Privacy Act


Changes to the Privacy Act come into effect 1 December 2020


On the 1st December changes to the Privacy Act will come into place and are likely to have an impact on your business. We recommend reviewing your privacy policies now to ensure you won't be caught out by these changes:



Why is it changing?


The Privacy act 2020 modernises our current privacy laws last set in 1993, to reflect how technology and data is used now as it has transformed significantly since 1993.



What is changing?


  • Introduction of mandatory breach reporting:
    Businesses will need to report serious privacy breaches where there is a risk of harm, such as leaked personal information published online or identity theft, to the privacy commissioner as well as notify impacted individuals. The liability for breach notifications sits with the business or organisation, and not the individual employees.
  • New criminal offences:
    The Privacy Act 2020 enforces penalties of up to $10,000 for certain privacy breaches. Individuals affected by the breach may also appeal to the Human Rights Review Tribunal which can award up to $350,000 per person affected.
  • Compliance notices:
    The Privacy Commissioner will be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, in order to comply with the Privacy Act.
  • Enforceable access directions:
    The Privacy Commissioner will be able to direct agencies to provide individuals access to their personal information.
  • Disclosing information overseas
    An organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act, unless the relevant individual has authorised disclosure outside New Zealand.
  • Extraterritorial effect: The new Privacy Act now clearly states that it has extraterritorial effect. This means that an overseas business or organisation that is 'carrying on business' in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here.


What do I need to do?


We recommend assessing your privacy policies, consider the following points and explore ways in which you can minimize your risk.

  • What information do we store on our customers? Is it relevant and do we need this information?
  • Where is the information stored?
  • Who has access to the information?
  • Who is responsible for the information?
  • Does our organisation have a way of knowing if/when it gets breached?


And as always, if you have any specific issues in this area or any other, our Advice Service is here to help and can be contacted by email or phone 0800 472 472 (1800 128 086 from Australia).





Included in the 12th October 2020 edition of Talking Shop.