Data Protected - New Zealand
Last updated June 2022
General | Data Protection Laws
General data protection laws
The Privacy Act 2020 (the "Privacy Act").
The Information Privacy Principles ("Privacy Principles") in the Privacy Act may be supplemented by a code issued by the Privacy Commissioner for particular sectors. There are currently six codes in operation: the Civil Defence National Emergencies (Information Sharing) Code, the Credit Reporting Privacy Code, the Health Information Privacy Code, the Justice Sector Unique Identifier Code, the Superannuation Schemes Unique Identifier Code and the Telecommunications Information Privacy Code.
Entry into force
The Privacy Act came into force on 1 December 2020. It followed recommendations for particular areas of reform made by the New Zealand Law Commission and the Office of the Privacy Commissioner (including mandatory breach notification and stronger enforcement powers), to bring New Zealand's privacy law into line with other jurisdictions.
National Supervisory Authority
Details of the competent national supervisory authority
Office of the Privacy Commissioner
109-111 Featherston Street
Notification or registration scheme and timing
There is no notification or registration scheme for organisations that deal with personal data.
Exemptions to notification
Scope of Application
What is the territorial scope of application?
The Privacy Act applies to activities of agencies within New Zealand, including overseas agencies in the course of carrying on business in New Zealand (regardless of where the personal information is collected or held, or where the individual is located; and regardless of whether or not the overseas agency has a place of business in New Zealand, receives any monetary payment for its goods or services, or intends to make a profit from its business in New Zealand).
Is there a concept of a controller and a processor?
The Privacy Act uses the term "agency", which is broadly equivalent to a controller, and applies it in a way that preserves a distinction similar to that between controllers and processors. In particular, where an agency: (i) holds personal information as agent for, or for the sole purpose of processing the information on behalf of, another agency; and (ii) does not use or disclose the information for its own purposes, the information will be deemed to be held by the agency on whose behalf it is held or processed.
Are both manual and electronic records subject to data protection legislation?
Yes. The Privacy Act applies to all personal information collected, stored or held by an agency and is not reliant on the form in which the information is recorded.
Are there any national derogations?
The Privacy Act applies to all "agencies", being any person or body of persons, whether corporate or unincorporated, and whether in the public sector or the private sector.
Most organisations will fall within the definition of an 'agency'. Organisations specifically excluded from this definition include members of Parliament, courts and tribunals in relation to their judicial functions and the news media when they are conducting their news activities.
In addition, individuals who collect or hold personal information for their own personal, family or household affairs are exempt from the Privacy Act (although this does not apply where the collection, disclosure, or use would be highly offensive to an ordinary reasonable person).
What is personal data?
The Privacy Act uses the term "personal information" and defines it as "information about an identifiable individual", including information relating to a death that is maintained by the Registrar-General pursuant to the Births, Deaths, Marriages, and Relationships Registration Act 1995 or its predecessors.
"Information" is not defined in the Privacy Act, but it has been held in interpreting other relevant legislation that "information" is not confined to the written word but embraces any knowledge, however gained or held.
Is information about legal entities personal data?
No. Personal information must concern a natural person.
What are the rules for processing personal data?
The collection, use, and disclosure of personal information, by public and private sector agencies, must comply with the 13 Privacy Principles set out in the Privacy Act.
These principles can be summarised as obligations to: (i) collect the information for a lawful purpose (only to the extent necessary for that purpose) via legal means and directly from the data subject (subject to the provided exceptions); (ii) identify and communicate to the data subject the fact of collection and the lawful purpose for the collection of the information; (iii) protect the information against loss, access, use, modification, disclosure and other misuse and maintain the information in such a way that the agency can confirm the existence of, correct or provide access to the information on the request of the data subject; (iv) take reasonable steps to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant and not misleading; and (v) not disclose the information unless permitted to do so by law and, in the case of disclosures to an overseas agency, only if the receiving agency is subject to similar safeguards to those in the Privacy Act.
There are a number of exceptions, for example: (i) the Privacy Act applies only to the extent that it is not inconsistent with another Act of Parliament; and (ii) in special circumstances, the Privacy Commissioner can authorise agencies to collect, use or disclose information even when that would usually breach specified Privacy Principles.
