Spotlight on Privacy: Changes to Privacy Law

7 Jul 2020
Author: DTI Lawyers

Significant changes to privacy law come into effect on 1 December 2020. The legislation passed its third and final reading in Parliament on 26 June 2020 and received Royal assent on 30 June 2020. The Privacy Act 2020 repeals and replaces the Privacy Act 1993 and implements the recommendations of the Law Commission's 2011 review.[1] It gives New Zealand privacy law a much needed update for the way personal information is now collected, shared and stored using digital technology. Of particular importance to businesses, the new Act introduces mandatory reporting of privacy breaches that cause, or are likely to cause, serious harm.

Key changes to privacy laws are outlined below, with further changes to be outlined in subsequent articles in this series, shining the spotlight on privacy law.

Cross border information sharing

Most people will be familiar with the 12 Information Privacy Principles (IPPs) under the 1993 Act. The 2020 Act amends and adds to these principles, and expresses them in plainer language. It introduces a new principle, IPP 12 – Disclosure of Personal Information Outside New Zealand, with the 1993 Act's IPP 12 (unique identifiers) renumbered as IPP 13. IPP 12 strengthens the protections for cross border sharing by prescribing when personal information may be disclosed to a foreign person or entity: broadly, only where the individual has expressly authorised the disclosure after being told the overseas recipient may not offer comparable protection, or where the agency reasonably believes the recipient is subject to the Act, to comparable privacy laws, to a prescribed binding scheme, or to contractual or other obligations that provide comparable safeguards. Note that sending personal information to an overseas provider that merely stores or processes it on the agency's behalf (for example, a cloud service) is not a disclosure for the purposes of IPP 12; the agency is treated as still holding that information and remains responsible for it.

The 2020 Act has been structured to align more closely with the requirements of the European Union's General Data Protection Regulation (GDPR) and with privacy laws in other jurisdictions. The intention is that personal information can continue to move across borders with comparable protections applying at each end, although agencies will still need to satisfy themselves that IPP 12 is met for each overseas disclosure.

Notification of breach

Privacy protections are strengthened by the 2020 Act, under which an agency must notify the Commissioner and any affected individuals as soon as practicable after becoming aware that a notifiable privacy breach has occurred.[2] A privacy breach is any unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information, or any action that prevents the agency from accessing personal information on either a temporary or permanent basis (for example, ransomware that locks the agency out of its own records). A notifiable privacy breach is one that it is reasonable to believe has caused serious harm to an affected individual or individuals, or is likely to do so.

The 2020 Act sets out factors an agency must consider when assessing whether a breach is likely to cause serious harm. The list is non-exhaustive and requires assessment of the following:

  • Any action taken by the agency to reduce the risk of harm following the breach;
  • Whether the personal information is sensitive in nature;
  • The nature of the harm that may be caused to affected individuals;
  • The person or body that has obtained or may obtain personal information as a result of the breach (if known);
  • Whether the personal information is protected by a security measure (for example, strong encryption, which counts for little if the key was also exposed);
  • Any other relevant matters.

Under the 2020 Act, an employee, agent or member of an agency is not personally liable in any proceedings for a failure to notify the Commissioner or an affected individual that results from anything the employee, agent or member did or omitted to do. The agency itself, however, is liable in any proceedings arising from a failure to notify.

An agency that, without reasonable excuse, fails to notify the Commissioner of a notifiable privacy breach commits an offence under the 2020 Act and is liable on conviction to a fine not exceeding $10,000.

There are circumstances under the 2020 Act in which an agency is excused from, or may delay, notifying affected individuals or giving public notice of a privacy breach. For example, an agency need not notify an affected individual where it believes the notification would be likely to endanger the safety of any person. An agency may delay notification or public notice where it believes that notifying would risk the security of the personal information it holds and that risk outweighs the benefits of informing affected individuals, but only for as long as that risk persists. Neither the exception nor the delay applies to the obligation to notify the Commissioner, which must still be met as soon as practicable.

Action points for businesses

The 2020 Act comes into force on 1 December 2020, so businesses still have time to implement the necessary changes in the workplace. We recommend employers and agencies take the following steps now:

  • Review the organisation's privacy policies and practices against the requirements of the new Act, including how personal information is disclosed overseas under IPP 12.
  • Provide training to the key roles within the organisation (for example, the Privacy Officer) that need a working knowledge of privacy legislation and its requirements.
  • Introduce or review the organisation's procedures for detecting, assessing and reporting notifiable breaches, with clear guidelines on who is responsible for identifying a suspected breach, who assesses whether it is likely to cause serious harm, and who notifies the Commissioner and affected individuals within the "as soon as practicable" timeframe.
  • Communicate with employees, agents and/or members about the changes and establish clear lines of communication for any privacy concerns they may have.

These steps will help ensure your organisation is compliant when the 2020 Act comes into force, and will reduce both the risk of privacy breaches and the risk of failing to notify one.

For further advice on privacy law, including review of policy and compliance, as well as privacy training, please contact our team of specialist employment lawyers by phone on: 07 282 0174.


[1] The renewed privacy laws have been a long time coming: the Privacy Bill had its first reading in Parliament in April 2018.
[2] Under the Privacy Act, an agency is any organisation or business, whether in the public or private sector, including government departments, companies, small businesses, social clubs and other types of organisations. There are exceptions, including courts and tribunals when performing their judicial functions, the news media when gathering and reporting the news, and Members of Parliament when acting in an official capacity.