Domestic legislation
The handling of personal information in New Zealand is governed by the Privacy Act, privacy codes and other legislation.
Privacy Act 2020
On 1 December 2020, the Privacy Act 2020 replaced the Privacy Act 1993. The reforms aim to encourage public and private sector agencies to identify risks and prevent incidents that could cause harm.
The major changes include:
- notifiable privacy breaches
- compliance notices
- enforceable access directions
- disclosing information overseas
- extraterritorial effect
- new criminal offences
- additional withholding grounds for access requests.
The purpose of the Privacy Act is to promote and protect individuals’ privacy by establishing principles on the collection, use, and disclosure of personal information, and access by individuals to the personal information held about them. Personal information can relate to information about customers, clients, employees, and others.
Enforcement of the Act is through the Privacy Commissioner who has the power to investigate any action which appears to interfere with the privacy of an individual, either on a complaint made to the Commissioner or on the Commissioner’s own initiative.
The Government Chief Privacy Officer provides guidance to help government agencies understand and meet their responsibilities under the Act.
More information:
- Privacy Act 2020
- Office of the Privacy Commissioner
- Government system leads
- Office of the Privacy Commissioner — Key changes in the Privacy Act 2020
- Office of the Privacy Commissioner section-by-section comparison of the 2 Acts
- Office of the Privacy Commissioner — Reporting privacy breaches (NotifyUs)
- Office of the Privacy Commissioner — Privacy Act 2020 training module
Privacy principles and Privacy Act requests
Amendment to the Privacy Act 2020 — IPP 3A
Additional guidance is available to help you plan for notifying collections when IPP 3A comes into effect on 1 June 2025.
Privacy codes
The Privacy Act gives the Privacy Commissioner the power to issue codes of practice that become part of the law.
These codes may modify the operation of the Privacy Act for specific industries, agencies, activities or types of personal information.
Codes often modify 1 or more of the IPPs to take account of special circumstances which affect a class of agencies (for example, credit reporters) or a class of information (for example, health information).
The Privacy Commissioner has issued the following 6 codes of practice:
- Civil Defence National Emergencies (Information Sharing) Code 2020
- Credit Reporting Privacy Code 2020
- Health Information Privacy Code 2020
- Justice Sector Unique Identifier Code 2020
- Superannuation Schemes Unique Identifier Code 2020
- Telecommunications Information Privacy Code 2020
Office of the Privacy Commissioner — Codes of practice
Other legislation
Agencies are often subject to additional legislation governing how they can handle personal information. For example, many agencies are required to retain personal information in accordance with the Public Records Act 2005.
Some legislation provides agencies with a legal basis to collect certain personal information (for example, IRD and Police) while other legislation restricts how agencies may use or disclose personal information.
Legislation specific to an agency, for example, the Tax Administration Act 1994 and the Customs and Excise Act 2018, may also mandate how an agency can collect, use and/or disclose personal information.
Utility links and page information
Last updated
