New Zealand Data Privacy Laws: Privacy Act 2020 Guide (2026)

Overview of New Zealand's Privacy Act 2020
New Zealand's Privacy Act 2020 came into force on December 1, 2020, replacing the Privacy Act 1993 that had governed the country's data protection framework for nearly three decades. The new law was designed to address the realities of a digital economy where personal information crosses borders instantly and data breaches affect millions.

The Act applies to every "agency" that handles personal information. Under New Zealand law, an agency is any person or organization in either the public or private sector. Government departments, private businesses, charities, schools, sports clubs, and sole traders all fall within scope. The definition is deliberately broad to ensure comprehensive coverage.
Personal information means information about an identifiable individual. This includes names, addresses, email accounts, phone numbers, financial records, health data, employment history, photographs, IP addresses, and any other data that can identify a living person.
One of the most significant changes in the 2020 Act is its extraterritorial reach. An overseas business may be treated as carrying on business in New Zealand for the purposes of the Act, even without a physical presence in the country. Any organization that provides services to New Zealanders or collects their personal information is subject to the same legal obligations as a New Zealand-based agency.
The 13 Information Privacy Principles
The heart of the Privacy Act 2020 is its 13 Information Privacy Principles (IPPs). These principles set out exactly how agencies must handle personal information at every stage of its lifecycle. Every organization operating in New Zealand must comply with all 13.
Principles 1 Through 4: Collection Rules
IPP 1 (Purpose of Collection) requires that personal information only be collected for a lawful purpose connected with a function or activity of the agency, and only when the collection is necessary for that purpose. An agency cannot collect data "just in case" or for undefined future use.
IPP 2 (Source of Information) states that personal information should be collected directly from the individual concerned wherever possible. There are exceptions, such as when the individual authorizes collection from another source or when direct collection would prejudice the purpose of collection.
IPP 3 (Collection From the Individual) requires agencies to take reasonable steps to inform individuals of specific matters when collecting personal information directly. This includes the fact of collection, its purpose, the intended recipients, the name and address of the collecting agency, consequences of not providing the information, and the individual's rights of access and correction.
IPP 4 (Manner of Collection) prohibits agencies from collecting personal information by unlawful means or by means that are unfair or unreasonably intrusive in the circumstances.
Principle 3A: The 2025 Amendment (Effective May 1, 2026)
The Privacy Amendment Act 2025, which received Royal Assent on September 23, 2025, introduces a new IPP 3A that takes effect on May 1, 2026. This principle addresses a gap in the original framework by requiring agencies to notify individuals when their personal information is collected indirectly, meaning from a source other than the individual themselves.
Under IPP 3A, an agency that collects personal information from a third party must take reasonable steps to ensure the individual is aware of the same matters required under IPP 3. The Ministry of Justice led the policy development for this reform, which was driven in part by the need to maintain New Zealand's EU adequacy status.
Exemptions to IPP 3A include situations where the information is publicly available, the individual has already been informed, notification would compromise law enforcement, notification would undermine the purpose of collection, or notification would create serious risks to public health, safety, or individual wellbeing.
Principles 5 Through 9: Storage, Access, and Retention
IPP 5 (Storage and Security) requires agencies to protect personal information against loss, unauthorized access, use, modification, or disclosure. Agencies must use security safeguards that are reasonable in the circumstances, taking into account the sensitivity of the information and the harm that could result from a breach.
IPP 6 (Access to Personal Information) gives individuals the right to access their own personal information held by an agency. Agencies must make information available promptly and in a form the person can understand. There are limited grounds for refusal, such as protecting national security, trade secrets, or the privacy of another individual.
IPP 7 (Correction of Personal Information) provides individuals with the right to request correction of their personal information. If an agency does not agree to make a correction, the individual can request that a statement of the desired correction be attached to the information.
IPP 8 (Accuracy) requires agencies to take reasonable steps to ensure that personal information is accurate, up to date, complete, relevant, and not misleading before using it.
IPP 9 (Retention) states that agencies must not keep personal information for longer than is necessary for the purposes for which the information may lawfully be used.
Principles 10 and 11: Use and Disclosure
IPP 10 (Limits on Use) restricts how agencies can use personal information. Information collected for one purpose generally cannot be used for a different purpose unless the individual authorizes it, the information is publicly available, the use is directly related to the original collection purpose, or one of the other statutory exceptions applies.
IPP 11 (Limits on Disclosure) similarly restricts when agencies can share personal information with other people or organizations. Disclosure is permitted when it is one of the purposes for which the information was collected, the individual authorizes it, the information is publicly available, disclosure is necessary to prevent or lessen a serious threat to public health or safety, or other limited exceptions apply.
Principle 12: Cross-Border Disclosure
IPP 12 (Disclosure Outside New Zealand) regulates the transfer of personal information overseas. An agency may only disclose personal information to a foreign person or entity if one of these conditions is met:
- The individual authorizes the disclosure after being expressly informed that the overseas recipient may not be required to protect the information in a comparable way.
