The Privacy Act 2020

Important Legislation

24 June 2025 (Last updated 28 July 2025)

The Privacy Act 2020 governs how organisations can collect, store, use and share your information.

The Privacy Act 2020 came into effect on 1 December 2020, replacing the Privacy Act 1993. The Act has Privacy Codes of Practice that have privacy rules for personal information in specific areas such as health, telecommunications, and credit reporting.

Changes to the 1993 Act

While the core principles remain similar, the 2020 Act focuses on strengthening individual privacy protections in light of today's information landscape and brings NZ regulations closer to international standards. Some of the key changes are:

  • The Privacy Act 2020 applies globally. Any company doing business in New Zealand, regardless of location, must comply with the regulations for handling personal information of New Zealand residents.
  • There is now a requirement for organisations to report privacy breaches that could cause serious harm to individuals.
  • A new principle emphasizes the importance of taking steps to avoid privacy risks before they occur.
  • The Commissioner has greater authority to investigate complaints, issue directions, and enforce compliance with the Privacy Act.

The Privacy Act for employers

The Privacy Act has 13 privacy principles that govern how businesses should collect, handle and use personal information.

The principles are:

  • Principle 1 - Purpose for collection
  • Principle 2 - Source of information - collection from the individual
  • Principle 3 - What to tell the individual about collection
  • Principle 4 - Manner of collection
  • Principle 5 - Storage and security of information
  • Principle 6 - Providing people access to their information
  • Principle 7 - Correction of personal information
  • Principle 8 - Ensure accuracy before using information
  • Principle 9 - Limits on retention of personal information
  • Principle 10 - Use of personal information
  • Principle 11 - Disclosing personal information
  • Principle 12 - Disclosure outside New Zealand
  • Principle 13 - Unique identifiers

Enforcing the Act

The Office of the Privacy Commissioner (OPC) enforces the Privacy Act. The OPC monitors compliance through audits and advocates for stronger privacy protections. Complaints can be filed with them if anyone suspects mishandling of information. In serious cases, the OPC can issue fines or enforce access to information.

The role of the Privacy Commissioner

The Privacy Commissioner administers the Privacy Act 2020 and oversees a number of key tasks under it. For employers, the responsibility most likely to bring the Commissioner into your workplace is the investigation of complaints about privacy breaches. If an employee becomes aware that their data has been shared or is being managed poorly, you may expect a visit or a phone call from the Privacy Commissioner.

The Privacy Commissioner can also issue compliance notices, requiring organisations to take specific actions to address breaches and improve privacy practices.

Is the Privacy Act applicable to my business?

The Privacy Act applies to any person, organisation, or business (referred to in the legislation as an 'agency'), whether in the public sector or the private sector, that collects and holds personal information about other people. Agencies include:

  • government departments and agencies
  • companies
  • small businesses
  • social clubs
  • charities, societies, and community groups
  • other types of organisations

An individual acting in their personal or domestic capacity is not an agency.

Personal information includes anything that can identify an individual, such as names, addresses, emails, phone numbers, and even opinions about them.

Your business doesn't even need to be physically located in New Zealand. As long as you're collecting information from individuals in New Zealand, the Privacy Act may apply.

There are exceptions to the Act. The Privacy Act does not apply to:

  • courts and tribunals when they are doing their judicial tasks
  • news media when they are gathering and reporting news
  • Members of Parliament (MPs) when they're acting in an official capacity

Privacy policy

The Privacy Act strengthens privacy controls by requiring organisations to be upfront about handling personal information. You will need to have a clear privacy policy and include certain elements such as:

  • Reason for collecting data - be transparent about the purpose of collecting personal information
  • Individual rights - clearly describe the rights individuals have under the law, such as accessing and correcting their information
  • Data sharing - inform consumers if their data is shared with third parties

Handling personal information

Employers often have access to personal and confidential information about their employees. It is important to ensure that you have certain practices around handling personal information such as:

  • storing the information securely
  • only requesting information that is necessary for the business, such as name and contact details
  • allowing employees to request and view their personal information
  • informing individuals about the information being collected from them and the reasons behind the collection
  • notifying individuals if any personal information is stored or transmitted overseas

Requests for personal information

If an employee requests access to personal information, you must provide it. Principle 6 of the Privacy Act gives people the right to request access to their information. But it is important for business owners and employers to note that people are only able to request information about themselves. The Privacy Act does not allow for information to be requested about another person unless:

  • there is written permission for the information to be sought
  • the person is acting on behalf of the person whose information is being requested

Privacy breaches

A privacy breach occurs when an organisation or individual either intentionally or accidentally:

  • provides unauthorised or accidental access to someone's personal information
  • discloses, alters, loses or destroys someone's personal information

A privacy breach also occurs when someone is unable to access their personal information due to their account being hacked.

Under the Privacy Act 2020, if your organisation has a privacy breach that has caused, or is likely to cause, anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as practicable.

What is serious harm?

The unwanted sharing, exposure or loss of access to people's personal information may cause individuals or groups serious harm. Some types of information are more sensitive than others and are therefore more likely to cause people serious harm if mishandled.

Examples of serious harm include:

  • physical harm or intimidation
  • financial fraud including unauthorised credit card transactions or credit fraud
  • family violence
  • psychological or emotional harm

Best practices for NZ companies

To stay aligned with NZ privacy laws and build trust with your consumers, businesses should consider implementing best practices such as:

  • regularly reviewing and updating privacy policies
  • training staff in recognising privacy breaches and understanding privacy obligations
  • ensuring third-party providers comply with New Zealand's privacy standards

Breaching the Act

A data breach can lead to many consequences, depending on the severity of the breach. The Act allows fines of up to NZD 10,000 for failing to notify the Privacy Commissioner about a serious privacy breach. Individuals affected by the breach may also sue the company for compensation.

Sound privacy policies can limit the Commissioner's involvement in your workplace and help employees feel more confident in your management. For help with policies to improve privacy in your workplace, call Peninsula on 0800234036.

The information in the above article has been compiled on the basis of general information current at the time of publication. Please note that the contents of this article and website do not constitute legal advice and are not intended to be a substitute for legal or other professional advice and should not be relied upon as such. Your specific circumstances or changes in circumstances after publication may affect the completeness or accuracy of this information. You should seek legal advice or other professional advice in relation to any particular matters you or your organisation may have. To the maximum extent permitted by law, we disclaim all liability for any errors or omissions contained in this information or any failure to update or correct this information. It is your responsibility to assess and verify the accuracy, completeness, currency and reliability of the information on this website, and to seek professional advice where necessary. Nothing contained on this website is to be interpreted as a recommendation to use any product, process or formulation or any information on this website. For clarity, Peninsula does not recommend any material, products or services of any third parties. 