Public Sector

New Privacy Act 2020 Commencing 1 December 2020 - What You Need To Know

The substantive provisions of the Privacy Act 2020 come into force on 1 December 2020.  This is the first comprehensive reform since the Privacy Act 1993 was enacted and makes New Zealand’s privacy law more consistent with comparable jurisdictions.

For the most part the new Act adds to the obligations in the Privacy Act 1993.  The key additions are:

  1. Information privacy principle (IPP) 1 now expressly states that, if the lawful purpose for which personal information about an individual is collected does not require the collection of an individual’s identifying information (such as name, phone number or age), an agency may not require the supply of such identifying information. 
  2. New IPP 12 concerning the disclosure of personal information to a foreign person or entity.  An agency sharing information with a foreign entity must ensure that the foreign entity is required to provide the same privacy safeguards that would be provided by a New Zealand agency.  In that regard, IPP 5 provides that, if personal information is shared by an agency, it must do everything reasonably within its power to prevent unauthorised disclosure of the information.  This means that the transferring agency’s responsibility for the information continues after it has been transferred.

  3. The mandatory requirement to report a notifiable privacy breach to the Privacy Commissioner where previously this was voluntary.  A notifiable breach is one that it is reasonable to believe has caused serious harm to an affected individual and includes accidental access, disclosure, or loss of personal information.  There is also a requirement to notify the individual who is the subject of the information, so that they can mitigate the effect of the breach if need be.  It is an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach.  The Office of the Privacy Commissioner will be launching an online privacy breach notification tool and updated guidance to help agencies with this new requirement.
  4. The Privacy Commissioner will be able to issue compliance notices describing the steps required for an agency to bring itself into compliance. 

  5. The Privacy Commissioner will be able to direct agencies to provide individuals with access to their personal information.  Access directions will be enforceable in the Human Rights Review Tribunal.

The enactment of the Privacy Act 2020 is a timely reminder to make sure that both staff and elected members are aware of the IPPs and that appropriate protocols are in place for the collection, maintenance and protection of personal information.  Agencies should ensure that they:

  1. Only collect personal information for a lawful purpose connected with a function or an activity of the agency and that the collection is necessary for that purpose (IPP 1);
  2. Take care of personal information once collected, including when sharing that information with third party contractors who will also need to treat that information with the same care;

  3. Follow the processes in Part 4 of the Act when requests for personal information are received;
  4. Dispose of personal information when it is no longer required, unless required by some other enactment to hold onto it for a certain amount of time; and

  5. Appoint a privacy officer in accordance with section 201 of the Act who will be responsible for dealing with requests made under the Act, working with the Commissioner, and ensuring compliance.

The Privacy Commissioner is aiming to release new Codes of Practice prior to the commencement of the Act.

© Brookfields Lawyers 2020 – All Rights Reserved


Need Assistance?


Auckland Office: +64 9 379 9350

Wellington Office: +64 4 499 9824


Contact us today

Signup Today!