applies. We will provide approved information without undue delay, record any withholding ground, and attach a requested statement of correction when a correction is declined.
Security of personal information (IPP 5) — what "reasonable safeguards" means in practice
IPP 5 is risk-based rather than a single technical checklist. An agency must use security safeguards that are reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse. Reasonableness depends on factors such as sensitivity, volume, foreseeable harm, system exposure, available controls and the practical consequences of failure. For an SME, a defensible baseline usually includes an information inventory, least-privilege access, multi-factor authentication, secure password management, timely patching, supported software, encryption where appropriate, tested backups, logging, staff training, secure disposal, incident procedures and supplier controls. A certificate or vendor assurance can support due diligence but does not replace checking the actual scope, configuration and operating controls. Where a service provider holds information, the agency must do what is reasonably within its power to prevent unauthorised use or disclosure.
- Governance safeguards — Assign ownership, classify information, train staff, control retention and test incident procedures.
- Technical safeguards — Use MFA, patching, least privilege, secure configuration, backups and monitoring proportionate to risk.
- Service providers — Assess scope and controls, contract for protection, and monitor material changes and incidents.
We will apply security safeguards proportionate to the sensitivity, volume, use and foreseeable harm of the personal information we hold. At minimum, we will control access by role, use multi-factor authentication for sensitive and administrative systems, patch supported systems promptly, maintain recoverable backups, protect devices and data in transit and at rest where appropriate, log material activity, train personnel, dispose of information securely, and assess providers before and during use.
Enforcement — Privacy Commissioner powers: complaints, compliance notices, access directions, the Human Rights Review Tribunal and penalties
OPC can receive and investigate complaints, seek settlement and assurances, conduct inquiries, require information, issue compliance notices for breaches of statutory obligations, and issue binding access directions after investigating an access complaint. Compliance notices can require an agency to stop conduct or take remedial action; access directions can require release of personal information. Appeals and enforcement can go to the Human Rights Review Tribunal. The Tribunal can make declarations, restraining orders, orders requiring remedial action and awards of damages for pecuniary loss, lost benefit, expenses, humiliation, loss of dignity or injury to feelings. New Zealand does not currently have Australia's large tiered civil-penalty model. Instead, specified criminal offences carry fines generally capped at $10,000, while privacy claims can separately result in Tribunal remedies and damages. Examples include failing without reasonable excuse to notify OPC of a notifiable breach, failing to comply with a Tribunal access order, or failing to comply with a Tribunal order enforcing a compliance notice.
- Office of the Privacy Commissioner — Investigates, resolves, directs access, issues compliance notices and can publish regulatory outcomes in appropriate cases.
- Human Rights Review Tribunal — Hears proceedings and appeals, enforces notices or directions, and can award remedies and damages.
- Criminal offences versus civil remedies — Do not confuse specified $10,000 offence fines with Tribunal damages for an interference with privacy.
We will cooperate promptly and truthfully with the Office of the Privacy Commissioner, preserve relevant evidence, meet statutory information requests, and comply with any access direction, compliance notice or Tribunal order unless lawfully appealed. Regulatory correspondence must be escalated immediately to the Privacy Officer and senior management, with legal advice obtained where appropriate.
How the Privacy Act interacts with the notifiable privacy breach scheme
The notifiable privacy breach scheme is part of the Privacy Act 2020. A privacy breach includes accidental or unauthorised access, disclosure, loss, alteration, destruction or an action that prevents access, such as ransomware. The agency must assess whether the breach has caused, or is likely to cause, serious harm to affected individuals. If it meets that threshold, the agency must notify OPC and affected individuals as soon as practicable after becoming aware, subject to limited statutory exceptions for individual notification. OPC interprets prompt reporting as ideally within 72 hours, but the Act's legal wording is "as soon as practicable", not a fixed 72-hour deadline. Use NotifyUs even if the investigation is incomplete and update the notification as facts develop. Failing without reasonable excuse to notify OPC is an offence carrying a maximum $10,000 fine. Cyber incidents can also be reported through the National Cyber Security Centre (NCSC), part of the GCSB, using its current reporting platform for support and national visibility; this is separate from, and does not replace, the Privacy Act notification. The CERT NZ brand and website were retired when integration into NCSC was completed in July 2025.
