Three things IT teams should know about the NZ Privacy Act 2020

NZ Oct 27, 2020

If you work in IT, you should be aware that a new Privacy Act comes into effect on 1 December.  The new act responds to major changes in society and the growth of the Internet over the last 27 years.  The act focusses on protecting people’s Personally Identifiable (PI) information.

Personally identifiable information includes any piece of information that relates to a living, identifiable human being.  This includes people's names, contact details, financial health, purchase records:  anything that you can look at and say, "this is about an identifiable person".  It may also include IP addresses, invoice or ID numbers, and data stored in cookies.

Listed below are three changes that IT teams should know about.  You can find more details on these at

1.       Mandatory notification of privacy breaches. If a business or organisation has a privacy breach (this may be any data breach) that is likely to cause anyone serious harm, it is legally required to notify the office of the privacy commissioner (OPC) and any affected persons as soon as practicable.
The OPC promises further guidance to assess ‘serious harm’, but if the breach might reasonably result in identify theft, financial loss, loss of business or employment opportunities, or significant humiliation or loss of dignity then it should be considered ‘serious’.  Stay tuned.

2.       Limits on disclosing information overseas.  Under new privacy principle 12, an organisation or business may only disclose personal information outside of New Zealand if it is reasonably satisfied the recipient is subject to similar safeguards to those in the NZ Privacy Act.  If not, the individual to whom the PI relates must be advised and agree to the disclosure before it occurs.
Note that SaaS vendors are typically exempt from this provided they do not use the information for its own purposes.  Therefore, Office 365, Xero, and other mainstream paid SaaS agencies are okay; however, watch out for ‘free’ services such as Mailchimp and free Google Analytics.  Remember, if you’re not paying for the product you (or your data) are the product.

3.       Know what PI data you have and know where you keep it.  The OPC is getting hotter on the privacy act request process.  Individuals have a right to know what information you hold about them, and the new act gives the OPC powers to force you to act.  If you might reasonably face privacy requests then make sure you are organised and have a process to handle them.
This is also important because, if one of your SaaS vendors suffers a data breach, you need to take action subject to the breach notification requirement.

Do you comply with the new act?  Consider taking the FREE Privacy Act 2020 readiness assessment at  The team there does an excellent job.

Remember, just because you feel you have nothing to hide doesn’t mean you want a camera in your bathroom.  The Internet has hidden ‘cameras’ everywhere and we all leave digital footprints.  If anything, improvements to privacy law at least let us know where those cameras are.

Peter Brook

Peter is our vBridge Operations and Information Security Manager. He has over 20 years experience in many NZ organisations including PGG Wrightson, CDHB, Lyttelton Port Company and Spark Digital.