The following law(s) specifically govern personal data / information:
The Privacy Act 2020 (the Act).
The Act came into force on 1 December 2020, and replaces the Privacy Act 1993.
There are also currently six codes of practice issued under the Act, each of which modifies the operation of the Act for a specific industry, organisation or type of personal information. The codes of practice are:
- Civil Defence National Emergencies (Information Sharing) Code 2020;
- Credit Reporting Privacy Code 2020;
- Health Information Privacy Code 2020;
- Justice Sector Unique Identifier Code 2020;
- Superannuation Schemes Unique Identifier Code 2020; and
- Telecommunications Information Privacy Code 2020.
The key data protection principles in this jurisdiction are:
Almost every person or organisation that collects or holds personal information is an “Agency” and subject to the Act. This includes individuals, companies, government departments, religious groups, schools, clubs and so on.
“Personal information” under the Act is any information about a living identifiable individual.
The Act sets out 13 Information Privacy Principles (IPPs) relating to the collection, use, disclosure, storage and security of an individual’s personal information; they are summarised below.
- Purpose of collection (IPP 1):
Agencies must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose.
- Source of personal information (IPP 2):
Personal information should be collected directly from the individual concerned.
- Collection of information from subject (IPP 3):
When collecting personal information from the individual concerned, reasonable steps must be taken to ensure the individual is aware of:
  - The fact the personal information is being collected;
  - The purpose for which it is being collected;
  - The intended recipients;
  - The name and address of the entity collecting the information, and of the entity that will hold the information;
  - Where the collection is authorised or required by law, the particular law requiring the information to be given and whether the provision of information is voluntary or compulsory;
  - The consequences of not providing the information; and
  - The individual’s rights of access to, and correction of, their personal information under the Act.
- Manner of collection of personal information (IPP 4):
Personal information must be collected by means that are lawful, fair and not unreasonably intrusive.
- Storage and Security (IPP 5):
Agencies must ensure there are reasonable safeguards in place to prevent loss, disclosure or misuse of personal information.
- Access to personal information (IPP 6):
Individuals have a right to ask for confirmation of whether information is held about them and a right to access their own personal information.
- Correction of personal information (IPP 7):
A person has a right to ask an Agency that holds personal information about them to correct their information if they think it is incorrect.
- Accuracy (IPP 8):
An Agency must check before using or disclosing personal information that it is accurate, up to date, complete, relevant and not misleading.
- Agency not to keep personal information for longer than necessary (IPP 9):
An Agency should not keep personal information for longer than it is required for the purposes for which the information may lawfully be used.
- Limits on use (IPP 10):
An Agency can generally only use personal information for the purpose for which it was collected.
- Limits on disclosure (IPP 11):
An Agency may only disclose personal information to a third party in limited circumstances prescribed by the Act.
- Disclosure outside New Zealand (IPP 12):
An Agency may only disclose personal information to a foreign person or entity if:
  - The individual consents; and
  - The overseas recipient of the personal information will protect the data in a way that is consistent with New Zealand privacy laws.
- Unique identifiers (IPP 13):
An Agency can only use unique identifiers if the identifier is necessary to enable the Agency to carry out its functions efficiently.
The supervisory authority / regulator in charge of data protection is:
The Office of the Privacy Commissioner (Privacy Commissioner).
Is there a requirement to register with a supervisory authority / regulator?
No. The Act does not require an Agency to register with the Privacy Commissioner prior to personal information being collected, used, disclosed, stored or otherwise processed.
However, personal information may only be collected, used, disclosed, stored or otherwise processed by an Agency for lawful purposes connected with a function or activity of that Agency after obtaining the individual’s authorisation and otherwise in accordance with the IPP discussed above.
Is there a requirement to notify the supervisory authority / regulator?
No prior notification to the Privacy Commissioner is required before commencing any information processing activities in New Zealand, or prior to transferring or disclosing data outside New Zealand.
Is it possible to register with / notify the supervisory authority / regulator online?
As stated above, no registration or notification to the Privacy Commissioner is required.
The key data subject rights under the data protection laws of this jurisdiction are:
Generally, individuals have the right to:
- Know whether personal information is being collected about them;
- Authorise the collection, use, storage, disclosure and processing of their personal information;
- Access their personal information; and
- Request the correction of personal information they do not consider to be correct or complete.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes. The Act requires every Agency to appoint a privacy officer to ensure that the Agency is complying with its privacy obligations. The privacy officer may be located in or outside New Zealand.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
No. The Act does not require data protection impact assessments to be provided to the Privacy Commissioner.
However, a “Privacy Impact Assessment Toolkit” is available on the website of the Privacy Commissioner to assist Agencies to perform self-assessments if they choose to do so.
For completeness, in the event of a privacy breach the Agency will need to perform a self-assessment of the likelihood of serious harm occurring as a result of the privacy breach in order to determine whether a breach notification to the Privacy Commissioner is required under the Act.
Does this jurisdiction have any specific data breach notification requirements?
Yes. Where a privacy breach occurs that causes, or is likely to cause, “serious harm” to an affected individual or individuals, the breach must be notified to the Privacy Commissioner and the affected individuals as soon as practicable after becoming aware of the breach.