- The agency believes on reasonable grounds that the recipient is subject to the Privacy Act (for example, because it carries on business in New Zealand).
- The agency believes on reasonable grounds that the recipient is subject to privacy laws of another country that provide comparable safeguards to the Privacy Act.
- The agency believes on reasonable grounds that the recipient is a participant in a prescribed binding scheme.
- The agency believes on reasonable grounds that the recipient is subject to privacy provisions in a contract that provide comparable safeguards.
The Office of the Privacy Commissioner provides model contract clauses and an IPP 12 Decision Tree tool to help agencies navigate cross-border transfer requirements.
Organizations that store data with overseas cloud providers generally remain responsible for the personal information under Section 11 of the Act and do not need separate cross-border agreements in most circumstances.
Principle 13: Unique Identifiers
IPP 13 (Unique Identifiers) restricts how agencies assign and use unique identifiers such as customer numbers, account numbers, or other codes. An agency must not assign a unique identifier to an individual unless it is necessary for the agency's functions. Agencies must not require individuals to disclose unique identifiers assigned by other agencies unless there is a lawful basis.
Mandatory Breach Notification
Part 6 of the Privacy Act 2020 introduced mandatory breach notification for the first time in New Zealand. Under the previous 1993 Act, breach reporting was voluntary. The 2020 Act made it compulsory.
What Counts as a Notifiable Breach
A privacy breach is notifiable if it has caused, or is likely to cause, serious harm to an affected individual. The agency must assess the likelihood of serious harm by considering several factors under Section 113, including:
- The nature and sensitivity of the personal information involved.
- What has actually happened to the information (stolen, accidentally disclosed, corrupted, etc.).
- Who has received or could receive the information.
- Whether security measures such as encryption protected the information.
- The nature of the harm that could result.
Serious harm includes identity theft, financial loss, physical danger, emotional or psychological harm, employment-related harm, and threats to safety. The Privacy Commissioner's guidance notes that certain categories of information (health records, financial data, information about children, or data relating to family violence victims) warrant heightened concern.
Notification Requirements
When a breach meets the serious harm threshold, the agency must:
- Notify the Privacy Commissioner as soon as practicable after becoming aware of the breach. The expectation is within 72 hours. The notification must include the nature of the breach, the information affected, the likely consequences, and the steps the agency is taking.
- Notify affected individuals as soon as practicable. The notification must describe the breach, what information was involved, what the individual can do to protect themselves, and what the agency is doing in response.
Section 117 allows agencies to provide notification on an incremental basis if full information is not yet available, as long as additional details are provided as soon as reasonably practicable.
Section 116 provides limited exceptions to notifying affected individuals, such as when notification would endanger the safety of any person or when it would prejudice a law enforcement investigation.
Penalties for Failing to Notify
Section 118 makes it a criminal offence to fail to notify the Privacy Commissioner of a notifiable breach without reasonable excuse. The penalty is a fine of up to NZD 10,000.
The Office of the Privacy Commissioner
The Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu) is the independent regulator responsible for administering and enforcing the Privacy Act 2020. The current Privacy Commissioner is Michael Webster.
Powers and Functions
The Commissioner's key powers include:
- Investigating complaints from individuals who believe their privacy has been breached.
- Initiating investigations on the Commissioner's own motion when there are reasonable grounds to suspect an interference with privacy.
- Issuing compliance notices requiring agencies to take specific actions or stop specific conduct that breaches the Act.
- Publishing the names of agencies found to have breached the Act when it is in the public interest (the "name and shame" policy).
- Providing guidance and educational resources on privacy compliance.
- Making codes of practice that modify or supplement the IPPs for specific sectors (such as the Health Information Privacy Code).
Complaint and Enforcement Process
When an individual files a complaint, the Commissioner investigates and attempts to negotiate a settlement between the parties. If settlement fails, the Commissioner may refer the matter to the Director of Human Rights Proceedings, who can bring proceedings before the Human Rights Review Tribunal.
Individuals also have the right to bring proceedings directly to the Tribunal after the Commissioner closes their complaint. They have six months from the date of the Commissioner's closure notice (Section 98 notice) to file a claim.
The Human Rights Review Tribunal is an independent judicial body that can award:
- A declaration that the agency has interfered with the individual's privacy.
- An order restraining the agency from continuing the interference.
- Compensatory damages up to NZD 350,000, including damages for humiliation, loss of dignity, and injury to feelings.
- Costs.
Enforcement Statistics
The 2024/25 Annual Report from the Privacy Commissioner reveals a significant upward trend in enforcement activity. Privacy complaints rose 21% year-over-year, reaching 1,598 cases. Two-thirds of complaints related to access to personal information. Serious privacy breach notifications rose 43%, with the office receiving 864 breach notifications in the 2023/24 year, of which 414 were classified as serious.
Privacy Commissioner Michael Webster has publicly called for legislative reforms including multimillion-dollar civil penalties, a right to erasure, and robust controls on automated decision-making. Unlike Australia, whose Privacy Act imposes fines of up to AUD 50 million for serious violations, New Zealand currently lacks a civil penalty regime for privacy breaches.
