New Zealand - Data Protection Overview

December 2023

1. Governing Texts

This Guidance Note was last updated on September 25, 2023, and the information therein should be treated as up to date as of that date.

The key legislation in New Zealand in relation to data protection is the Privacy Act 2020 ('the 2020 Act'), which received Royal Assent on June 30, 2020. Certain aspects of the 2020 Act came into force on July 1, 2020, with most operative provisions commencing from December 1, 2020, to give organizations time to adopt the new requirements. The 2020 Act built additional protections for the modern era on top of the existing provisions contained in the previous Privacy Act 1993 ('the 1993 Act').

New Zealand was one of the first jurisdictions to receive an 'adequacy decision' from the European Commission in 2012. There was some debate as to whether it was likely to retain this following the full implementation of the 2020 Act, as it was possible that the European Commission would have expected the 2020 Act to have more 'teeth' (to be consistent with the significant fines imposed under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')). To date, New Zealand retains its adequacy status. It is likely that the loss of the adequacy decision would cause issues related to existing and new data flows between New Zealand and the EU.

It is of note that in May 2021, the UK's Information Commissioner's Office ('ICO') and the Office of the Privacy Commissioner of New Zealand ('OPC') signed a Memorandum of Understanding, under which they each affirmed their intent to deepen existing relations between the UK and New Zealand and promote exchanges to assist each other in the enforcement of laws protecting personal information. This document records broad principles of collaboration and a legal framework for sharing information (although not personal information) and intelligence between the commissioners. Further, the former New Zealand Privacy Commissioner, John Edwards, became the UK's Information Commissioner in January 2022.

1.1. Key acts, regulations, directives, bills

The 2020 Act retains the principles-based approach of the 1993 Act. These principles, known as Information Privacy Principles ('IPPs'), operate in a similar manner to the principles-based approach outlined in the GDPR. However, in contrast to the GDPR, the 2020 Act does not include more prescriptive data protection requirements beyond the IPPs. To date, there has been no case law or decisions under the 2020 Act. However, given the substantial crossover with the 1993 Act, we expect the case law and decisions made under that legislation to still provide meaningful direction on the interpretation of the 2020 Act.

The 2020 Act empowers the OPC to issue codes of practice, which form part of the privacy law in New Zealand. The intention of these codes is to modify the operation of the 2020 Act for specific types of information, or for certain industries. Currently, the following codes of practice exist, each having recently been repealed and replaced to align more closely with the 2020 Act:

In addition to the 2020 Act, the New Zealand courts have developed a tort of privacy (i.e. the right of one person to sue another for breach of privacy). The tort of privacy relates to the public disclosure of private facts, where such disclosure would be considered to be highly offensive to a reasonable person of ordinary sensibilities, balanced against the wider public interest (Bradley v. Wingnut Films Ltd [1993] 1 NZLR 415).

The New Zealand Government ('the Government') has recently closed public consultation on the draft Customer and Product Data Bill ('the Bill'), which proposes establishing a new consumer data right to give consumers and businesses greater choice and control over their personal data, with an initial focus on the banking sector. The regime proposed to be implemented by the Bill will allow accredited third parties to make decisions and take certain actions on a customer's behalf, using the customer's data, where directed to do so by the customer. Public submissions on the Bill closed on July 24, 2023; the Government is now finalizing consultation and is seeking to introduce the Bill to the House of Representatives by the end of 2023.

1.2. Guidelines

From time to time, the OPC releases non-binding guidance on certain topics. Some useful links are as follows:

The OPC also offers free online learning privacy modules and a free privacy statement online generator.

1.3. Case law

New Zealand has a considerable body of common law which includes principles relevant to data protection. As above, New Zealand case law establishes and confirms certain privacy aspects, such as invasion of privacy and breach of confidence. In New Zealand, data protection is typically referred to as 'privacy', and, unless specifically mentioned, our comments are limited to the position with respect to privacy law under the 2020 Act. This is because the 2020 Act regulates the collection, use, storage, retention, transfer, and other means of processing personal data (in New Zealand, 'personal information') about an individual.

Decisions can be found using the following resources:

2. Scope of Application

2.1. Personal scope

The 2020 Act governs the collection, use, and disclosure of personal information by 'agencies'. 'Agency' is broadly defined, and, unlike the 1993 Act, the 2020 Act splits the definition into 'New Zealand agencies' and 'overseas agencies'. Most organisations will fall within the definition of 'agency'. A 'New Zealand agency' is an individual ordinarily resident in New Zealand, a public sector agency, a New Zealand private sector agency, or a court or tribunal. There is a list of exemptions, such as for a Member of Parliament acting in their official capacity and the Ombudsman. Similarly, an 'overseas agency' is a person, body corporate, or unincorporated body which is not a New Zealand agency, the government of an overseas country or an entity of such a government, or a news entity (to the extent it carries out news activities). Individuals who are not ordinarily resident in New Zealand are also captured by the definition.

The 2020 Act applies to:

  • a New Zealand agency, in relation to any action taken by that agency (whether or not present in New Zealand) in respect of personal information collected or held by that agency;
  • an overseas agency, in relation to any action taken by that agency, in the course of carrying on business in New Zealand in respect of personal information collected or held by that agency; and
  • an individual who is not ordinarily resident in New Zealand in relation to any action taken by that individual in respect of personal information collected or held while present in New Zealand, regardless of where the information is subsequently held or where the individual to whom the information relates is located.

The 2020 Act generally covers all sectors and organisations. However, certain agencies are excluded from application of the 2020 Act including:

  • Members of Parliament;
  • courts and tribunals in relation to their judicial functions; and
  • the news media when it relates to the collection and reporting of news and current affairs.

