What is the New Zealand Privacy Act?
The New Zealand Privacy Act, or the Privacy Bill for short, is a comprehensive data privacy law that was passed in New Zealand in 2020. The Privacy Bill both repeals and replaces the existing New Zealand Privacy Act of 1993, creating legislation that addresses new privacy concerns that have arisen in the current digital age. In line with other privacy laws that have been passed around the world in recent years, such as the California Privacy Rights Act or CCPA and the EU General Data Protection Regulation or GDPR, New Zealand’s Privacy Bill sets forth specific requirements that businesses, individuals, and organizations alike must adhere to when collecting, accessing, using, or disclosing the personal data and information of New Zealand residents.
What is the application and scope of New Zealand’s Privacy Bill?
All agencies, businesses, organizations, and individuals who collect, use, or disclose the personal data or information of New Zealand residents must maintain compliance with the Privacy Bill during the course of their operations. What’s more, the law also contains extraterritorial jurisdiction, mandating that overseas and international companies who conduct business within New Zealand also adhere to the law’s principles and regulations. However, the following parties are exempt from the protections of the Privacy Bill:
- The news media.
- Members of the New Zealand Parliament.
- The Governor General.
- Ombudsmen and the courts.
In addition to governing the information that businesses, individuals, and organizations collect from New Zealand citizens, the New Zealand Privacy Act covers all forms of personal information that may be shared or transferred within New Zealand, including information that businesses and organizations gather from their own employees.
What are the requirements for businesses and organizations under the Privacy Bill?
New Zealand’s Privacy Bill establishes various principles regarding data privacy that businesses and organizations within the country must adhere to when collecting personal data or information from citizens. These principles include the following:
- The purpose of collection of personal information– An agency is only permitted to collect the personal information of New Zealand citizens when said information is needed to fulfill a specific purpose in relation to said agency.
- Source of personal information– Agencies must collect personal information directly from the person concerned. However, there are exceptions to this rule, such as when the person concerned otherwise agrees or their information is already publicly available.
- Collection of information from subject– Agencies must take reasonable efforts to ensure that all data subjects are aware that their data is being collected, what their data will be used for, whether the supply of such information is voluntary or mandatory, the consequences of refusing to provide said information, as well as the data subject’s right to both access and correct their personal information.
- Manner of collection of personal information– Agencies are not permitted to collect personal information from data subjects in a manner that is intrusive, unlawful, or unfair. Additionally, agencies who collect personal information from young people or children may do so only if the manner in which they collect said information is fair, given the circumstances in which such information is collected.
- Storage and security of personal information– Agencies must ensure that the information of data subjects is protected from loss, unauthorized access or disclosure, or misuse.
- Access to personal information– In instances where personal information can be readily retrieved, data subjects are entitled to confirmation of whether their information is being held by a particular agency, as well as the right to access said information. There are two exceptions to this rule: instances in which disclosure of personal information would prevent the detection of a criminal offense, and instances in which disclosure would involve the breach of another individual’s privacy.
- Correction of personal information– Data subjects are permitted to request that personal information concerning them that is being held by an agency be corrected. When agencies refuse such requests, the data subject in question is permitted to request that their information be tagged, with a statement explaining that correction was sought but refused.
- The accuracy of personal information must be checked before use– Agencies must not use the information of a data subject without first taking reasonable steps to ensure that said information is accurate, complete, up to date, relevant, and not misleading.
- Agencies may not keep information for longer than is necessary– Agencies must not keep the personal information of data subjects for longer than is necessary to fulfill the function for which said information was collected.
- Limits on use of personal information– Information that is collected from a data subject for one purpose may not be used for any other purpose. There are exceptions to this rule, such as when a data subject has authorized the further use of their personal information, or in instances when said information has been sourced from publicly available publications.
- Limits on the disclosure of personal data– The personal information of data subjects may not be disclosed, except in certain circumstances. These circumstances include instances in which the disclosure of personal information is directly related to the purpose for which said information is collected, or when the disclosure has been authorized by the data subject concerned.
- Disclosure of personal information outside of New Zealand– Agencies may only disclose the personal information of data subjects in other countries in which laws similar to New Zealand’s Privacy Act are also in place. The only exception to this is when the data subject concerned has been informed that their information will not be protected in accordance with New Zealand law, but has nevertheless expressly consented to such disclosure.
- Unique identifiers– Agencies are prohibited from assigning a unique identifier to an individual, unless doing so is necessary for said agency to carry out its functions efficiently. When agencies do make use of unique identifiers, they are also prohibited from using a unique identifier that has already been assigned to an individual by another agency, except for certain taxation purposes. Agencies must take reasonable steps to ensure that unique identifiers are not misappropriated or misused.
- Mandatory data breach notifications– Agencies are responsible for reporting data breaches to all individuals affected, as well as the Privacy Commissioner, if said breaches have the potential to cause serious harm to data subjects involved.
What are the penalties for violating the New Zealand Privacy Act?
The New Zealand Privacy Act is enforced by the Privacy Commissioner, and businesses and organizations that are found to be in violation of the law are subject to monetary penalties of up to $10,000 per offense. Furthermore, misleading an agency to gain access to another individual’s personal information, or having said information altered or destroyed, is considered a criminal offense under the law. However, rather than allowing New Zealand citizens to bring a private right of action against agencies who violate their data privacy rights, the requirements and mandates of the Privacy Bill are not enforceable in court. Individuals who believe their rights have been violated must instead file a complaint with the Privacy Commissioner.
After an individual reports a privacy violation to the Privacy Commissioner, they will then be prompted to fill out a complaint form. This form asks individuals to specify the principles of the Privacy Bill they feel have been violated, as well as the extent of said violations. In instances where the Privacy Commissioner cannot resolve a data subject’s complaint, they can then escalate their complaint to the Director of Human Rights Proceedings, the Human Rights Review Tribunal, and ultimately, the High Court of New Zealand. Conversely, if it is determined that a data subject’s rights have been infringed upon without the need for escalation, they are entitled to damages of up to $350,000.
The New Zealand Privacy Act was passed to update the level of privacy protection that is afforded to citizens of New Zealand. As the country’s previous Privacy Bill had not been updated since 1993, the New Zealand Privacy Act was passed at a much-needed time, as advancements in technology in the last 20 years have contributed to views of personal privacy that had never been considered before. As such, residents of New Zealand can be confident that they have an avenue for recourse in instances in which they feel their personal data privacy rights have been infringed upon.