Are there any formalities to obtain consent to process personal data?
No. However, Privacy Principle 3 sets out the information that the data subject must be made aware of before, or as soon as practicable after, information is collected.
Are there any special rules when processing personal data about children?
Privacy Principle 4 requires agencies to have regard to an individual's age when deciding how to collect information to ensure that the way information is collected from children and young people is fair.
Are there any special rules when processing personal data about employees?
There are very limited additional rules when processing personal data about employees. However, the requirements under the UEMA (discussed below) do not apply to messages in circumstances where the sender and recipient have a special relationship and the message contains information relating to that relationship, such as information about employment or a related benefit plan.
Sensitive Personal Data
What is sensitive personal data?
The Privacy Act does not contain any concept or definition of sensitive personal data. The Privacy Commissioner has however published a guidance note that outlines the Privacy Act's application to sensitive personal information, which it describes as "information about the individual that has some real significance to them, is revealing of them, or generally relates to matters that an individual might wish to keep private." The guidance specifically lists health, genetic, biometric and financial information, as well as the personal information of children and young people as sensitive personal information.
The Privacy Act requires agencies collecting personal information to only do so for a "lawful purpose connected with a function or activity of the agency", and the collection must be "necessary" for that purpose (Privacy Principle 1). In addition, information may not be collected by unlawful, unfair or unreasonably intrusive means (Privacy Principle 4). In practice, this may constrain the collection of certain types of personal information where they cannot be reasonably connected to a lawful purpose of the agency.
Health information is subject to specific protection through the Health Information Privacy Code (the "HIPC").
Are there additional rules for processing sensitive personal data?
No. However, health information may be processed only for purposes allowed by the HIPC.
Are there additional rules for processing information about criminal offences?
Some criminal records are subject to specific protection through the Criminal Records (Clean Slate) Act 2004 (the "Clean Slate Act"). The criminal records of those who are deemed by the Clean Slate Act to have a clean criminal record may be processed only for purposes allowed by the Clean Slate Act.
Are there any formalities to obtain consent to process sensitive personal data?
No. However, the HIPC notes that agencies may need to give a more detailed explanation as to the intended use of information when particularly intimate or sensitive information is sought, or where it plans to use the information in an unexpected way.
Data Protection Officers
When must a data protection officer be appointed?
Every public and private sector agency must have at least one privacy officer (from within or outside the agency).
What are the duties of a data protection officer?
The Privacy Act sets out some of the responsibilities of the privacy officer, namely: (i) encouraging the agency to comply with the Privacy Principles; (ii) dealing with requests made to the agency under the Privacy Act (e.g. requests for access to personal information, or correction of personal information); (iii) working with the Office of the Privacy Commissioner in relation to investigations conducted pursuant to complaints made under the Privacy Act in relation to the agency; and (iv) otherwise ensuring compliance by the agency with the Privacy Act.
The Office of the Privacy Commissioner also recommends that a privacy officer should: (i) be familiar with the privacy principles in the Privacy Act and with any other legislation governing what the agency can and cannot do with personal information; (ii) deal with any complaints from the agency's clients about possible breaches of privacy; (iii) train other staff at the agency to deal with privacy properly; and (iv) advise managers on how to ensure the agency's business practices comply with privacy requirements, on the privacy impacts (if any) of changes to the agency's business practices, and on whether improving privacy practices might improve the business.
The Privacy Commissioner can also require an agency to provide the name and contact details of the agency's privacy officer for the purpose of enabling the Commissioner to respond to inquiries from the public about personal information held by the agency.
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
There is no general accountability obligation in New Zealand privacy law. Agencies are required to adhere to the Privacy Principles outlined in the Privacy Act, and the Office of the Privacy Commissioner's website publishes guidance on how companies can do so.
Are privacy impact assessments mandatory?
The Office of the Privacy Commissioner's website contains guidance on Privacy Impact Assessments (PIAs) and the ways in which they are useful to agencies, but there is no requirement at law for agencies to carry out PIAs. The guidance notes that PIAs will help agencies to know if they are meeting their obligations under the Privacy Act.