New Zealand's intelligence and security agencies are not excluded in their entirety from the application of the 2020 Act. Non-compliance by New Zealand's intelligence and security agencies with certain IPPs is permitted under the 2020 Act to the extent the non-compliance is necessary to enable an intelligence and security agency to perform any of its functions. We note that in September 2022, the Independent Police Conduct Authority ('IPCA') and the OPC released a joint enquiry into police conduct when photographing members of the public, having discovered a general lack of awareness amongst police of their obligations under the Privacy Act in respect of this.

Individuals who collect or hold personal information for their own personal, family, or household affairs are exempt from the IPPs. However, this exception does not apply where the collection, disclosure, or use would be highly offensive to an ordinary reasonable person.

2.2. Territorial scope

The test for whether an agency is carrying on business in New Zealand is drafted widely, which means that an agency could be treated as doing so without necessarily (for example) having a place of business in New Zealand, receiving monetary payments, or intending to make a profit in New Zealand.

Similarly, the 2020 Act confirms that, for the purposes of its application, it does not matter where the information was or is collected or held, or where the individual concerned is located. This means that the 2020 Act will continue to apply to certain personal information even when it is transferred or held outside of New Zealand.

2.3. Material scope

All processing activities are covered by the 2020 Act, insofar as the information concerned is personal information (see definition section below). Where the information is not 'personal information' (i.e. where it is de-identified in such a way in which it cannot be re-identified), it would not likely be captured under the 2020 Act.

In certain places, the 2020 Act expressly specifies that application of a certain provision does not include individuals dealing with personal information held for personal or domestic affairs. For example, the definition of 'notifiable privacy breach' states that a privacy breach where personal information that is the subject of the breach is held by an agency who is an individual and the information is held solely for the purposes of, or in connection with, the individual's personal or domestic affairs, is not a 'notifiable privacy breach', and therefore not reportable to the OPC. Further, the IPPs (see Section on Key Definitions and Section on Principles) only apply in a highly restricted manner to personal information held in respect of an individual's personal or domestic affairs, provided that such exceptions do not apply where the collection, use, or disclosure of the personal information would be highly offensive to a reasonable person.

There are also specific provisions and exemptions which apply in respect of local or overseas government, and in certain circumstances, news media.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

As above, the main regulator for data protection is the OPC. Where there is a suspected breach of the 2020 Act, investigations may be undertaken by the OPC, the Human Rights Review Tribunal ('HRRT'), or in some cases, the New Zealand courts.

The OPC has the power to refer a complaint to another person, including the Ombudsman, the Health and Disability Commissioner, the Inspector-General of Intelligence and Security, and the IPCA, if it decides that the complaint falls more properly within that person's jurisdiction.

3.2. Main powers, duties and responsibilities

There are various functions of the OPC prescribed by the 2020 Act, from providing advice to the Government and the Prime Minister on the operation of the 2020 Act, to conducting an audit of personal information held by an agency for compliance with the IPPs where requested to do so by that agency. A new power provided to the OPC under the 2020 Act is the ability to issue a 'compliance notice', to require an agency to do, or stop doing, something to comply with privacy law. The OPC may make such compliance notices public. The HRRT can enforce these compliance notices if required. See further in Section below on Penalties.

4. Key Definitions

Data controller: There is no distinction between a data controller and a data processor. The 2020 Act applies to 'agencies'.

Unlike under the GDPR, there are no express concepts of 'controller' and 'processor,' although there are similar concepts that could be applied by analogy. If an agency ('A') holds information as an agent for another agency ('B'), for example, for safe custody or processing, then the 2020 Act specifies that the personal information is to be treated as being held by B, and not A, unless A is also using or disclosing the information for its own purposes. This provision applies whether A is outside or inside New Zealand, and whether or not the information is held by A internationally or domestically. See further details on this below in Section on Principles and Section on Controller and Processor Obligations.

Data processor: See above.

Personal data: The 2020 Act relates to 'personal information,' which is defined as information about an identifiable individual, and includes information relating to a death (maintained under the Births, Deaths, Marriages and Relationships Registration Act 1995 or the 1993 Act). The collection, use, and disclosure of personal information by agencies is subject to the 13 IPPs set out in Section 22 of the 2020 Act (with 12 IPPs under the 1993 Act). Further information about the requirements of the IPPs is set out in Section 6 of the 1993 Act.

Sensitive data: The 2020 Act has no express concept of 'sensitive data', although it does require an agency to consider whether the data is 'sensitive' when assessing the likelihood of serious harm being caused by a privacy breach. In practice, an agency may be constrained as to which information it may collect, by the IPPs, which only permit agencies to collect information for a 'lawful purpose connected with a function or activity of the agency', and collection is required to be 'necessary' for that purpose. The Health Code has specific rules for agencies in the health sector, and deals with the collection, use, storage, and disclosure of 'health information' by health agencies. In relation to the treatment of 'health information', certain sections of the Health Code replace the IPPs in the 2020 Act with those in the Health Code, while also adding specific requirements for health information.

IPP 4 states that an agency may only collect personal information by a lawful means, and by means that, in the circumstances of the case (particularly where personal information is being collected from children or young persons), are fair and do not intrude to an unreasonable extent upon the personal affairs of the individual concerned. This reference to 'children or young persons' is new under the 2020 Act and suggests that a higher level of consideration needs to be given to the personal information of younger individuals.

To help with the interpretation of 'sensitive' data, the OPC has published a guidance note on how the 2020 Act applies to sensitive personal information. The guidance note suggests that sensitive personal information 'is information about the individual that has some real significance to them, is revealing of them, or generally relates to matters that an individual might wish to keep private'. This is distinct from 'routine' or 'mundane' information about an individual that is not intimate, private, or particularly revealing. While it is suggested that this could include information about a person's race, gender, sex life, sexual orientation, religious beliefs, etc., whether personal information is 'sensitive' will depend on the context.

There are other additional rules which apply to specific types of information, outside of the 2020 Act, which are beyond the scope of this Guidance Note. For example, some criminal records may be subject to specific protection under the Criminal Records (Clean Slate) Act 2004 ('Criminal Records Act').

