Spotlight on Privacy: Compliance and Enforcement under the new Privacy Act 2020

10 Jul 2020
Author: DTI Lawyers

In this series shining a light on privacy law, we recently discussed some of the changes the new Privacy Act 2020 will bring as it repeals the Privacy Act 1993 [1]. Our article set out the new Information Privacy Principle 12 prescribing requirements for disclosures of personal information outside New Zealand, the requirement to notify serious privacy breaches, and potential consequences for failure to do so.

In this article, we discuss further changes and what they will mean for agencies, the Privacy Commissioner, and individuals where privacy concerns arise.


Where a person has concerns that an agency is or appears to be interfering with their privacy and wants those concerns to be addressed, a complaint needs to be made to the Privacy Commissioner. The new Act introduces the ability for a complaint to be made by any person or on behalf of one or more individuals, therefore allowing groups of individuals to lay complaints against agencies.

Compliance notices

The new Act introduces the ability for the Commissioner to issue a notice to an agency where it is considered that there was a breach of the Act or a Code of Conduct issued under another Act. A compliance notice may require an agency to do or stop doing any act that is in breach of the Act or may be treated as a breach of an Information Privacy Principle (IPP).

Access to information

Agencies have an obligation to give individuals access to personal information held about them by the agency, where this is readily retrievable. Where an agency denies access to an individual’s personal information, the individual can seek a direction from the Commissioner to grant access.

Where an agency fails to comply with an access direction made by the Commissioner, an aggrieved individual may apply to the Human Rights Review Tribunal (the Tribunal) for an access order. An agency that fails to comply with an access order commits an offence and is liable on conviction to a fine not exceeding $10,000.

An agency that has had an access direction made against it may appeal the direction to the Tribunal. 

Tribunal proceedings

Under the existing 1993 Act, the Director of Human Rights Proceedings can bring proceedings against a person alleged to have interfered with an individual's privacy, and the aggrieved individual cannot be a party or joined to the proceedings unless the Tribunal orders otherwise.

The new legislation will allow an aggrieved individual, a representative of that individual, or a representative acting on behalf of a class of aggrieved individuals to commence proceedings in the Tribunal.


Offences are also prescribed under the new Act and a person found to be in breach of the Act may be liable for a fine of up to $10,000 upon conviction of any of the following offences:

  • Obstructing, hindering, or resisting, without reasonable excuse, the Commissioner in the performance of their powers under the Act.
  • Failing to comply with a requirement of the Commissioner without reasonable excuse.
  • Misleading, or providing false information to, the Commissioner.
  • Falsely representing an authority held under the Act.
  • Impersonating an individual to obtain access to, or to use, alter, or destroy, that individual’s information.
  • Destroying documentation containing personal information after a request has been made in respect of that information.

Action points

The incoming changes are consistent with the intention of the Privacy Act 2020 to improve compliance and enforcement where breaches of privacy occur. Agencies can take proactive steps to be compliant with their privacy obligations, as set out in our earlier article. Building on our earlier advice, further practical steps we recommend agencies take include:

  • Routinely review the organisation’s procedures for detecting and reporting on notifiable breaches. Use scenarios to test whether these procedures are fit for purpose.
  • Set clear guidelines and procedures about how requests for access to personal information and compliance notices will be dealt with and what roles will be responsible for taking action on any requests or notices. 
  • Communicate and provide relevant training to the wider organisation about who is the contact person for any privacy concerns and how and when these concerns should be raised. Ensure the persons responsible for privacy within the organisation are well equipped to manage such enquiries.

For further advice on privacy law, including the provision of privacy training, please contact our team of specialist employment lawyers by phone on: 07 282 0174.


[1] Spotlight on Privacy: Changes to Privacy Law. The Privacy Act 2020 comes into effect on 1 December 2020.