In specific guidance on the regulation of biometrics, the Office of the Privacy Commissioner has noted that it expects PIAs to be carried out for all projects involving biometrics.
Rights of Data Subjects
Before collecting information, an agency must have identified a legal purpose for the collection that is connected to the agency's functions or activities. This purpose must be communicated to the data subject and will then govern how the information can be used (subject to exceptions within the Privacy Act).
The agency must also provide its name and address, the intended recipient(s) of the data subject's personal information, the authority and purpose of the collection, the consequences if requested information is not provided, and the right of the data subject to access and correct his/her personal information.
Rights to access information
The data subject to whom particular information relates has a right to receive upon request confirmation from the agency of whether or not it holds such information and to have access to that information (Privacy Principle 6).
Rights to data portability
There is no data portability right in New Zealand.
Right to be forgotten
While there is no "right to be forgotten" in New Zealand privacy law, there is a limited right under the Privacy Act for a data subject to request that an agency holding personal information about that data subject make a correction to that information. Such a correction may be by way of a deletion of information (Privacy Principle 7).
In addition, the Harmful Digital Communications Act 2015 (the "HDCA") has introduced, among other things, a right for individuals to apply to the District Court for a take-down order. The purpose of the HDCA is to: (i) deter, prevent, and mitigate harm caused to individuals by digital communications (i.e. any form of electronic communication); and (ii) provide victims of harmful digital communications with a quick and efficient means of redress.
Individuals who allege they have suffered or will suffer harm as a result of a digital communication can lay a complaint with Netsafe, the approved agency under the HDCA, and Netsafe will attempt to resolve the issue between the parties. If Netsafe is unable to resolve the matter, or decides to take it no further, affected individuals may apply to the District Court for a number of orders, including that the material is taken down or corrected.
Objection to direct marketing
The Privacy Act does not give data subjects a right to object to direct marketing. However, please see the section which follows dealing with ePrivacy for comments on data subjects' rights to object to direct marketing by email, telephone and fax.
Where an agency holds personal information, Privacy Principle 7 entitles the data subject to request the correction of his/her information and to request that a statement be attached to his/her personal information noting the correction sought but not made.
Security requirements in order to protect personal data
Privacy Principle 5 of the Privacy Act requires agencies to protect personal information with such security safeguards as it is reasonable in the circumstances to take against loss, access, use, modification, disclosure and other misuse.
If it is necessary for the information to be given to a third party, the agency must do everything reasonably within its power to prevent unauthorised use or unauthorised disclosure of the information by that third party.
Specific rules governing processing by third party agents (processors)
The Privacy Act does not contain any specific rules regarding security requirements where information is processed by a third-party agent.
However, as noted above, where an agency: (i) holds personal information as agent for, or for the sole purpose of processing the information on behalf of, another agency; and (ii) does not use or disclose the information for its own purposes, the information will be deemed to be held by the agency on whose behalf it is held or processed. In addition, the Privacy Act provides that a principal will be liable for the acts or omissions of its agent regarding the processing of personal information, unless done or omitted without the (principal) agency's express or implied authority.
Accordingly, where an agency appoints a third-party agent to process personal information on its behalf, the agency will remain responsible under the Privacy Act for ensuring that the Information Privacy Principles (including the security requirements in Principle 5) continue to be met.
Notice of breach laws
The Privacy Act introduced mandatory data breach reporting requirements under which an agency must notify the Privacy Commissioner and the affected individual(s) as soon as practicable after becoming aware of a notifiable privacy breach. The Privacy Commissioner has further clarified that, unless there are extenuating circumstances, notification should take place within 72 hours of the agency becoming aware of the breach. A notifiable privacy breach is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or is likely to do so.
In determining whether a breach has caused serious harm, agencies must consider: (i) any action(s) taken by the agency to reduce the risk of harm following the breach; (ii) whether the personal information is sensitive in nature (e.g. health records); (iii) the nature of the harm that may be caused to affected individuals; (iv) the person or body that has obtained or may obtain the personal information as a result of the breach (if known); (v) whether the personal information is protected by a security measure; and (vi) any other relevant matters.