Data subject: Similar to the concept of 'data subject' in the GDPR, the 2020 Act recognizes the rights of an 'individual' (a natural person who is not deceased), and, in the context of the use of personal information, the 2020 Act refers throughout to the 'individual concerned', meaning the individual to whom the personal information relates.

Other: As referenced above, the 2020 Act operates on a 'principle' basis, compared to the prescriptive approach which many overseas jurisdictions have adopted with respect to data protection legislation. It is arguable that this is the reason that the 1993 Act was able to remain (generally) 'fit for purpose' over nearly two decades of significant technological change.

The 13 IPPs set out the requirements for the collection, use, and disclosure of personal information. In summary, the IPPs govern:

  • IPPs 1-4: the collection of personal information; for example, in what instances it may be collected, where it may be collected from, and how it may be collected;
  • IPP 5: how personal information is stored – an agency holding personal information must ensure that it is protected by safeguards as are reasonable in the circumstances to take against loss or misuse;
  • IPP 6: how individuals access personal information held about them, including a right to access such personal information;
  • IPP 7: how individuals have information about them corrected, including a right to correct information about themselves;
  • IPPs 8-11: how agencies may use or disclose an individual's personal information; for example, agencies are required to take steps to ensure information is accurate, up to date, complete, relevant, and not misleading, prior to any use or disclosure;
  • IPP 12: the disclosure of personal information outside of New Zealand; and
  • IPP 13: the use of 'unique identifiers', for example passport numbers.

Health data: The Health Code deals with the health information (the term used for 'health data' in the 2020 Act). Health information is defined as information or classes of information about an identifiable individual which relate to the health of that individual, such as medical history, disabilities, use of health or disability services, donation of body parts or substances, as further specified in Clause 4(1) of the Health Code. It receives the specific protections provided in the Health Code.

Biometric data: In essence, 'biometric information' is defined in the 2020 Act as a type of personal information which comprises a photograph of all or any part of a person's head and shoulders, impressions of the person's fingerprints, a scan of the person's irises, and/or an electronic record of that personal information which is capable of being used for biometric matching. However, it is of note that this defined term is only used in the context of information held by a 'holder agency' (a specified list of government departments, such as the Department of Corrections) and accessed by an 'accessing agency' (a similar specified list of government departments), in a manner agreed between the two agencies. In other words, there are no specific provisions relating to biometric data which apply to non-governmental agencies, other than potentially to the extent it falls into another category of personal information, such as health information. The OPC has published a position paper setting out its approach to regulating biometrics under the 2020 Act. The OPC is considering whether there should be a new code of practice to protect people against the misuse of their biometric data. The code of practice would change the way that the privacy principles in the Privacy Act apply when organisations use technology to analyse biometric information.

Pseudonymisation: The 2020 Act does not include specific requirements or obligations around pseudonymisation in the same way as the GDPR. We note that in the 2020 Act, IPP 5 requires proper security safeguards be put in place as is reasonable in the circumstances, which may mean that pseudonymisation is sensible in certain contexts.

Generative AI: The OPC has issued guidance on the use of generative artificial intelligence ('AI'), which builds on earlier guidance on the use of AI issued by the OPC. The guidance note provides information for agencies using generative AI on how to proactively think about privacy and interpret the IPPs in respect of using this technology. New Zealand was also part of a group of countries that issued a joint statement on data scraping, which was addressed to certain big tech companies.

5. Legal Bases

Rather than having the concept of legal bases as under the GDPR, the 2020 Act requires that there is a 'lawful purpose' for collecting, using, holding, or disclosing personal information. This lawful purpose must be connected with a function or an activity of the agency collecting the personal information, and the collection of the information must be necessary for that purpose. Similar to the GDPR principle of 'data minimisation', Section 22(2) of the 2020 Act states that if the lawful purpose for which personal information is being collected does not require the collection of identifying information, then the agency may not require the individual to provide their identifying information.

The 2020 Act does not name specific legal bases for collecting, using, or disclosing personal information. Instead, IPP 2 requires that (subject to specified exceptions) personal information must be collected directly from the individual concerned, and, in accordance with IPP 3, that the individual be made aware of the fact that the information is being collected, the purpose for which it is being collected, the intended recipients, the agency collecting and holding the information, and other specified details. These details must be provided prior to the collection of the personal information, or, if that is not practicable, as soon as practicable afterwards.

5.1. Consent

The 2020 Act does not rely on consent as many other forms of privacy legislation do. So long as an agency lawfully collected the personal information, is only doing what it intended to do with it as at the time of collection, and is clear about how it is doing so, individual authorisation may not be required. However, we note that consent is required with respect to direct marketing via telecommunications information under the Telecoms Code.

5.2. Contract with the data subject

There is no express lawful basis for collecting information in order to perform a contract. However, it is likely that this would fall within either IPP 1 (the agency performing the contract collects the information from the individual concerned) or IPP 2(2) (the individual concerned has authorised the agency with whom they have a contract, and another agency collects information from the individual concerned on behalf of the first agency).

5.3. Legal obligations

See section on Public interest below.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

There is an exception to the IPP 2 requirement that the agency collect information from the individual concerned where non-compliance is necessary:

  • to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences;
  • for the enforcement of a law that imposes a pecuniary penalty;
  • for the protection of public revenue;
  • for the conduct of proceedings before a court or tribunal, which have commenced or are reasonably in contemplation; or
  • to prevent or lessen a serious threat to the life or health of the individual or any other individual.

5.6. Legitimate interests of the data controller

There is no specific lawful purpose that would fall within this category, although it is of note that IPP 2 allows an agency an exception to the requirement to collect information from the individual concerned where non-compliance would not prejudice the interests of the individual concerned, the information is publicly available, or compliance is not reasonably practicable in the circumstances of the particular case.

