COVID-19 response

If you are looking for the latest legal information relating current Coronavirus laws in New Zealand, check out our new section: Coronavirus and the Law.

Communtity Law Manual | Privacy & information | Overview of the privacy and information laws

Privacy and information

Overview of the privacy and information laws

A new Privacy Act in 2020

A new Privacy Act comes into force on 1 December 2020. Some of the main changes under the new law are that:

  • agencies must report privacy breaches that cause, or are likely to cause, serious harm (like being hacked) to the Privacy Commissioner and have to tell the people affected
  • the Privacy Commissioner can issue compliance notices to make an agency do or stop doing something. Failure to comply could result in a penalty of up to $10,000
  • New Zealand agencies will have to take reasonable steps to make sure that personal information they send overseas is protected by privacy standards as high as NZ standards
  • the new law applies to businesses whether or not they have a legal or physical presence in New Zealand. This means that international companies carrying on business in New Zealand and holding New Zealanders’ personal information, have to comply with New Zealand law no matter where they or their servers are based.

In this chapter we refer to both the existing Privacy Act 1993 and the new Privacy Act 2020 (effective 1 December 2020). We will cover these changes in more detail in future editions of the manual.

What kinds of information does the Privacy Act apply to?

Privacy Act 1993, s 2; Privacy Act 2020, s 7

The privacy and information rules in the Privacy Act apply only to information about identifiable individual people (but not people who are now dead). The Act calls this “personal information”, using the word “personal” to indicate that it’s information about any individual person, not that it’s particularly private or sensitive information. The Act doesn’t apply to information about organisations – like companies, incorporated societies or charitable trusts.

Privacy Act 1993, s 56; Privacy Act 2020, s 30

The Act also doesn’t apply to information that you collect or keep about someone else for personal, family or household use – for example, when you collect and keep friends’ names and addresses in a personal cell phone, or when you use or give out (“disclose”) that information. So if you give out a friend’s contact details to a third person, you’re not breaching the Privacy Act.

However, this exemption doesn’t protect you when you collect, use or give out the information if this would be highly offensive to an ordinary reasonable person. This new limit to the exemption was introduced in 2015, to stop the exemption from protecting people for things like “revenge porn”.

Privacy Act 1993, s 54; Privacy Act 2020, s 30

The rules in the Privacy Act don’t apply if the Privacy Commissioner has authorised the collection, use or disclosure of information.

Who has obligations under the Privacy Act?

All organisations, businesses and individuals, whether in government or the private sector, must follow the rules in the Privacy Act. So the Act covers, for example, government departments, companies of all sizes, religious groups, schools and clubs. (In setting out the different privacy rules, the Act uses the word “agency” as a general term to refer to all bodies and individuals that have to follow those rules.)

Privacy Act 1993, s 2; Privacy Act 2020 ss7, 8

There are a few organisations and individuals that are exempt from the rules in the Privacy Act. Other rules govern how they manage personal information. Organisations and individuals that are exempt include:

  • the news media, when they’re involved in news activities (such as producing TV programmes, or publishing newspaper articles or letters to the editor). Complaints about the news media are made to the Broadcasting Standards Authority, the New Zealand Press Council or the courts.
  • members of Parliament acting in their official capacity. Complaints about Members of Parliament are dealt with by Parliament or political parties.
  • courts or tribunals when they’re carrying out their judicial functions
  • the Ombudsmen.

How is the Privacy Act affected by other laws?

Privacy Act 1993, s 7; Privacy Act 2020 s 5

Other laws can authorise an organisation or individual to do something that would otherwise breach the Privacy Act. For example, section 15 of the Oranga Tamariki Act 1989 allows anyone to report suspected child abuse to Oranga Tamariki / Ministry for Children (which has replaced Child, Youth and Family) or to the police, without breaching the rules about disclosing personal information.

back to top
Page Reader Press Enter to Read Page Content Out LoudPress Enter to Pause or Restart Reading Page Content Out LoudPress Enter to Stop Reading Page Content Out LoudScreen Reader Support