If it is not reasonably practicable to notify the affected individual(s), the agency must give public notice of the privacy breach instead (subject to certain exceptions). The Privacy Regulations 2020 provide the procedure for giving such public notice.
The Office of the Privacy Commissioner has launched an online privacy breach self-assessment tool and an online privacy notification form, and has updated its guidance to help businesses and organisations with this new requirement.
Failure to notify the Commissioner of a notifiable privacy breach is an offence punishable by a fine not exceeding $10,000.
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
The Privacy Act introduced new requirements under Privacy Principle 12 applying to agencies wishing to disclose personal information overseas. These include a requirement that the agency believe on reasonable grounds either that:
- the recipient is subject to privacy laws that, overall, provide comparable safeguards to the New Zealand Privacy Act; or
- the recipient is required to protect the information in a way that overall provides comparable safeguards to the Privacy Act (for example pursuant to contract).
If a jurisdiction does not offer similar protections, the individual concerned must be fully informed that their information may not be adequately protected and they must expressly authorise the disclosure.
The Office of the Privacy Commissioner has published guidance on this new Privacy Principle and example model clauses, which can be used to assist agencies which are transferring information overseas to ensure that they meet the requirements of Privacy Principle 12.
The HIPC will continue to apply to personal information and health information even when it is transferred out of New Zealand. For the purposes of Privacy Principles 5 (Storage), 8 (Accuracy), 9 (Retention), 10 (Limits on use) and 11 (Limits on disclosure), information transferred out of New Zealand for storage and processing purposes is still considered to be held by the agency. Similarly, for the purposes of Privacy Principles 6 (Access to personal information) and 7 (Correction of personal information), information held by an agency includes information held outside New Zealand by that agency.
In addition, the Privacy Commissioner may prohibit transborder dataflows of information where the Privacy Commissioner is satisfied, on reasonable grounds, that: (i) the information has been received in New Zealand from another state and the transborder dataflow is likely to be to a third state where it will not be subject to a law providing comparable safeguards to the Privacy Act; and (ii) the transborder dataflow would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and Schedule 5A of the Privacy Act. This power was added to the Privacy Act in the course of New Zealand's application to obtain whitelisted country status, in order to address European Commission concerns regarding the ability to regulate transfers from New Zealand of personal information which has originated in an EEA country.
The Privacy Commissioner's powers to prohibit transborder dataflows do not apply where the transborder dataflow is required by New Zealand law, or any convention or other instrument imposing international obligations on New Zealand.
Notification and approval of national regulator (including notification of use of Model Contracts)
There is no additional obligation to notify or obtain the consent of the Privacy Commissioner for transborder dataflows.
Use of binding corporate rules
There is no concept of binding corporate rules in New Zealand privacy law.
The Privacy Commissioner still has limited powers under the Privacy Act and does not have any ability to make rulings or determinations, issue fines or bring prosecutions, or direct settlements. Instead, the Privacy Commissioner operates as a body to receive and investigate complaints regarding interference with an individual's privacy.
It is an offence under the Privacy Act (punishable on summary conviction with a fine not exceeding NZ$ 10,000) to: (i) without reasonable excuse, obstruct, hinder, or resist the Privacy Commissioner or any other person in the exercise of its powers under the Privacy Act; (ii) without reasonable excuse, refuse or fail to comply with any lawful requirement of the Privacy Commissioner or any other person under the Privacy Act; (iii) make any statement or give any information to the Privacy Commissioner or any other person exercising powers under the Privacy Act knowing that the statement or information is false or misleading; (iv) represent, directly or indirectly, that he or she holds any authority under the Privacy Act when he or she does not hold that authority; (v) mislead an agency by impersonating an individual, or falsely pretending to be an individual or to be acting under the authority of an individual, for the purpose of obtaining access to that individual's personal information or having that individual's personal information used, altered or destroyed; or (vi) destroy any document containing personal information, knowing that a request has been made in respect of that information under the Privacy Act.
The offences under the Privacy Act are not punishable by imprisonment.