Criminal Offences and Penalties
Section 212 of the Privacy Act 2020 establishes criminal offences. A person commits an offence and is liable on conviction to a fine not exceeding NZD 10,000 if they:
- Obstruct, hinder, or resist the Commissioner or any other person exercising powers under the Act without reasonable excuse.
- Fail to comply with a lawful requirement of the Commissioner.
- Make a false statement to the Commissioner or the Tribunal.
- Represent that they hold any authority under the Act when they do not.
- Destroy a document knowing that it is relevant to an investigation.
Section 118 creates a separate offence for failing to notify the Commissioner of a notifiable privacy breach, also punishable by a fine up to NZD 10,000.
Section 197 makes it an offence to breach a transfer prohibition notice, which the Commissioner can issue to prevent personal information from being sent overseas when there is a risk it will not be adequately protected.
While these penalties are low by international standards, the Tribunal's ability to award damages up to NZD 350,000 provides a more significant financial consequence for agencies that interfere with individual privacy.
Cross-Border Data Transfers and EU Adequacy
New Zealand is one of a small number of countries that has received an EU adequacy decision. The European Commission first declared New Zealand's privacy framework adequate on December 19, 2012, allowing personal data to flow from all 27 EU member states to New Zealand without requiring additional safeguards such as Standard Contractual Clauses or Binding Corporate Rules.
Following the passage of the Privacy Act 2020, the European Commission reviewed New Zealand's adequacy status and reaffirmed it. This renewed decision recognizes that the 2020 Act provides a level of data protection comparable to the GDPR.
The adequacy decision is not permanent. The European Commission reviews adequacy decisions periodically. New Zealand's next review is anticipated around 2028 or 2029. The introduction of IPP 3A through the Privacy Amendment Act 2025 was partly motivated by the need to maintain this adequacy status, as the EU expects comparable notification requirements for indirect data collection.
For organizations transferring data from New Zealand to other countries, IPP 12 requires comparable safeguards as described above. The Privacy Commissioner's model contract clauses and decision tree tools provide practical guidance for compliance.
Sector-Specific Privacy Codes
The Privacy Commissioner has the power to issue codes of practice under the Privacy Act that modify the IPPs for specific industries. The most significant codes currently in force include:
- Health Information Privacy Code 2020, which governs health agencies and modifies several IPPs to address the particular needs and risks of health data.
- Telecommunications Information Privacy Code 2020, which applies to telecommunications agencies.
- Credit Reporting Privacy Code 2020, which governs credit reporters and the handling of credit information.
- Justice Sector Unique Identifier Code 1998, which regulates the use of the National Health Index number by justice sector agencies.
These codes have the force of regulation. Breach of a code provision is treated the same as a breach of the underlying IPP it modifies.
Key Differences from GDPR
While New Zealand's privacy framework holds EU adequacy, there are notable differences between the Privacy Act 2020 and the GDPR:
Penalties. The GDPR imposes fines of up to EUR 20 million or 4% of global turnover. New Zealand's maximum criminal fine is NZD 10,000, though Tribunal damages can reach NZD 350,000.
Right to erasure. The GDPR includes an explicit right to erasure (right to be forgotten). The Privacy Act 2020 does not include this right, though the Privacy Commissioner has called for its introduction.
Data Protection Officers. The GDPR requires certain organizations to appoint Data Protection Officers. The Privacy Act 2020 has no such requirement.
Consent as a legal basis. The GDPR sets out six legal bases for processing personal data. The Privacy Act 2020 takes a different structural approach through its 13 principles, which do not map directly to the GDPR's legal bases framework.
Automated decision-making. The GDPR provides specific protections against decisions made solely by automated processing. The Privacy Act 2020 does not contain equivalent provisions, though the Privacy Commissioner has identified this as a priority reform area.
How Businesses Can Comply
Organizations operating in New Zealand or handling the personal information of New Zealanders should take these steps to achieve and maintain compliance with the Privacy Act 2020:
- Appoint a privacy officer. While not legally required, the Privacy Commissioner recommends that every organization designate a person responsible for privacy compliance.
- Conduct a privacy impact assessment for any new project, system, or process that involves personal information.
- Review collection practices to ensure personal information is only collected when necessary and for a lawful purpose.
- Update privacy policies and notices to reflect IPP 3 requirements, and prepare for IPP 3A compliance by May 1, 2026.
- Implement a breach response plan with clear procedures for assessing whether a breach meets the serious harm threshold and notifying the Commissioner within 72 hours.
- Review cross-border data flows and ensure that overseas recipients provide comparable safeguards or that another IPP 12 exception applies.
- Train staff on their privacy obligations, particularly around access requests, data security, and breach identification.
- Review retention schedules to ensure personal information is deleted when no longer needed.
The Office of the Privacy Commissioner's website provides free tools including privacy impact assessment templates, self-assessment checklists, and the Poupou Matatapu (Privacy Framework) for organizations building their privacy programs.