5.7. Legal bases in other instances

Note that personal information does not need to be collected from the individual concerned where the personal information will not be used in a form in which the individual concerned is identified, or will be used for statistical or research purposes, and will not be published in a form that could reasonably be expected to identify the individual concerned.

Further, telecommunications agencies (as regulated by the Telecoms Code) may only use telecommunications information for direct marketing if the individual has been advised that they may withdraw consent to such direct marketing at any time.

6. Principles

The key obligations of agencies (whether private or public sector) are set out in the IPPs (summarised also in the Section on Key Definitions). In summary, these include the following key responsibilities:

  • agencies may only collect personal information by lawful means, as necessary for their lawful purposes;
  • the information must be collected directly from the individual concerned, unless one of the exceptions applies; for example, where an agency believes on reasonable grounds that the individual has consented to the collection of information from another individual;
  • the agency must communicate both the fact of collection, lawful purpose and basis, intended recipients, and other specified information (as set out in the 2020 Act, and as typically done by way of a privacy notice) to the individual at the time of collection, or as soon as practicable following such collection. This includes notifying the individual of the name and address of both the agency collecting the information, and the agency holding the information, the consequences of not providing the information requested, and the individual's rights of access to, and correction of, their personal information. Note that if the information will be used in a form which the individual concerned is not identified or will only be used for statistical or research purposes (and not published in a form which would reasonably be expected to identify the relevant individual), then this information does not need to be provided;
  • agencies are also responsible for responding to requests from data subjects in relation to their rights under the 2020 Act, notifying the OPC and, in some cases, the individual concerned, of a notifiable privacy breach;
  • agencies are required to maintain personal information so that it is up-to-date, accurate, complete, and not misleading, and not disclose the information unless permitted by law;
  • agencies must inform individuals if they are transferring their information outside of New Zealand (see Section on Data transfers below); and
  • as above, appropriate safeguards are required to be put in place to ensure that the personal information is protected from unauthorised access, use, or disclosure.

7. Controller and Processor Obligations

As above, while there is not an express distinction between a 'data controller' and 'data processor,' where an agency ('A') is holding personal information on behalf of another agency ('B') (and B is not holding it for its own purposes), then the personal information is not treated as being 'held' by B. This means, in our view, that the agency who 'holds' the personal information (as seen by the 2020 Act), i.e. A, is responsible for the storage and use of the personal information by the agency who in practice holds (but who is not treated as holding under the 2020 Act) the personal information, i.e. B, under IPP 5 (storage and security of information). Accordingly, agencies should ensure they undertake appropriate due diligence on service providers or other agencies who process the information on their behalf. In addition, appropriate contractual provisions should give the agency some comfort that the 2020 Act will be complied with by the relevant service provider in carrying out its obligations. The OPC has produced a set of simple contractual clauses that agencies can adopt to help ensure that A will be subject to appropriate contractual controls. We note that the OPC has made a statement that it expects all businesses or organizations which hold or share data to have two factor authentication in place. In the statement, the Deputy Privacy Commissioner says: "If you are a small business that has a cyber-related privacy breach and don't have at least two factor-authentication in place expect to be found in breach of the Privacy Act."

7.1. Data processing notification

Registration with the OPC is not generally required under the 2020 Act.

The OPC implemented a new 'honour roll' type of system in May 2018, where agencies can be awarded the 'Privacy Trust Mark' for a product or service, which warrants recognition for excellence in privacy. Applications are made to the OPC via their website. To date, only a limited number of agencies have been awarded the Privacy Trust Mark by the OPC, and details of their product or service are published online.

If an agency collects personal information, it is required to take steps which are reasonable in the circumstances to ensure that the individual concerned is aware of the fact that the information is being collected, the purpose for which it is being collected, and the intended recipients, amongst other specified requirements. These steps must be taken prior to collection of information, but if this is not practicable, as soon as practicable after information is collected. The steps need not be taken if the agency has taken those steps on a recent previous occasion in respect of that individual, on the same information or information of the same kind. See further discussion on these requirements above in the section on Principles.

As above, certain privacy breaches are considered 'notifiable', and notice must be given to the OPC (or the agency risks committing an offence under the 2020 Act) and, in most cases, either to the affected individuals directly or by public notice.

7.2. Data transfers

The 2020 Act incorporated the new IPP 12, which governs the disclosure of personal information outside of New Zealand. It sets out that an agency ('A') may only disclose personal information to a foreign person or entity ('B') in compliance with the IPPs where one of the specific requirements set out in IPP 12 applies. These include:

  • where the individual concerned has authorised such a transfer to B, after having been expressly informed by A that safeguards comparable to those in New Zealand (under the 2020 Act) may not apply;
  • B is carrying on business in New Zealand and A believes on reasonable grounds that B is subject to the 2020 Act;
  • A believes on reasonable grounds that B is:
    • subject to privacy laws that, overall, provide comparable safeguards to the 2020 Act;
    • a participant in a 'prescribed binding scheme', meaning regulations which the Governor General, by Order in Council, may make upon the recommendation of the Minister, where the Minister is satisfied that the relevant binding scheme requires a foreign person or entity to protect personal information in a way that, overall, provides comparable safeguards to those under the 2020 Act; or
    • subject to the privacy laws of a 'prescribed country', being a country that, following a process similar to that set out above, is considered to provide comparable safeguards to those under the 2020 Act; or
  • A otherwise believes on reasonable grounds that B is required to protect the information in a way that, overall, provides comparable safeguards to those in the 2020 Act, for example, pursuant to an agreement between A and B.

Note that the OPC has the right to prohibit a transfer of personal information from New Zealand to another country if it is satisfied on reasonable grounds that there will not be comparable safeguards in place or if it would contravene basic principles of national application as per the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (repeated in Schedule 8 of the 2020 Act).

A key development from the previous legislation is that the 2020 Act now clarifies that where an overseas service provider is engaged by a New Zealand agency, that service provider will be required to comply with New Zealand privacy laws.