The Privacy Commissioner will often try to settle the complaint by conciliation and mediation. If the complaint is not settled during the investigation, then the Privacy Commissioner may form the view either that there is no substance to a complaint (in which case the complainant may still file proceedings with the Human Rights Review Tribunal on his/her own account) or that there is substance to the complaint and refer it to the Director of Human Rights Proceedings (a separate statutory authority) to decide whether or not to bring proceedings at the Human Rights Review Tribunal (the "Tribunal").
If the complaint is referred to, or taken by the complainant to, the Tribunal, the Tribunal will hear the complaint afresh and is not bound by the Privacy Commissioner's opinion. The decision of the Tribunal on a Privacy Act complaint is legally binding.
The Tribunal can award various remedies, including: (i) a declaration that the agency breached the law; (ii) an order preventing repetition of the breach; (iii) an order to rectify the breach; (iv) damages; and/or (v) an award of damages against the losing party. The Human Rights Review Tribunal's power to award damages is subject to a maximum of NZ$ 350,000 (approximately GBP 175,000).
The Privacy Commissioner has been known to publicly name agencies that it considers to have breached the Privacy Act. The Privacy Commissioner applies a naming policy which focuses on whether naming the agency would further the purposes of the Privacy Act.
Under the Privacy Act, the Privacy Commissioner has the power to issue compliance notices requiring an agency to do something, or stop doing something, in order to comply with the Act. Such compliance notices may be published, identifying the agency subject to the compliance notice and details about the breach if the Commissioner believes it is desirable to do so in the public interest.
The Privacy Commissioner can also direct an agency to provide individuals with access to their personal information. Both compliance notices and access directions are enforceable in the Human Rights Review Tribunal.
According to the Annual Report of the Privacy Commissioner 2021, the Privacy Commissioner received approximately 561 privacy complaints and 544 data breach notifications in the year ending 30 June 2021. Of the complaints closed for the year 2020/21, 65% were closed with some sort of settlement.
Recent enforcement action includes: (i) compensation of NZ$ 100,000 (approximately GBP 50,000) ordered payable by Netsafe for refusing three Privacy Principle 6 requests; (ii) compensation of NZ$ 50,000 (approximately GBP 25,000) ordered payable by a school staff member for disclosing personal information about a mother and her son to the courts; (iii) compensation of NZ$ 70,000 (approximately GBP 35,000) ordered payable by a blogger for severe humiliation, loss of dignity and injury to feelings caused by the disclosure of multiple documents including emails and bank statements containing personal information about the plaintiff on various websites and allegations made about the plaintiff on a blog; (iv) compensation of NZ$ 50,000 (approximately GBP 25,000) ordered payable by Accident Compensation Corporation to a claimant after it was found to have breached the Privacy Act 1993 by destroying the claimant's file; and (v) compensation of NZ$ 28,000 (approximately GBP 14,000) ordered payable by the New Zealand Parole Board for unlawful disclosure of an offender's parole address to his victim.
In 2021, the Office of the Privacy Commissioner also issued its first compliance notice to the Reserve Bank of New Zealand, triggered by a cyber attack in December 2020.
Other notable enforcement includes: (i) compensation of NZ$ 18,000 (approximately GBP 9,000) ordered payable by an individual, rather than the organisation for whom he worked, for humiliation and loss of dignity caused by the disclosure of a damaging letter about the plaintiff to a student magazine; (ii) an award of NZ$ 168,000 (approximately GBP 84,000, the highest award to date) issued against a company which compelled an employee to access a former employee's (Ms H) Facebook page, in breach of Ms H's Facebook privacy settings, in order to access and maliciously distribute to third parties (including Ms H's new employer) a photo of a cake that Ms H had baked which featured derogatory language directed at her former employer; (iii) compensation of NZ$ 25,000 (approximately GBP 12,500) ordered payable by a telecommunications company which breached a customer's privacy by providing inaccurate information to a debt collection agency; (iv) compensation of NZ$ 21,000 (approximately GBP 10,500) ordered payable by a government agency which was found to be in breach of Principle 1 by collecting personal information which was not reasonably necessary for the purpose of assessing income-related rent applications; and (v) compensation of NZ$ 7,500 (approximately GBP 4,000) ordered payable by government entity Accident Compensation Corporation for failing to take reasonable steps to ensure information was accurate before use, having used an old medical report to determine that the complainant no longer needed compensation for an injury.
ePrivacy | Marketing and cookies
The Unsolicited Electronic Messages Act 2007 ("UEMA") governs the sending of commercial electronic messages and prohibits the sending of unsolicited commercial electronic messages and, in particular, the use of address-harvesting software. UEMA came into force on 4 September 2007.