- Contain and assess — Secure systems, preserve evidence, identify affected information and assess serious harm without waiting for perfect certainty.
- Notify — Notify OPC through NotifyUs and affected people as soon as practicable when the serious-harm threshold is met.
- NCSC — Use the NCSC cyber-incident pathway for technical support or reporting; it does not replace OPC notification.
We will immediately contain and document any suspected privacy breach and assess whether it has caused, or is likely to cause, serious harm. If the breach is notifiable, we will notify the Privacy Commissioner through NotifyUs and notify affected individuals as soon as practicable. We will aim to notify OPC within 72 hours of awareness, without delaying solely because the investigation is incomplete, and will provide updates as facts develop. Cyber incidents may also be reported to NCSC; that report does not replace our Privacy Act notifications.
Common compliance gaps for New Zealand SMEs
The most common practical risk is not the absence of a long legal document; it is the absence of repeatable ownership and records. Typical SME gaps include no appointed or active privacy officer, no inventory of personal information and vendors, collecting fields "just in case", privacy notices that do not match actual systems, missing IPP 3A notices for indirectly sourced data, excessive staff access, weak MFA or patching, indefinite retention, unreviewed cloud and AI terms, no access-request log, and no tested breach plan. A workable minimum is a named privacy officer, a simple data-and-vendor register, purpose and retention rules, current notices, basic cyber controls, a request workflow, an overseas-disclosure assessment, annual staff training and a breach decision record. Government frameworks such as the NZISM and Protective Security Requirements can be useful reference points, but they are not automatically mandatory for every private SME. Sector codes and contractual or regulatory obligations may impose additional requirements.
- Owner-managed and micro businesses — Keep the system small: one accountable privacy officer, one register and a few tested workflows.
- Growing SMEs — Add vendor review, role-based access, retention automation, training evidence and incident exercises.
- Sector and customer overlays — Check privacy codes, professional duties, customer contracts and regulated-sector requirements.
Our minimum privacy control set is: an appointed Privacy Officer; a current register of personal information, purposes, systems, vendors and overseas locations; accurate collection notices; documented retention and deletion rules; role-based access and multi-factor authentication; a 20-working-day request workflow; provider and IPP 12 review; annual staff training; and a tested privacy-breach procedure. We will review this control set at least annually and after material system, provider or legal changes.
What's my next step?
Common misconceptions
- “Small businesses are exempt.” False: New Zealand has no turnover-based small-business exemption; almost all businesses are agencies under the Act. VERIFIED
- “The Australian Privacy Act and APPs apply in New Zealand.” False: New Zealand businesses must start with the Privacy Act 2020 and New Zealand IPPs, while separately checking any overseas laws that apply. VERIFIED
- “Every notifiable breach has a fixed statutory 72-hour deadline.” False: the Act says as soon as practicable; 72 hours is OPC's stated reporting expectation or guidance. VERIFIED
- “Only malicious hacking is a privacy breach.” False: accidental disclosure, loss, unauthorised access, destruction and loss of availability can also be privacy breaches. VERIFIED
- “Consent is required for every collection, use or disclosure.” False: the IPPs use lawful purpose, necessity, transparency and listed exceptions; authorisation is one pathway, not the only one. VERIFIED
- “Using an overseas cloud service is always an IPP 12 disclosure.” Not necessarily: a provider acting solely as an agent for storage or processing may fall under section 11, although the New Zealand agency remains responsible. VERIFIED
- “Publishing a privacy policy proves compliance.” False: compliance depends on actual collection, security, access, correction, retention, use, disclosure and breach practices matching the law and the notice. INFERRED
- “Anyone can demand immediate deletion of all their data.” False: the Act provides access and correction rights and limits unnecessary retention, but not a broad automatic right to erasure. VERIFIED
- “OPC can impose Australian-style multimillion-dollar civil penalties.” False: New Zealand currently relies on regulatory directions, notices, Tribunal remedies and specified offences generally capped at $10,000. VERIFIED
