
Law change: Privacy Act for the digital age - MBIE

Fuseworks Media

When: From 1 December 2020

What: Changes to the Privacy Act mean businesses must:

not destroy personal information if someone asks for information held about them

report serious privacy breaches

check that personal information shared with overseas companies will have protection similar to that in New Zealand.

Overseas businesses operating in New Zealand must meet privacy requirements, including multi-nationals offering services like cloud software or social media.

The revamped Act gives the Privacy Commissioner greater powers. This includes:

ordering a business to give a person their personal information

issuing a compliance notice if a business fails to comply with the Privacy Act.

So it’s a good idea to appoint a privacy officer, eg add privacy duties to a trusted employee’s existing role.

Why: The Privacy Act aims to keep people’s personal information safe and secure. The law updates reflect changes in technology and the ways business is done online and offline.

Anyone who collects, uses and stores personal information must follow new and existing rules in the Privacy Act. This applies to all business types, including sole traders and freelancers/contractors. Common examples of personal information collected by businesses include:


contact details

employment records

photos of workers or customers used for marketing, eg flyers or social media posts.

To meet new requirements in the Privacy Act, here are some of your key responsibilities.

Privacy officer

Decide who in your business will take the lead on privacy matters. This could be you, an office manager, or another trusted worker. This person will be your privacy officer, in addition to their current tasks.

This role involves:

a general understanding of how the Privacy Act relates to your business

checking personal information is collected responsibly and stored safely

making sure any issues or requests for personal information are handled promptly

handling privacy complaints made to your business, including working with the Office of the Privacy Commissioner (OPC) on any escalated complaints.

Learn about privacy requirements with free online training on the Privacy Commissioner website. Modules include:

Privacy 101

Employment and privacy

Reporting privacy breaches

Privacy Act 2020

Requests for personal information

If someone asks for their personal information held by your business, you must respond within 20 working days. Most complaints to the Privacy Commissioner are from people denied access to their personal information.

You and/or your privacy officer should think about how the business stores and handles information:

Could you respond to a request within the time limit?

How do you store personal information?

How secure is it?

You must not delete personal information to avoid the request. This will be illegal under the revamped Privacy Act.

Privacy breaches

Talk with your staff about what to do if there’s a serious privacy breach. Work through various scenarios together, eg accidentally losing personal information vs a cyber attack. This helps everyone know the steps they should take.

An important new step is to report serious breaches to the Privacy Commissioner by phone, email or using the online tool Notify Us.

Sharing information with overseas companies

Under the new Privacy Act, you may only share personal information with an overseas business if they meet New Zealand’s privacy requirements. This does not apply to overseas cloud-based services.

More guidance is being developed to help you understand these requirements.

In the meantime visit the Privacy Commissioner’s website for current guidance, and for contact information if you have questions.

Personal information: What it is, how to protect it