UEMA applies to any electronic message sent for a commercial purpose. "Electronic message" is defined broadly to cover any form of message sent using a telecommunications service (but excluding voice calls) or to an electronic address, and therefore covers email, fax, text messages and other forms of electronic messages.
Currently, New Zealand law does not contain any specific provisions regarding cookies and there is no legal requirement to notify users of cookies, third party or otherwise, unless cookies collect personal information.
The Office of the Privacy Commissioner has suggested that the user should be informed when a cookie is intended to be received, stored or sent via the Internet. The notice should specify, in generally understandable language, which information is intended to be stored in the cookie, for what purpose, and the period of validity of the cookie.
Conditions for direct marketing by e-mail to individual subscribers
UEMA sets out the conditions for direct marketing by e-mail. UEMA requires that a "commercial electronic message" may be sent only with the consent of the recipient, must include accurate information about the person who authorised the sending of the message, and must contain a functional unsubscribe facility enabling the recipient to instruct the sender that no further messages are to be sent to the recipient.
UEMA regulates the sending of commercial electronic messages which have a "New Zealand link", which is where: (i) the message originates from New Zealand; (ii) the person who sent the message, or the recipient of the message, is an individual who is physically present in New Zealand when the message is sent or accessed, or is an organisation whose central management and control is in New Zealand when the message is sent or accessed; or (iii) the message is sent to an electronic address that ends with "nz" or begins with an international access code directly followed by "64".
UEMA expressly prohibits harvesting e-mail addresses for the purpose of sending bulk unsolicited commercial e-mails.
Conditions for direct marketing by e-mail to corporate subscribers
UEMA does not distinguish between individual and corporate recipients of commercial electronic messages.
However, with regard to the ability to deem or infer consent, UEMA provides that consent will be deemed to have been given when an email address (or other electronic address) has been conspicuously published by a person in a business or official capacity, it is not accompanied by a statement to the effect that the relevant electronic address-holder does not want to receive unsolicited electronic messages, and the message is relevant to the business, role, functions or duties of the recipient.
Exemptions and other issues
Exemptions from UEMA requirements include where the message provides a quote, facilitates a previously agreed commercial transaction, provides information about goods previously purchased, provides factual information about an ongoing membership or subscription, or delivers product upgrades, as well as certain messages authorised by a government body, court or tribunal, and certain messages in other specified circumstances where the sender and recipient have a special relationship and the message contains information relating to that relationship (such as information about employment or a related benefit plan, or information about a subscription, membership, account or loan).
The Marketing Association has developed Best Practice Guidelines for Email Marketing which are complementary to the legislative framework provided by UEMA.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
There is no specific legislative scheme limiting direct marketing by telephone to individual subscribers and voice calls made using a standard telephone service are specifically excluded from the scope of UEMA.
However, telemarketing activities, particularly with regard to the collection and storage of personal data, must comply with the Privacy Act and the 13 Privacy Principles. In addition, telemarketing is captured by the scope of various other enactments. Organisations that engage in telemarketing must comply with consumer protection laws, most notably the Consumer Guarantees Act 1993 and the Fair Trading Act 1986.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
There are no separate requirements for direct marketing by telephone to corporate subscribers.
Exemptions and other issues
The Marketing Association has developed a Telemarketing Code of Practice for the purpose of promoting best practice by those engaged in telemarketing.
The Marketing Association also runs a voluntary scheme called the "Do Not Call" service. The service caters for people who do not wish to receive unsolicited marketing calls to their home telephone. Responsible businesses who use the telephone as a marketing tool subscribe to the Do Not Call list to ensure they do not call any number on that list. The "Do Not Call" service does not extend to businesses.