Your browser currently has JavaScript turned off, which means that Digital.govt.nz might not display properly on your device. It’s easy to turn JavaScript on - find out how to enable JavaScript in your browser.

Domestic legislation

The handling of personal information in New Zealand is governed by the Privacy Act, privacy codes and other legislation.

Privacy Act 2020

On 1 December 2020, the Privacy Act 2020 replaced the Privacy Act 1993. The reforms aim to encourage public and private sector agencies to identify risks and prevent incidents that could cause harm.

The major changes include:

notifiable privacy breaches
compliance notices
enforceable access directions
disclosing information overseas
extraterritorial effect
new criminal offences
additional withholding grounds for access requests.

The purpose of the Privacy Act is to promote and protect individuals’ privacy by establishing principles on the collection, use, and disclosure of personal information, and access by individuals to the personal information held about them. Personal information can relate to information about customers, clients, employees, and others. 

Enforcement of the Act is through the Privacy Commissioner who has the power to investigate any action which appears to interfere with the privacy of an individual, either on a complaint made to the Commissioner or on the Commissioner’s own initiative.

The Government Chief Privacy Officer provides guidance to help government agencies understand and meet their responsibilities under the Act.

More information:

Privacy principles and Privacy Act requests

Amendment to the Privacy Act 2020 — IPP 3A

Additional guidance is available to help you plan for notifying collections when IPP 3A comes into effect on 1 June 2025.

IPP 3A — planning for indirect notification requirements

Information Privacy Principles (IPPs)

At the core of the Privacy Act are 13 Information Privacy Principles that set out how agencies are to:

collect personal information (IPPs 1 to 4)
store personal information (IPP 5)
provide access to (IPP 6) and correct (IPP 7) personal information
use (IPPs 8 to 10) and disclose (IPP 11 and 12) personal information
only keep personal information for as long as necessary (IPP 9)
use unique identifiers (IPP 13).

IPP 6 provides individuals with the right to access the personal information that an agency holds about them, unless 1 of the Privacy Act exceptions applies.

13 Information Privacy Principles (IPPs)

Privacy Act requests

The Privacy Act provides that an agency must respond to a Privacy Act request within 20 working days after receiving the request, or transfer the request to another agency within 10 working days. On the Privacy Commissioner homepage there’s a response calculator to calculate the date a request is due.

All Privacy Act requests, regardless of how they’re made, trigger the same obligations under the Privacy Act.

More information:

Office of the Privacy Commissioner — homepage

Office of the Privacy Commissioner — Access to personal information (principle 6)

Privacy codes

The Privacy Act gives the Privacy Commissioner the power to issue codes of practice that become part of the law.

These codes may modify the operation of the Privacy Act for specific industries, agencies, activities or types of personal information.

Codes often modify 1 or more of the IPPs to take account of special circumstances which affect a class of agencies (for example, credit reporters) or a class of information (for example, health information).

The Privacy Commissioner has issued the following 6 codes of practice:

Civil Defence National Emergencies (Information Sharing) Code 2020
Credit Reporting Privacy Code 2020
Health Information Privacy Code 2020
Justice Sector Unique Identifier Code 2020
Superannuation Schemes Unique Identifier Code 2020
Telecommunications Information Privacy Code 2020

Office of the Privacy Commissioner — Codes of practice

Other legislation

Agencies are often subject to additional legislation governing how they can handle personal information. For example, many agencies are required to retain personal information in accordance with the Public Records Act 2005.

Public Records Act 2005

Some legislation provides agencies with a legal basis to collect certain personal information (for example, IRD and Police) while other legislation restricts how agencies may use or disclose personal information.

Legislation specific to an agency, for example, the Tax Administration Act 1994 and the Customs and Excise Act 2018, may also mandate how an agency can collect, use and/or disclose personal information.

JavaScript is currently turned off in your browser — this means you cannot submit the feedback form. It’s easy to turn on JavaScript — Learn how to turn on JavaScript in your web browser.

If you’re unable to turn on JavaScript — email your feedback to info@digital.govt.nz.

Was this page helpful?

Yes No Partly

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

What did you come here to do?

How can we improve this information?

Last updated 01 December 2020