In some instances, however, disclosure to an offshore data storage provider (or any other service provider which holds personal information overseas on behalf of the principal entity) will not be considered to be an 'offshore' disclosure for the purposes of the 2020 Act (or, in fact, a disclosure at all), so long as the offshore service provider does not use the applicable personal information for its own purposes. In our view, the reason for this is that many major cloud service providers do not have data centres in New Zealand.

This exception, set out in Section 11(5) of the 2020 Act, provides that the transfer of personal information by an agency ('B') to another agency ('A') for A to hold or process on B's behalf (as described above) does not constitute a disclosure or use of the information by B, and that the transfer back to B, by A, of that information and any information derived from processing it is not a use or disclosure of the information by A, provided that A does not use or disclose the information for its own purposes.

7.3. Data processing records

While there is no specific requirement to keep records of processing activities under the 2020 Act, in practice, we would expect agencies to keep appropriate records, particularly in respect of health information or direct marketing consent, to be able to establish compliance if (for example):

  • an investigation by the OPC was conducted;
  • a notifiable privacy breach occurred, and the agency needed to be able to comply with its obligations; or
  • an individual wished to exercise their rights of access to, or correction of, information.

Similarly, agencies have an obligation to keep personal information up-to-date, which would be difficult if no records are kept. The OPC publishes useful guidance around demonstrating compliance with the IPPs.

7.4. Data protection impact assessment

While privacy impact assessments ('PIAs') are not mandatory under the 2020 Act, they are a useful exercise for agencies to understand whether they are meeting their obligations under the 2020 Act, particularly when undertaking a novel use of personal information. To assist in determining whether a PIA may be appropriate, the OPC recommends that organisations conduct a threshold assessment or 'Brief Privacy Analysis', for which the OPC provides a template in its PIA Toolkit. From this initial analysis, the agency can consider whether or not a full PIA is required and why.

The OPC recommends that a PIA is undertaken where, for example, there is a project which may involve personal information about identifiable individuals, surveillance or intrusion into a person's space or bodily privacy, a substantial change to an existing process or system that involves personal information, or a change in the way personal information is stored or secured. It should be regularly refreshed as privacy risks or the regulatory context changes.

7.5. Data protection officer appointment

The 2020 Act requires every agency to appoint a 'privacy officer' (either from within or outside the agency) unless the agency is an individual collecting and holding personal information solely for the purposes of, or in connection with, the individual's personal or domestic affairs.

A privacy officer is responsible for encouraging the agency to comply with the IPPs, dealing with requests made under the 2020 Act, assisting with any investigations by the OPC, and ensuring the agency complies with the provisions of the 2020 Act. The OPC suggests that the person responsible will depend on the size and type of organisation; for example, larger organisations may require a dedicated privacy officer, while others may be able to appoint an individual who is more generally in charge of legal or HR-related compliance duties (please see Your Responsibilities - Privacy Officers for more information). Whilst under the 2020 Act there are no specific criteria for who qualifies for appointment as a privacy officer, the OPC recommends that the appointed privacy officer:

  • is familiar with the 2020 Act and other relevant legislation;
  • is responsible for dealing with complaints;
  • trains staff how to deal with privacy properly;
  • advises managers on ensuring business practices align with privacy requirements (as such requirements change over time); and
  • acts as the organisation's liaison with the OPC.

7.6. Data breach notification

A mandatory reporting requirement was introduced under the 2020 Act, meaning that agencies are now required to report privacy breaches where it is reasonable to believe that such a breach poses a risk of serious harm to an affected individual, or is likely to do so (except where a specific limited exception applies - see below).

A notifiable privacy breach occurs where there has been:

  • unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information; or
  • an action that prevents the agency from accessing the information on either a temporary or permanent basis,

in each case where it is reasonable to believe that the breach has caused serious harm to an affected individual or individuals, or is likely to do so. It does not matter whether the affected individual(s) are inside or outside New Zealand.

The OPC Guidance on Privacy Breaches states that examples of serious harm would include:

  • physical harm or intimidation;
  • financial fraud, including unauthorised credit card transactions or credit fraud; or
  • family violence, or psychological or emotional harm.

To date, no guidance has been released from the OPC as to how to determine whether it is 'reasonable to believe' that a breach may cause 'serious harm'. Using guidance published by the Australian counterpart to the OPC (the Office of the Australian Information Commissioner ('OAIC')), which currently has a similar regime in place, we expect that this may constitute an 'objective assessment, determined from the viewpoint of a reasonable person in the entity's position'. In the same way, interpretation of 'or is likely to do so' could rely on the position outlined by the OAIC, in respect of the similar 'likely to occur' contained in the Australian law. The OAIC suggests that this means 'more probably than not (rather than possible)'.

The 2020 Act sets out factors the agency must consider when assessing the likelihood of serious harm being caused by a privacy breach, which include:

  • any action taken by the agency to reduce the risk of harm following the breach;
  • whether the personal information is sensitive in nature;
  • the nature of the harm that may be caused to affected individuals;
  • the person or body that has obtained or may obtain personal information as a result of the breach (if known); and
  • whether the personal information is protected by a security measure.

A guidance note released by the OPC, plus the 'Notify Us' tool available on the OPC's website, are intended to help agencies assess whether or not notification is required, and may help with the assessment of the likelihood of serious harm occurring.

If the breach meets the definition of 'notifiable privacy breach' as described above, the agency must report the breach to (a) the OPC and (b) each affected individual (subject to the exemptions and permitted delays set out below), as soon as practicable after becoming aware that a notifiable privacy breach has occurred. In this regard, it will not matter whether the breach is:

  • caused by a person inside or outside the agency;
  • attributable (in whole or part) to any action by the agency; or
  • ongoing.

