New Zealand Privacy Act 2020

Who is excluded from Privacy Act 2020 compliance? 

Per the definition for ‘agency’ listed above, certain types of entities are excluded from the definition and as such from coverage by the Act, such as members of Parliament, or “a news entity, to the extent that it is carrying on news activities.” In addition to this, Part 3, Sections 25 through 30 list all the exceptions and exemptions from compliance with the IPPs, such as when the Privacy Commissioner may authorize “collection, use, storage, or disclosure of personal information otherwise in breach of IPP 2 or IPPs 9 to 12.”

How can I keep my organization compliant with Privacy Act 2020? 

As stated, Privacy Act 2020 lists 13 Information Privacy Principles (IPPs) that agencies have to observe for compliance. 

Information privacy principle 1 - Purpose of collection of personal information 

Personal information must not be collected by an agency unless:

• the information is collected for a lawful purpose connected with a function or an activity of the agency; and
• the collection of the information is necessary for that purpose.

Information privacy principle 2 - Source of personal information 

If an agency collects personal information, the information must be collected from the individual concerned. However, if the agency has reasonable grounds to believe that any one of the exceptions outlined in the law applies, it is not necessary to comply with this principle. 

Information privacy principle 3 - Collection of information from subject

If an agency collects personal information from the individual concerned, unless exceptions outlined in the law apply, the agency must take any steps that are, in the circumstances, reasonable to ensure that the individual concerned is aware of

• the fact that the information is being collected; 
• the purpose for which the information is being collected; 
• the intended recipients of the information; 
• the name and address of the agency that is collecting the information and of the agency that will hold the information; 
• if the collection of the information is authorized or required by or under law, 
  • the particular law by or under which the collection of the information is authorized or required; and
  • whether the supply of the information by that individual is voluntary or mandatory; and
• the consequences (if any) for that individual if all or any part of the requested information is not provided; and
• the rights of access to, and correction of, information provided by the IPPs.

Information privacy principle 4 - Manner of collection of personal information

An agency may collect personal information only

• by a lawful means; and
• by a means that, in the circumstances of the case (particularly in circumstances where personal information is being collected from children or young persons),—
  • is fair; and
  • does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Information privacy principle 5 - Storage and security of personal information

An agency that holds personal information must ensure that the information is protected, by such security safeguards as are reasonable in the circumstances to take, against loss access, use, modification, or disclosure that is not authorized by the agency, other misuse, and that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorized use or disclosure of the information.

Information privacy principle 6 - Access to personal information

An individual is entitled to receive from an agency upon request confirmation of whether the agency holds any personal information about them and access to their personal information.

Information privacy principle 7 - Correction of personal information

• An individual whose personal information is held by an agency is entitled to request the agency to correct the information.
• An agency that holds personal information must, on request or on its own initiative, take such steps (if any) that are reasonable in the circumstances to ensure that, having regard to the purposes for which the information may lawfully be used, the information is accurate, up to date, complete, and not misleading.

Information privacy principle 8 - Accuracy, etc, of personal information to be checked before use or disclosure

An agency that holds personal information must not use or disclose that information without taking any steps that are, in the circumstances, reasonable to ensure that the information is accurate, up to date, complete, relevant, and not misleading.

Information privacy principle 9 - Agency not to keep personal information for longer than necessary

An agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.

Information privacy principle 10 - Limits on use of personal information

• An agency that holds personal information that was obtained in connection with one purpose may not use the information for any other purpose unless the agency believes that any one of the exceptions outlined in the law apply.
• In addition to the uses authorized, an intelligence and security agency that holds personal information that was obtained in connection with one purpose may use the information for any other purpose (a secondary purpose) if the agency believes on reasonable grounds that the use of the information for the secondary purpose is necessary to enable the agency to perform any of its functions.

Information privacy principle 11 - Limits on disclosure of personal information

An agency that holds personal information must not disclose the information to any other agency or to any person unless the agency believes that any one of the exceptions outlined in the law apply.

Information privacy principle 12 - Disclosure of personal information outside New Zealand

An agency may disclose personal information to a foreign person or entity in reliance on IPP 11 only if one of the following apply: 

• the individual concerned authorizes the disclosure after being expressly informed that the receiving agency may not be required to protect the information in a way that, overall, provides comparable safeguards to those in this Act; 
• the receiving agency is carrying on business in New Zealand and, in relation to the information, A believes on reasonable grounds that B is subject to this Act; 
• the agency disclosing the data has reasonable grounds to believe that the receiving agency is subject to privacy laws that, overall, provide comparable safeguards to those in this Act;
• the agency disclosing the data has reasonable grounds to believe that the receiving agency is a participant in a prescribed binding scheme, or is subject to privacy laws of a prescribed country;
• the agency disclosing the data has reasonable grounds to believe that the receiving agency is required to protect the information in a way that, overall, provides comparable safeguards to those in this Act (for example, pursuant to an agreement entered into between the two agencies).

Information privacy principle 13 - Unique identifiers

• An agency may assign a unique identifier to an individual for use in its operations only if that identifier is necessary to enable the agency to carry out one or more of its functions efficiently.
• An individual may not be assigned a unique identifier if, to the agency’s knowledge, the same unique identifier has been assigned to the individual by another agency. The exception to this is when the two agencies are associated as defined in subpart YB of the Income Tax Act 2007, or the unique identifier is used for statistical or research purposes and no other purpose.
• The same unique identifier may not be assigned to an individual by another agency for the purpose of communication between two agencies that use the same unique identifier for the individual.
• An agency must take any reasonable steps necessary to ensure that a unique identifier is assigned only to an individual whose identity is clearly established; and the risk of misuse of a unique identifier by any person is minimized (for example, by showing truncated account numbers on receipts or in correspondence).
• An agency may not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or is for a purpose that is directly related to one of those purposes.

In the event of a data breach Act 2020 mandates that the agency has an obligation to “notify the Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred” and also “must notify an affected individual as soon as practicable after becoming aware that a notifiable privacy breach has occurred,” unless exceptions in Part 6, Section 116 apply. However, “if it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals, the agency must instead give public notice of the privacy breach.”

Another obligation of agencies is outlined by Part 9, Section 201 where it states that “an agency must appoint as privacy officers for the agency one or more individuals (within or outside the agency) whose responsibilities include:

• encouraging the agency to comply with the IPPs;
• dealing with requests made to the agency under this Act;
• working with the Commissioner in relation to investigations conducted under Part 5 in relation to the agency
• ensuring that the agency complies with the provisions of this Act.”

What data access rights does Privacy Act 2020 grant? 

Individuals are granted several data access rights as follows: 

• The Right to be Informed, as referenced by IPP 3, which can be complied with via a Privacy Policy on the agency’s website;
• The Right to Access, based on IPP 6;
• The Right to Correct, based on IPP 7.

Under New Zealand’s privacy law, there is no Right to Delete, Right to Data Portability, the Right to Object, or the Right to not be subject to automated decision-making. 

How should organizations address data subject access requests under Privacy Act 2020?

The Act does not offer many specifics on how requests have to be handled. The two requests it does discuss are the request for access and the request to correct. In both cases the following have to be observed: 

• the request “may be made only by the individual concerned or that individual’s representative”;
• a requestor may ask that their request be treated as urgent, but they must state the reason why it should be treated as such;
• if the agency receives an urgent request it must consider it as well as the reason stated for its urgency when determining the priority to be given to responding to it; 
• in the case of a normal request, the agency must, as soon as it has decided to grant the request, and as soon as is reasonably practicable, and in any case not later than 20 working days after the day on which the request is received, respond to the request;
• an agency is allowed to extend the deadline for answering a request if the request is of such a nature that it cannot be reasonably answered to within the original timeframe. However, any extension “must be for a reasonable period of time having regard to the circumstances.”

Charges may be imposed by agencies, but these have to be reasonable and take into account the cost of the labor and materials involved or any costs involved in answering an urgent type of request for access or correction. 

Enforcement and penalties

The Office of the Privacy Commissioner (OPC) ensures compliance with the law, handles and investigates complaints, advises New Zealand’s government on matters of data privacy. 

According to one of the articles on the OPC’s website, in the Knowledge Base section, when investigating a complaint the OPC will try to facilitate resolution and only where this is not possible will they refer the matter to the Director of Human Rights Proceedings (the Director) so they can bring the case to the Human Rights Review Tribunal (the Tribunal). The Tribunal will then decide whether compensation is awarded or not and the appropriate range of compensation for violations of Act 2020. 

As regards penalties, violations are considered criminal offenses and are sanctionable by a fine not exceeding NZD 10,000 (approx. $ 6,000). However, according to the same article, “the Tribunal has said that cases at the less serious end of the spectrum will range up to NZD 10,000 (approx. $ 6,000), more serious cases can range from NZD 10,000 (approx. $ 6,000) to around NZD 50,000 (approx. $ 29,900), and the most serious cases will range from NZD 50,000 (approx. $ 29,900) upwards. The most the HRRT has awarded so far for a privacy matter is just over NZD 168,000 (approx. $ 100,400).”

Data Subject Rights - GDPR vs. Privacy Act 2020