Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

We respect your Do Not Track preference.

The Office of the Privacy Commissioner is launching the ‘Privacy is precious’ campaign today to coincide with Privacy Week, running from 2-6 November 2020.

The national advertising campaign highlights the importance of protecting personal information and promotes the key changes in the Privacy Act 2020, which takes effect on 1 December.

Privacy Week heralds the transition to the new law, which gives people better privacy protections, and organisations and businesses greater obligations when handling personal information. The new Act also gives the Privacy Commissioner greater powers to ensure organisations and businesses comply with the Act.

Privacy Commissioner John Edwards says the 27-year-old Privacy Act 1993 has been modernised to reflect the changes in the wider economy and society to ensure it is fit for the technological world in which we now live.

The Office of the Privacy Commissioner has produced resources and guidance to help people and organisations understand what’s changing in the Privacy Act.

Visit the ‘Privacy is precious’ campaign page.

Key changes in the Privacy Act 2020 include:

Notifiable privacy breaches

The Privacy Act 2020 introduces new privacy breach reporting obligations. If a business or organisation has a privacy breach that it believes has caused (or is likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible. Use the NotifyUs tool to report a privacy breach.

New criminal offences

The Act introduces new criminal offences. It will now be an offence to mislead an agency to access someone else’s personal information – for example, impersonating someone in order to access information that you are not entitled to see. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.

Compliance notices

The Privacy Commissioner will be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, to comply with the Privacy Act 2020.

Enforceable access directions

The Privacy Commissioner will be able to direct an organisation or business to confirm whether they hold personal information about an individual and to provide them with access to that information.

Disclosing information overseas

A new privacy principle 12 has been added to the Privacy Act to regulate the way personal information can be sent overseas. Under principle 12, an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act 2020.

Extraterritorial effect

An overseas business or organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here. This will affect businesses located offshore.

ENDS

For more information:

Charles Mabbett - charles.mabbett@privacy.org.nz 021 509 735

Alix Chapman - alix.chapman@privacy.org.nz 021 509 389