The OPC has released guidance on its website which suggests that, unless there are extenuating circumstances, the OPC should be notified of a notifiable privacy breach within 72 hours. If it is not reasonably practicable to give an affected individual notice, the agency must give public notice of the breach in accordance with the 2020 Act, unless an exemption applies, or a delay is permitted.

Exemptions

Certain exemptions allow an agency not to notify an affected individual, or give public notice of a notifiable privacy breach, where the agency believes on reasonable grounds that the notification or notice would be likely to:

  • prejudice security or defence, or international relations;
  • prejudice maintenance of the law by any public sector agency;
  • endanger the safety of any person; and/or
  • reveal a trade secret.

Further, neither notification of the affected individual nor public notice (relating to that individual) is required where:

  • the individual concerned is under the age of 16 and the agency believes notification would be contrary to that individual's interests; or
  • after consultation by the agency with the individual's health practitioner (where practicable), the agency believes the notification or notice would be likely to prejudice the health of the individual. Additional provisions apply where this exemption is relied upon, including requiring the agency to consider whether it is appropriate to notify a representative of that individual instead of the individual themselves. A 'representative' in the context of this section of the 2020 Act means, in respect of someone under the age of 16, a parent or guardian, and in respect of someone aged 16 or over, an individual appearing to be lawfully acting on that individual's behalf or in that individual's interest.

Note that Section 116(5) of the 2020 Act imposes a reasonableness requirement, whereby the agency must 'believe on reasonable grounds' that the relevant exemption applies.

Delay in notification

Agencies are permitted to delay notifying an individual (or representative) or delay giving public notice of a notifiable privacy breach (but note that they may not delay notifying the OPC), only:

  • where the agency believes on reasonable grounds, that a delay is necessary because notification or public notice may have risks for the security of personal information held by the agency and those risks outweigh the benefits of informing affected individuals; and
  • for a period during which the agency believes on reasonable grounds those risks continue to outweigh those benefits.

Sector obligations

The above requirements apply across all sectors. The assessment as to whether a breach is 'notifiable' may differ based on sectoral concerns. For example, a breach involving health information may more easily meet the threshold of 'serious harm' compared to other types of data.

7.7. Data retention

Personal information may not be kept indefinitely. IPP 9 requires agencies not to retain personal information for longer than is necessary for the purposes for which it may lawfully be used. Provided there is an ongoing legal purpose for retaining the personal data, the agency may continue to do so. However, once no such legal purpose exists, the personal data must be erased (or properly de-identified).

7.8. Children's data

IPP 4 expressly states that an agency may only collect personal information by means which, in the circumstances of the case (particularly where personal information is being collected from children or young people), are fair and do not intrude to an unreasonable extent upon the personal affairs of the individual concerned. This means that agencies should take particular care when they collect information from children. Note that the 2020 Act does not define the age until which a person is considered a child, but we consider this would likely be 16 years old.

This is because there is also a ground for refusing a request for information by, or on behalf of, an individual under the age of 16, where it would be contrary to the child's interests for the information to be released. The Privacy Commissioner has suggested that agencies should take a 'practical approach' when considering how to treat personal information relating to children, particularly where the children are not old enough to act on their own behalf. In such cases, it may be appropriate to treat the child's parent or guardian as their representative.

It is also of note that the Health Code provides for parents and guardians of individuals (under the age of 16) to request their child's health information, although this does not apply to personal information more generally. There are withholding grounds which apply, so a request may not be granted in every case. The OPC announced in September 2023 that it is opening consultation on the children and young person's privacy project, pursuant to which the OPC will consider whether it should recommend any changes to the 2020 Act, or issue any additional guidance to ensure appropriate protections are being afforded to children and young people's data.

7.9. Special categories of personal data

As referenced in the Key Definitions section above, some criminal records may be subject to specific protection under the Criminal Records Act. Otherwise, the 2020 Act contains no specific provisions for special categories of personal information.

Health information is governed by the specific provisions of the Health Code, and may only be processed for the purposes set out within that code. Similarly, the other codes provide for specific treatment of other types of information (such as credit reporting information under the Credit Reporting Privacy Code), but this is outside the scope of this Guidance Note.

For completeness, we note that the IPPs clarify that information may only be collected to the extent it is reasonably necessary for the purpose for which it is collected (IPP 1). This, combined with the IPPs' requirements to only collect personal information to the extent it is lawful and fair (see IPP 4), may provide a natural restriction on the use of more 'sensitive' personal data.

Employment

There are few additional requirements with respect to processing information relating to employees or employment. In practice, we would expect most agencies to maintain employee privacy notices, setting out the purposes for which employees' information is used. A lawful purpose is required as with other personal information, and generally employers can only collect personal information about employees for valid work-related purposes, or where directed to by law. The same data subject rights apply in respect of employees (e.g. access to, or correction of, personal information).

Note that the 2020 Act specifically states that personal information is considered to be held by an agency if it is held by an employee (or officer or member) of that agency in their capacity as employee (or officer or member) of that agency (subject to specified exceptions). There are also provisions relating to liability (or excusal from) with respect to employees in relation to notifiable privacy breaches.

Use of unique identifiers

IPP 13 (previously IPP 12 under the 1993 Act) prohibits an agency ('A') assigning a unique identifier (being a means of identifying a specific individual other than their name) to an individual which, to its knowledge, is the same unique identifier as has been assigned to that individual by another agency ('B'), except in specific circumstances, being:

  • where A and B are associated persons within the meaning set out in the Income Tax Act 2007; or
  • the unique identifier is used by A for statistical and research purposes only.

Note that there are some further restrictions on the use of Government mandated unique identifiers. For example, an individual's 'NHI' number (national health index), may only be used by agencies which are approved to use that number in accordance with the Health Code (such agencies are named in Schedule 2 to the Health Code).

7.10. Controller and processor contracts

As above, a 'data processor' is not clearly defined in the 2020 Act, but we understand it to be an agency that processes personal information on behalf of another agency, and not for its own purposes. However, the IPPs (and the primary rights and responsibilities under the 2020 Act) are drafted in such a way as, in most cases, to apply to all agencies, regardless of whether they are dealing with personal information on their own behalf or on behalf of others. Please see the Principles section above.