The breach notification to the Privacy Commissioner must:
- Describe the notifiable privacy breach;
- Explain the steps the Agency has taken or intends to take in response to the breach;
- State whether the Agency has notified, or will notify, any affected individuals and, if not, why;
- Name the individuals or organisations that the Agency has contacted about the privacy breach; and
- Identify a contact person for further inquiries.
The breach notification to the affected individual must include the above information as well as the following:
- Any steps the affected individuals may wish to take to mitigate the risk of harm or loss;
- The affected individual’s right to complain to the Privacy Commissioner; and
- Confirmation that the Privacy Commissioner has been notified.
When considering whether “serious harm” has occurred or is likely to occur to warrant mandatory notification of the breach, the Agency must consider the following factors:
- Any action taken by the Agency to reduce the risk of harm following the breach;
- Whether the personal information is sensitive in nature (there is no statutory category of “sensitive information” in New Zealand; the term refers to the type of personal information that is the subject of the breach);
- The nature of the harm that may be caused to affected individuals;
- The person or body that has obtained or may obtain personal information as a result of the breach (if known);
- Whether the personal information is protected by a security measure; and
- Any other relevant matters.
The following restrictions apply to the international transfer of personal data / information:
Personal information may only be disclosed to an overseas recipient, including a data storage provider, if:
  - The individual consents to the disclosure; and
  - One of the following applies:
    - The individual authorises the disclosure after being expressly informed that the recipient may not be required to protect the information to the same extent required by the Act;
    - The disclosing Agency believes on reasonable grounds that the overseas recipient is subject to the Act because it carries on business in New Zealand;
    - The disclosing Agency believes on reasonable grounds that the overseas recipient is subject to privacy laws that provide comparable safeguards to the Act;
    - The overseas recipient is covered by a “binding scheme” or is subject to the privacy laws of a “prescribed country” specified in regulations; or
    - The disclosing Agency has taken reasonable steps to ensure that the overseas recipient will protect the information in a way that, overall, provides comparable safeguards to those in the Act (for example, pursuant to a data protection agreement).
In practice, Agencies take the following steps to enable the lawful disclosure of personal information outside New Zealand:
- Conduct due diligence on the overseas recipient to ensure that it will protect the information in a manner that is equivalent to protection available under the Act; and
- Enter into data protection agreements with the overseas recipient prior to the disclosure.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes. Overseas organisations that “carry on business in New Zealand” are subject to the Act.
Whether an overseas organisation is “carrying on business in New Zealand” will depend on the specific circumstances as the term is not defined in the Act.
However, an overseas organisation may be treated as “carrying on business in New Zealand” without necessarily:
- Being a commercial operation;
- Having a place of business in New Zealand;
- Receiving any monetary payment for the supply of goods or services; or
- Intending to make a profit from its business in New Zealand.
The following rules specifically deal with marketing:
The Agency must obtain the individual’s consent to use their personal information for marketing purposes as required by the Act.
In addition to New Zealand privacy law requirements, Agencies must also comply with general consumer protection laws and the Unsolicited Electronic Messages Act 2007 where electronic messages are used for marketing purposes.
Do different rules apply to business-to-business and business-to-consumer marketing?
No. The Act applies to the use of personal information for marketing purposes irrespective of whether the marketing is on a B2B or B2C basis.
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
The Unsolicited Electronic Messages Act 2007 provides that “commercial electronic messages” that promote a good, service, land, or a business or investment opportunity may only be sent to an individual if:
- That individual has given the sender their consent;
- The electronic message includes a functional unsubscribe facility to enable the individual to unsubscribe from receiving commercial electronic messages at any time; and
- The electronic message contains accurate information about the “sender”.
The Unsolicited Electronic Messages Act 2007 applies to B2B and B2C communications and covers email, fax, instant messaging via online platforms, and texts, but does not cover online advertisements or voice calls.
The following rules specifically deal with cookies:
The consequences of non-compliance with data protection laws (including marketing laws) are:
There are a range of consequences for breaching the Act, including criminal liability for both the overseas company and its directors, with fines of up to NZD$10,000.
Class actions for a personal data breach are now permitted. If successful, each member of the class action may be awarded up to NZD$350,000.
Liability for breaching the Unsolicited Electronic Messages Act 2007 includes fines of up to NZD$200,000 for an individual and NZD$500,000 for a body corporate.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
The Act has extra-territorial application and applies to an overseas company that “carries on business in New Zealand”, whether or not the overseas company has a physical presence in New Zealand. Accordingly, any disclosure of personal information outside New Zealand is lawfully permitted under the Act if, and only if, the specific requirements for overseas disclosure are met, namely that the overseas recipient will protect the information in a way that is comparable to the requirements under the Act.
The best and most practical way to ensure the “comparable safeguard” requirement is met is by having a specific agreement between the disclosing Agency and the overseas recipient.
New Zealand law does not prescribe what those contractual arrangements ought to be or their form; however, model contracts have been provided by the New Zealand Privacy Commissioner which can be voluntarily adopted, if suitable.
Multinational organisations should be aware of the following upcoming data protection developments:
The New Zealand government is currently consulting on a process for determining the “prescribed countries” which the Privacy Commissioner considers to have adequate privacy laws for the purpose of overseas disclosure. The timeframe for prescribing the initial countries is early 2022.