- “NZISM and the Protective Security Requirements are automatically mandatory for every private SME.” False: they are government security frameworks, although an SME may adopt them voluntarily or be required to follow parts through a contract or regulated role. VERIFIED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Appoint a privacy officer | Office of the Privacy Commissioner | Operating a New Zealand business or organisation covered as an agency | Ongoing; appoint and keep the role current | |
| Collect only necessary personal information for a lawful purpose and give required notices | Office of the Privacy Commissioner | Direct or indirect collection of personal information | At or before direct collection where practicable; for indirect collection, take reasonable steps within the timing required by IPP 3A, unless an exception applies | A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages |
| Protect personal information with reasonable safeguards | Office of the Privacy Commissioner | Holding personal information directly or through a service provider | Continuous, with review after material changes and incidents | A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages |
| Respond to personal-information access requests | Office of the Privacy Commissioner | Receipt of a valid request from an individual for their personal information | Decide and respond as soon as reasonably practicable and no later than 20 working days, subject to lawful extension or transfer; provide approved information without undue delay | OPC may issue an access direction; failure without reasonable excuse to comply with a resulting Tribunal access order can attract a fine up to $10,000 |
| Respond to correction requests | Office of the Privacy Commissioner | Receipt of a request to correct personal information | Decide as soon as reasonably practicable and within 20 working days, subject to lawful extension or transfer | A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages |
| Limit retention, use and disclosure | Office of the Privacy Commissioner | Retaining, reusing or sharing personal information | Before each materially new use or disclosure and throughout the retention period | A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages |
| Assess overseas disclosures under IPP 12 | Office of the Privacy Commissioner | Proposed disclosure of personal information to a foreign person or entity | Before disclosure and when recipient terms, locations, subprocessors or purposes materially change | A qualifying interference with privacy can lead to OPC action and Human Rights Review Tribunal remedies or damages |
| Notify a serious-harm privacy breach | Office of the Privacy Commissioner | A privacy breach that has caused, or is likely to cause, serious harm | Notify OPC and affected individuals as soon as practicable; OPC says notification should ideally occur within 72 hours and can be updated | Failure without reasonable excuse to notify OPC is an offence punishable by a fine up to $10,000 |
| Comply with access directions, compliance notices and Tribunal orders | Office of the Privacy Commissioner and Human Rights Review Tribunal | Receipt of a binding direction, notice or order | By the stated date or as soon as practicable, subject to lawful appeal rights | Failure without reasonable excuse to comply with specified Tribunal orders can attract a fine up to $10,000 |
Sources
- Privacy Act 2020 — latest version primary
- Office of the Privacy Commissioner — We are regulators primary
- Privacy Act 2020 and the Information Privacy Principles primary
- Principle 3A — collection from another source primary
- IPP 3A notification requirements for indirect collection primary
- Principle 5 — storage and security primary
- Principle 12 — disclosure outside New Zealand primary
- What are your privacy rights? primary
- Complying with the Privacy Act primary
- Ask for your information primary
- Responding to requests and complaints well primary
- Sending information overseas primary
- Working with third-party providers primary
- What security safeguards are reasonable? primary
- Make it stronger by using two-factor authentication primary
- OPC privacy regulatory toolkit primary
- Access directions primary
- Privacy Act 2020 turns five — changes are needed primary
- Privacy breaches primary
- NotifyUs privacy-breach reporting primary
- NCSC and CERT NZ integration now complete primary
- NCSC incident reporting for businesses and individuals primary
- NCSC critical controls to protect your organisation primary
- New Zealand Protective Security Requirements — information security primary
- Reddit discussion: company posted private customer details forum
- Reddit discussion: unsolicited marketing and property data forum
- Reddit discussion: overseas AI processing of inspection images forum
- Reddit discussion: security claims and ISO 27001 scope forum
- Reddit discussion: experience reporting to the Privacy Commissioner forum
- Reddit discussion: notifying people affected by a data breach forum
- Reddit discussion: small-company awareness of legal obligations forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.