As outlined above, there is generally no separation of data controllers and data processors in New Zealand. Regardless, it is usually recommended that any third-party service provider arrangement (or any other data-sharing arrangement) is documented. Such an agreement should detail responsibilities with respect to notifiable privacy breaches and responding to data subject requests, as well as compliance with the 2020 Act. See also the Data transfers section above, regarding agreements between two entities in respect of the transfer of personal information outside of New Zealand.

8. Data Subject Rights

8.1. Right to be informed

As referenced above, under IPP 3 the agency collecting the personal information in question has, except where an exception applies, the obligation to make the individual concerned aware of the fact that their information is being collected, the purposes of collection, the intended recipients, the name and address of the agency collecting and the agency holding the personal information, the law (if any) under which the personal information is collected (and whether providing it is voluntary or mandatory), the consequences (if any) if the personal information is not provided, and the rights of access to and correction of such information. Typically, such information is provided in the form of a privacy policy. If the way the agency deals with the information changes, the agency should update the individual concerned.

8.2. Right to access

The right to access information - the right to both:

  • confirmation as to whether (or not) an agency holds information about that person; and
  • access to such personal information, where such personal information may be readily retrieved.

8.3. Right to rectification

The right to correction of information - the right to request correction of information. The agency must, on request or of its own initiative, take steps that are reasonable in the circumstances to ensure (having regard to the purposes for which the information may lawfully be used), the information is accurate, up to date, and not misleading.

8.4. Right to erasure

There is no 'right to be forgotten' or 'right to erasure' in New Zealand. It is arguable that an individual may request their information to be corrected (as described above), and such a correction may constitute deletion of information, but this is not typically what is thought of when referring to a right to be forgotten. However, of note in this area is the Harmful Digital Communications Act 2015, which aims to deter, prevent, and mitigate harm to individuals caused by digital communications (often known as 'cyber-bullying'), and to provide victims with efficient means of redress. This can involve a court takedown order, requiring harmful digital communications to be removed.

8.5. Right to object/opt-out

There is no express right to object to processing in New Zealand. If the information has yet to be provided by the individual, they may refuse to provide the relevant information (provided it is being collected directly), or otherwise complain of an interference with privacy to either the OPC or the agency itself.

Object to direct marketing

While there is not a specific right to object to direct marketing under the 2020 Act, it is worth noting that the Unsolicited Electronic Messages Act 2007 ('UEMA') prohibits the sending of unsolicited commercial electronic messages (such as SMS or email) for direct marketing purposes. Additionally, under the Telecoms Code, telecommunications information may only be used for direct marketing if the individual has authorised the use of their information for direct marketing and has been advised that such authorisation may be withdrawn at any time (Rule 10 of the Telecoms Code).

8.6. Right to data portability

Note that there is no broad right to data portability in New Zealand. For completeness, there is 'number portability' whereby local and mobile numbers may be transferred, which is regulated under different legislation outside the scope of this Guidance Note (the Telecommunications Act 2001). In addition, the draft Customer and Product Data Bill referenced above may change this position.

8.7. Right not to be subject to automated decision-making

The 2020 Act does not specifically address automated decision making. There are provisions around information matching, although these relate only to the public sector; they require that certain controls be put in place before information matching can occur.

8.8. Other rights

In September 2023, a new Privacy Amendment Bill ('the Amendment Bill') was introduced into Parliament. The Amendment Bill seeks to increase transparency around the collection of personal information and how it is used. At the moment, there is no requirement for an agency (whether public or private) to notify an individual when it indirectly collects personal information about that individual. The Amendment Bill seeks to address this and, if passed, will impose a requirement on agencies to notify individuals of indirect collection unless an exception applies. Public submissions on the proposed changes are likely to be invited in 2024.

9. Penalties

Fines for offences under the 2020 Act have been raised to NZD 10,000 (approx. $5,980). It is possible that further reform will happen in this area, as the OPC (as part of the consultation process in respect of the 2020 Act) had proposed maximum penalties of NZD 100,000 (approx. $59,800) for individuals and NZD 1 million (approx. $598,000) for corporations.

Criminal offences

The 2020 Act creates new criminal offences (vis-à-vis the 1993 Act) of:

  • misleading an agency to obtain access to someone else's personal information; and
  • destroying a document containing personal information, knowing that a request has been made for it.

Notifiable privacy breach

Failure to notify an affected individual of a notifiable privacy breach, or give public notice of a notifiable privacy breach in accordance with the 2020 Act (where required), may be considered an 'interference with privacy,' and therefore eligible for a complaint to the OPC under the 2020 Act.

Complaints to the OPC/Human Rights Proceedings/HRRT

On receipt of a complaint, or of its own initiative, the OPC can decide whether or not to investigate a complaint, and/or whether to refer (part or all of) the complaint to another person, which may include an overseas privacy enforcement authority. The OPC implemented a 'naming policy' in 2014 as a deterrent, where it can reveal names of organisations that have breached the law (in that case, the 1993 Act).

The OPC may use its powers to explore the possibility of settlement and assurance with or without investigating a complaint, and/or refer a complaint to the Director of Human Rights Proceedings. The Director may choose to refer the matter to the HRRT. The HRRT may award damages in respect of the interference with the privacy of an individual to appropriately compensate them for the humiliation, loss of dignity, and injury to feelings caused by serious breaches, as well as the loss of any benefit (monetary or other) that the individual might reasonably have expected to obtain if the interference had not occurred.

The HRRT is able to award damages to a maximum of NZD 350,000 (approx. $209,220). If the OPC believes that there is no substance to a complaint submitted to it and dismisses it, the complainant may still be able to file proceedings with the HRRT (a separate body). However, under the 2020 Act, in some situations a decision by the OPC is final and no proceedings may be commenced in the HRRT by the parties in respect of that determination.

