Privacy Act 2020

Privacy Act 2020
Thursday May 20, 2021

Key changes:


Notifiable Privacy Breaches

The Act introduced a privacy breach notification system.  A privacy breach that an organisation or business believes has caused, or is likely to cause, serious harm will need to be notified to the Privacy Commissioner and affected individuals as soon as possible.  It is an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach.

The Act outlines that the liability for breach notifications rests with the organisation or business, not the individual employee.  The threshold for notifiable breach is ‘serious harm’.

There are limited circumstances where an organisation or business is permitted to delay notifying the individual or public.  These include circumstances where notification may risk further breaches, if informing an individual will likely affect their health, or they are under 16 years of age and the organisation believes that notification would not be in their best interests.

The Office of the Privacy Commissioner has launched an online privacy breach notification tool, Notify Us, (link below) to help businesses and organisations work out whether a privacy breaches is notifiable and to report the breach to the Privacy Commissioner:


Compliance Notices

The Act empowers the Commissioner to issue compliance notices to businesses or organisations.

The compliance notices will outline the changes that the Commissioner considers necessary to remedy non-compliance with the Act.  These notices will also express a date by which the organisation or business must make the changes.


Enforceable Access Directions

The Privacy Commissioner is empowered to direct agencies to provide individuals access to their personal information.  This is so that there can be a faster resolution of complaints relating to information access under Principle 6.

Failure to notify the Privacy Commissioner of a Notifiable Privacy Breach or failure to comply with either a Compliance Notice or an Access Direction can result in a penalty of up to $10,000.


Disclosing Information Overseas

Another key change to the Act is the addition of Principle 12.  Principle 12 regulates how personal information is sent overseas.

If an overseas business or organisation does not have privacy safeguards similar to New Zealand, personal information can only be sent if the individual concerned has given their express permission.   


New Criminal Offences

The Act has now introduced criminal offences.  Per s 212 of the Act, it will be an offence:

  • To impersonate someone to access information that you are not entitled to in order to access their personal information or alter, use or destroy their personal information.
  • For an organisation or business to destroy personal information knowing that a request has been made to access it.

The penalty for both of these offences is a fine of up to $10,000.


Further Changes

The Act has clarified Principle 1 to ensure that businesses and organisations do not collect any identifying information if it is not necessary for their purpose.


Businesses and organisations must ensure that their privacy policies, including any privacy policies included in template employment agreements, are compliant with their privacy obligations under the Act.

If you would like some advice around your privacy obligations and continued privacy compliance, or if you would like assistance with drafting or updating your privacy policy, please feel free to contact our office.


By Anneke Reid