
New Zealand


Law: Privacy Act 2020 ('the Act')

Regulator: The Office of the Privacy Commissioner of New Zealand ('OPC')

Summary: The Act repeals and replaces the Privacy Act 1993 and contains 13 Information Privacy Principles ('IPP') that govern the use of personal information in New Zealand. The Act requires agencies to appoint at least one privacy officer and to report data breaches that cause, or are likely to cause, serious harm, and it provides data subjects with both the right to access and the right to request correction of their personal information. In addition, the new IPP 12 provides that an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Act. Furthermore, the Act introduces new criminal penalties, punishable with fines of up to NZD 10,000 (approx. €5,870), and allows the OPC to issue compliance notices and enforceable access directions. Notably, New Zealand was the first APAC jurisdiction to be recognised as providing an adequate level of personal data protection by the European Commission.


The Privacy Amendment Bill, No. 292-1 (the Bill), was introduced to the Parliament of New Zealand on September 5, 2023, and seeks to amend the Privacy Act 2020 (the Privacy Act). The Bill, among other things, aims to increase transparency for individuals about the collection of their personal information, better enable individuals to exercise their privacy rights, and introduce provisions relating to the indirect collection of personal information by agencies. OneTrust DataGuidance provides an overview of the Bill.

The Protected Disclosures Act 2000 ('the Protected Disclosures Act') was passed by the New Zealand Parliament ('Parliament') more than 20 years ago to strengthen whistleblower protection. Following a review of whistleblower protections, the Protected Disclosures (Protection of Whistleblowers) Bill ('the Act') was published and came into effect on 1 July 2022. OneTrust DataGuidance considers the impact of the Act and its key provisions.

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due in part to their capacity to understand the consequences of providing their information and the potential risks associated with its use or misuse. In part two of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from New Zealand, the Philippines, and Singapore.

For insight into handling children's personal data in Australia, China, India, and Japan, please see part one here.

More than two years after the outbreak of the global COVID-19 pandemic, challenges and rapidly changing requirements in terms of privacy, data protection, and disclosure of employees' vaccination status in the context of employment are at the forefront. This Insight series looks across a variety of countries with regard to which information employers can collect, outlining the local requirements in Australia, New Zealand, and Singapore in part one and in China, Japan, India, and Russia in part two.

Personal data covers a wide range of information relating to living, identifiable human beings, including information that is particularly sensitive. On 16 December 2021, the Office of the Privacy Commissioner of New Zealand ('OPC') published its guidance 'Sensitive personal information and the Privacy Act 2020' ('the Guidance'). The Guidance provides key points on how the Privacy Act 2020 ('the Privacy Act') applies to sensitive personal information. OneTrust DataGuidance explores definitions, principles, exemptions, codes of practice, oversight, compliance, and enforcement mechanisms, as well as approaches outlined in the Guidance.

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Privacy Act 1993 (the Privacy Act) and the Privacy Act 2020 (the Privacy Act 2020).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the Privacy Acts with the GDPR.

You can access the latest version of the report here.

On 6 October 2021, the Office of the Privacy Commissioner ('OPC') released a position paper ('the Paper') setting out its approach to regulating biometrics under the Privacy Act 2020 ('the Act'). As stated by the OPC, the increasing role of biometric technologies leads to calls for greater regulation of biometrics in New Zealand. In addition, the OPC noted that other countries are also considering how best to regulate these technologies, and some have enacted specific regulatory frameworks for biometrics. OneTrust DataGuidance gives an overview of the key information contained in the paper, the OPC's view on processing biometric information, and an outline of how the Act applies to the same.

The Protected Disclosures Act 2000 ('the Act') was passed by the New Zealand Parliament ('Parliament') more than 20 years ago to strengthen whistleblower protection within the private sector. Since then, the nature of wrongdoing within the workplace has changed considerably and other laws dealing with similar subject matter, including the Privacy Act 2020, have emerged. Following extensive inquiries by the New Zealand Government, the long-awaited Protected Disclosures (Protection of Whistleblowers) Bill 2020 ('the Bill') was introduced in June 2020, with the view of resolving shortcomings in the Act. OneTrust DataGuidance considers the impact of the Bill, highlighting key provisions and its progress thus far.