A key change introduced by the 2020 Act is the ability for individuals to commence class actions in the HRRT. Now, in certain specified circumstances, including where the Director of Human Rights Proceedings or the OPC decides not to further investigate a complaint or commence proceedings (as the case may be), a representative lawfully acting on behalf of a class of aggrieved individuals may commence proceedings in the HRRT.

Specific time periods apply within which proceedings to the HRRT must be commenced (whether by class action or otherwise); however, the Chairperson of the Human Rights Review Tribunal may agree to extend such periods if satisfied that 'exceptional circumstances' prevented proceedings being commenced within the specified timeframe.

Other enforcement actions

Agencies commit an offence and are liable on conviction to a fine not exceeding NZD 10,000 (approx. $5,980) for the following offences:

  • failure to comply with an 'access order', which is granted where an agency fails to comply with an access direction and an aggrieved individual successfully applies to the HRRT for an access order requiring the agency to comply with the access direction;
  • failure to notify the OPC of a notifiable privacy breach (note that it is not clear from the legislation whether 'a breach' is calculated on the basis of the number of individuals involved or the breach as a singular event);
  • failure to comply with a 'compliance notice' issued by the OPC, where the OPC has successfully brought enforcement proceedings against the agency in the HRRT (as referenced above, a compliance notice is a new power under the 2020 Act allowing the OPC to require an agency to do, or stop doing, something); and
  • failure to comply with a transfer prohibition notice, which is a notice prohibiting the transfer of personal information from New Zealand to another country.

There are also additional offences relating to the obstructing or hindering of the exercise of powers under the 2020 Act, giving false or misleading statements, impersonating other individuals in order to obtain access or changes to that person's information, or representing authority while not holding such authority.

Note that various other sanctions may apply to improper use of information under other legislation, but we have only covered the 2020 Act for the purposes of this Guidance Note. For example, under the Crimes Act 1961, criminal penalties are available in respect of the unlawful interception of private communications, as well as certain unlawful monitoring and surveillance activities.

Further reform

As stated above, the OPC was seeking for the 2020 Act to have bigger 'teeth' in terms of enforcement. The increase of fines from the old 1993 Act from NZD 2,000 (approx. $1,200) to NZD 10,000 (approx. $5,980) is much less of a deterrent than it seems that the OPC was hoping for. It remains to be seen whether this, combined with other potential 'gaps' in the new legislation (such as the right to data portability and the right to erasure), leaves New Zealand's adequacy decision on solid ground.

9.1 Enforcement decisions

According to its 2022 Annual Report, the OPC received 657 privacy breach notifications, up from 544 notifications the year before, and received 486 complaints, down from 561 in 2020-2021. In the first half of the 2022-2023 financial year, the OPC received 207 privacy breach notifications which met the serious harm threshold, a 41% increase from the 147 such notifications received in the previous year. In particular, the following recent decisions are of note:

  • In 2023, the OPC received several complaints about property ownership information published on WhatDoesMyLandlordOwn.org.nz (WDMLO). The complaints concerned inaccurate identification of the individuals who owned the properties. WDMLO obtained a licence to use publicly available information from the Toitū Te Whenua Land Information New Zealand (LINZ) Data Service and combined two different data sets available from LINZ. The information published by WDMLO included full names and private physical addresses, and identified how many other properties the person owned. The complainants reported emotional and reputational harm. The OPC found that the algorithm used by WDMLO to combine the data sets caused individuals to be identified as owners of properties when they were not, and consequently found WDMLO in breach of IPP 8. The OPC was not satisfied by the steps taken to address this issue. WDMLO's LINZ licence was subsequently revoked.
  • In 2022, a complaint was made by an employee ('Employee 1') to his employer about the behaviour of a colleague ('Employee 2'). The employer instructed an independent investigator to investigate and produce a report. Each employee asked their trade union to support them throughout, but Employee 1 was aggrieved because he received less financial support than Employee 2. The trade union delivered its own report on the levels of financial support that both employees received during the investigation, but in doing so included a copy of the employer's investigation report with its findings into Employee 1's original complaint. Employee 1 complained to the OPC. The OPC advised that the trade union's use of the employment dispute report was not directly related to the purpose for which it obtained the report, contrary to IPP 10. Further, the OPC was satisfied that the breach of this principle caused Employee 1 emotional harm.
  • Also in 2022, Person A complained to the OPC after the police refused to provide them with copies of comments made by their former partner ('Person B') about them. Person B had been interviewed by the police when Person A applied for a firearms licence, because they were in a relationship at the time. Person A wanted a copy of the notes to be used in a family court proceeding in which Person B had raised criminal allegations. The police refused to release the information. Person A complained to the OPC, alleging a breach of IPP 6, which gives individuals the right to request access to their own personal information held by an agency. However, this right is not absolute, and the OPC agreed with the police that in the circumstances the release of the information would (i) be likely to cause significant distress to Person B; (ii) be an unwarranted disclosure of Person B's information; and (iii) be likely to prejudice the maintenance of the law, given that Person B gave the information during a police interview.
  • In 2021, the OPC issued its first compliance notice under the 2020 Act to the Reserve Bank of New Zealand. The compliance notice was issued as a result of a cyber-attack on the bank in December 2020, causing a significant breach of one of the bank's security systems. The Privacy Commissioner stated that the security breach "raised the possibility of systemic weakness in the bank's systems and processes for protecting personal information". An independent review revealed multiple breaches of IPP 5, which requires agencies that hold personal information to have reasonable security safeguards in place to protect it. The purpose of the compliance notice was to ensure that the bank reported to the OPC demonstrating improvements to its privacy policies and procedures in order to make its systems more secure. The Reserve Bank made the changes recommended by the OPC, and on September 1, 2022 the OPC announced the closure of this compliance notice.