New Privacy Laws to protect personal information in force now

Venkat Raman

Venkat Raman

Auckland, December 1, 2020


Image from Privacy Commissioner website


Businesses, sports and other organisations functioning in New Zealand will be required to comply with a wide range of Privacy Laws that have come into force effective today, December 1, 2020.

According to Privacy Commissioner John Edwards that everyone holding or processing personal information of people must ensure their privacy and safety and that breaches could lead to serious punitive action.

He said the new law accord sufficient powers to his office to deal with breaches- powers and delegation that did not exist earlier.

Handling personal details

The Privacy Act 2020 specifies that all organisations- commercial and otherwise- must handle personal information more carefully and ensure that they do not become public if they are deemed for private purposes.

Mr Edwards told Morning Report today that these organisations and those affected will be required to report to the Office of the Privacy Commissioner as soon as a privacy breach that may cause serious harm has occurred. 

“If they lose control of personal information in a way that could cause serious harm, they will be under a legal duty to notify the affected individuals and to notify my Office. Failure to do so is a criminal offence and is punishable by a fine of up to $10,000,” he said.

Under the new laws, the Privacy Commissioner can also issue compliance notices to require information holders to do something or make them stop doing it.

“Those notices, if not observed, can be enforced through the Human Rights Tribunal, and again with a penalty of up to $10,000 for failure to comply,” Mr Edwards said.

Privacy Commissioner John Edwards

Key Changes

Key changes in the Act include (a) Immediate report to the Office of the Privacy Commissioner and the affected persons as soon as a privacy breach that may cause serious harm has occurred (b) New criminal offences that can result in a fine of up to $10,000 for misleading individuals to access information or destroying information while knowing that it has a request for access (c) Compliance notices can be issued to require information holders to do something, or make them stop to comply with the Act (d) Under a new privacy principle, an organisation or business may only disclose personal information to an agency outside New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act 2020 (e) The Privacy Commissioner can direct an organisation or business to confirm whether they hold personal information about an individual and to provide the individual with access to that information and (f) An overseas business or organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s obligations, even if it does not have a physical presence in this country.

Edwards said businesses would not notice a difference if they were already good stalwarts of record-keeping, but resources were available on the privacy commission’s website to help people understand their obligations.

Creating awareness

How can organisations determine which information is private and which can be published?

Mr Edwards agreed that there is need for education and creation of better awareness.

The Office of the Privacy Commissioner has launched a learning tool called, ‘NotifyUs’ on its website to enable organisations to understand their obligations.

“We will be focusing on education, helping agencies to understand their obligations.,” he said.

He said New Zealand sat around in the middle range among privacy regulations in the world.

Stephen Conti, Director of Operations, New Zealand Business Tools, a business advocacy group, expressed concern over the overwhelming level of publicity that the law changes have received.

He said that simple, innocent acts by an employee could become a serious risk.

“Just look at the guard who posted a selfie from the quarantine facility in which he was working but was not aware of a list of names and details in the background. As a result, the employee and the company got into all kinds of trouble,” Mr Conti said.

He said that businesses should re-examine their privacy policies and put in place measures to keep themselves and the data of their customers safe.

As per the Act, it will now be an offence to mislead an agency to access someone else’s personal information; for example, impersonating someone in order to access information that others not entitled to see. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it.

The above story has been sponsored by

Related posts

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: