Administered by the Ministry of Justice of New Zealand and enacted by the Parliament of New Zealand, the Privacy Act 2020 replaced the Privacy Act 1993. In July 2024, an update was released that amended the December 2020 version. Set out in 9 Parts, 8 Schedules, and 218 Sections, this Act protects the privacy of individuals through a framework aligned with global standards for protecting personal information, including the guidelines of the Organisation for Economic Co-operation and Development (OECD) and the International Covenant on Civil and Political Rights.
It provides for the appointment of a Privacy Commissioner, who is required to investigate complaints about interference with the privacy of individuals.
Subpart 1 of Part 1 specifies that the New Zealand Privacy Act applies to all individuals, regardless of residential status or nationality, as long as their personal information is collected by any of the following:
- A New Zealand agency processing the personal information of an individual (A).
- An overseas agency processing personal information while carrying on business in New Zealand, whether or not it has a physical presence in the country.
For the purposes of this subpart, it does not matter where the personal information is collected or held, or where the individual concerned is located. Further, the Act applies to an overseas agency whether or not it is a for-profit organisation, operates on a commercial basis, supplies goods or services for monetary payment, or is physically located in New Zealand.
To learn about the applications of specific subparts and sections, read the official document.
Subpart 2 of Part 1 (Sections 7-12) sets out preliminary provisions such as the definition of an individual (a living natural person). Individuals may be New Zealand residents or foreign individuals, as long as their data is handled by a New Zealand-based agency or by an overseas agency carrying on business in New Zealand.
Part 2 (Sections 13-22) covers, among other things, the functions of and reviews conducted by the Privacy Commissioner, and the appointment of the Privacy Commissioner and the Deputy Privacy Commissioner. The Privacy Commissioner (or Commissioner) is the board for the purposes of the Crown Entities Act 2004, a Crown entity for the purposes of Section 7 of that Act, and a corporation sole. The Deputy Commissioner is appointed by the Governor-General and, subject to the control of the Privacy Commissioner, may exercise all the functions of the Privacy Commissioner.
Part 3 of the New Zealand Privacy Act elaborates on Information Privacy Principles (IPP) and codes of practice. Subpart 1 of Part 3 explores the information privacy principles that are as follows:
- Principle 1, Purpose of Collection of Personal Information: An agency may collect Personal Information (PI) only for a lawful purpose connected with a function or activity of the agency, and only if the collection is necessary for that purpose. If the lawful purpose does not require the collection of identifying information, then that identifying information may not be collected.
- Principle 2, Source of Personal Information: Agencies should collect PI directly from the individual concerned unless an exception applies. The exceptions include cases where non-compliance would not endanger the individual, where collection from another source is authorised, or where the information is collected for research, legal proceedings, or public health, among other reasons.
- Principle 3, Collection of Information from Subject: If an agency collects personal information directly from the individual, it should inform them of the purpose of collection, whether providing the information is voluntary or required by law, any consequences of not providing it, and any third-party disclosure if the data is to be shared with third parties. This principle ensures transparency.
- Principle 4, Manner of Collection of Personal Information: Personal information should not be collected by unlawful, unfair, or unreasonably intrusive means (especially when the personal information is collected from children or young persons). This principle ensures ethical data collection.
- Principle 5, Storage and Security of Personal Information: The agency should protect the PI against loss, misuse, and unauthorised use, access, modification, or disclosure. Appropriate measures must be taken to ensure information security is maintained.
- Principle 6, Access to Personal Information: Information held by the agency must be made accessible to the individual concerned upon request. When access is given, the individual is advised that, under IPP 7, they may request correction of the information. Agencies must comply with Part 4 when giving access, and exceptions (such as legal proceedings) may apply.
- Principle 7, Correction of Personal Information: This principle allows individuals to request correction of their PI if they believe it is inaccurate, misleading, or incomplete. The agency should take steps to correct the information so that it is complete, accurate, up to date, and not misleading. If the agency chooses not to make the correction, it is obligated to attach a statement of the correction sought to the information.
- Principle 8, Accuracy, etc., of Personal Information to be Checked Before Use: An agency holding personal information must not use or disclose it without first ensuring that it is complete, relevant, accurate, up to date, and not misleading.
- Principle 9, Agency Not to Keep Personal Information for Longer than Necessary: Personal information should not be stored after the lawful purpose has been fulfilled.
- Principle 10, Limits on Use of Personal Information: An agency holding personal information should use it only for the purpose for which it was collected, unless the individual consents or an exception applies (such as a legal requirement). An intelligence and security agency that holds PI for one purpose may also use it for another purpose if that secondary purpose is necessary to perform any of its functions.
- Principle 11, Limits on Disclosure of Personal Information: Personal information held by an agency must not be disclosed to another person or agency except in circumstances such as protecting the public revenue, use for statistical or research purposes, or disclosure authorised by the individual concerned.
- Principle 12, Disclosure of Personal Information Outside New Zealand: Information may be disclosed by an agency (A), in reliance on IPP 11(a), (b), (d), (e), (f), or (h), to a foreign person or entity (B) only in specific scenarios such as threats to health or safety or legal obligations. This principle aims to ensure that personal information sent outside the country is subject to the same privacy standards as within New Zealand.
- Principle 13, Unique Identifiers: An agency may assign a unique identifier to an individual only if it enables the agency to carry out one or more of its functions. An agency (A) must not assign to an individual a unique identifier that has already been assigned to that individual by another agency (B), except where A and B are associated persons under subpart YB of the Income Tax Act 2007 and A will use the identifier for no purpose other than statistics or research.
Part 3 also provides details about the circumstances when the collection, use, and disclosure of personal information is authorised by the Commissioner, along with regulations for data collection and breach notifications. It outlines the enforcement of IPPs and the relation of IPPs with other New Zealand Laws. Also, it discusses complaints, penalties, procedures, and effects of the code of practice.
Sections 39-67 of Part 4 set out the procedures that apply when an individual requests access to and correction of PI under IPP 6. A correction may be made to part or all of the information, and a statement is attached to the information if no correction is made. Both public and private sector agencies may charge for enabling access to and correction of PI. A correction request may be refused; however, the agency must give the individual notice of the refusal within 20 working days.
Sections 68-111 of Part 5 cover the processes and powers for handling privacy complaints and enforcing the Act, including investigation by the Commissioner and the manner and settlement of complaints. Individuals can file a complaint with the Privacy Commissioner if they believe their rights have been breached; however, the Commissioner may decide not to investigate the complaint (Section 74). The Commissioner has the power to investigate and gather evidence, and if a breach is found, a non-compliance notice requiring corrective action can be issued. The case can be referred to the Human Rights Review Tribunal, and penalties for non-compliance, such as fines and legal sanctions, can be imposed.
Section 104(4) states that an agency that fails to comply with an access order is liable to a fine not exceeding $10,000.
Sections 112-135 of Part 6 cover notifiable privacy breaches and compliance notices in two subparts. Subpart 1 explains the notification requirements, the assessment of the likelihood of serious harm, liability for actions, etc. An agency that fails to notify the Commissioner of a notifiable privacy breach is liable to a fine not exceeding $10,000. Subpart 2 covers the issuing, form, cancellation, and enforcement of compliance notices, remedies, costs, and enforcement proceedings.
Sections 136-161 (Subpart 1 of Part 7) contain various provisions addressing the Act's implementation and enforcement, such as guidelines, agreements, the results of information matching programmes, reporting requirements, amendment of rules, and avoidance of controls.
Sections 162-168 of Subpart 2 cover identity information, annual reporting requirements, the power to amend Schedule 3, and the manner and form of access. The purpose of this subpart is to authorise accessing agencies to verify an individual's identity by accessing information about that individual held by a holder agency (refer to Schedule 3 for the accessing and holder agencies). This does not limit the processing of personal information that is permitted by the information privacy principles or authorised by another enactment.
Sections 169-173 of Subpart 3 deal with law enforcement information about an identifiable individual, along with the power to amend Schedule 4 (Law Enforcement) by Order in Council: the Governor-General may insert, amend, or replace any item in Schedule 4, repeal Schedule 4, or substitute a new Schedule. For the interpretation of terms such as accessing and holder agencies, refer to Schedule 5. Unless the context requires otherwise, a local authority means a public body listed in Schedule 1 or 2 of the Local Government Official Information and Meetings Act 1987.
Sections 174-190 of Subpart 4 provide the details of the authorised information matching programme, its relation with information disclosure-related laws, information matching agreements, reports on information matching provisions, and other related subjects. Section 191 states that both Section 190 of this Subpart and Schedule 7 are repealed.
Sections 192-200 of Part 8 deal with the transfer of personal information outside New Zealand. They cover appeals against transfer prohibition notices, offences for breaching such notices, the powers of the Commissioner, the application of the Human Rights Act 1993, etc. Section 197 provides that refusing or failing, without reasonable excuse, to comply with a transfer prohibition notice can result in a fine not exceeding $10,000.
Sections 201-204 of Part 9 contain miscellaneous provisions concerning privacy officers, inquiries, powers relating to declaratory judgments, etc. Every agency must appoint one or more individuals as privacy officers, who are responsible for encouraging compliance with the IPPs and the Act's provisions, working with the Privacy Commissioner on investigations, and dealing with requests made to the agency.
Section 205 (Protection against certain actions) of Part 9 states that, if information is made available in good faith, no criminal or civil proceedings lie against the Crown, any person, or the author or supplier of the information in respect of the resulting publication.
Sections 206-211 cover subjects such as the duty of the Commissioner and staff to maintain secrecy, information sharing with overseas privacy enforcement authorities, consultation, adverse comment, and the liability of agencies, employers, and principals.
Section 212 (Offences) of this Part provides for a fine not exceeding $10,000 for the following offences under this Act:
- Without reasonable excuse, hindering, obstructing, or resisting the Commissioner or any other person exercising powers under the Act.
- Refusing or failing to comply with any lawful requirement of the Commissioner or such a person.
- Intentionally providing false or misleading information to the Commissioner or a person in authority.
- Directly or indirectly falsely representing that one has been granted authority under this Act.
- Misleading an agency by impersonating an individual, or by falsely pretending to be an individual or to be acting under that individual's authority, in order to:
  - Obtain access to that individual's personal information.
  - Use, alter, or destroy that individual's personal information.
- Destroying any document containing personal information, knowing that a request has been made for access to that information (Subpart 1 of Part 4).
Sections 213-215 delve into various regulations, including the ones related to prescribed binding schemes and countries.
Section 216 specifies that the Privacy Act 1993 is repealed and the Privacy Regulations 1993 are revoked.
Section 218 states that Section 217 and Schedule 9 were repealed on Dec 8, 2020.
There are 8 schedules defined after the sections of 9 Parts.
Schedules 1-5 cover transitional and savings provisions, approved information matching agreements, identity information, law enforcement information, and information matching provisions.
Schedule 6 sets out the rules that agencies matching information must follow, including the use of unique identifiers, technical standards, time limits, and the destruction of information. Section 5 (Destruction of information) of this schedule addresses the destruction of data in detail, stating that:
- If an agency, on receiving information produced by an authorised information matching programme, becomes aware of a discrepancy, it must destroy all the information within 60 working days unless it decides to take adverse action.
- If adverse action is to be taken on the basis of a discrepancy, the agency must destroy the information as soon as practicable after it is no longer needed.
- This section does not apply to the Inland Revenue Department.
Schedule 8 sets out the basic principles of national application contained in Part II of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Applicable to private and public sector organisations processing personal data, these guidelines aim to protect privacy and individual liberties.
Complying with the New Zealand Privacy Act 2020
The New Zealand Privacy Act 2020 specifies information privacy principles that guide businesses in areas such as the collection, purpose, accuracy, storage, security, access, availability, use, and electronic transmission of personal information. In particular:
- Principle 9 of the Information Privacy Principles states that information should not be kept after the lawful purpose for which it was collected has been fulfilled.
- Section 5 of Schedule 6 requires the destruction of information produced by an information matching programme:
  - Within 60 working days of becoming aware of a discrepancy, unless adverse action is to be taken.
  - As soon as practicable once the information is no longer needed for the adverse action.
Whether the information is no longer required, has fulfilled its intended purpose, or cannot be retained beyond a certain period, BitRaser can permanently and securely destroy it beyond recovery. The automatically generated erasure reports and certificates of destruction help in complying with the New Zealand Privacy Act 2020.