New Zealand’s Data Privacy Law: What You Need to Know

What is New Zealand’s Data Privacy Law?

On December 1, 2020, the Privacy Act 2020 took effect in New Zealand. The law guides how organizations gather, use, share and save personal information. The Privacy Act also mandates that organizations must report “serious” data breaches immediately if there is a “risk of harm.” “Risk of harm” refers to any incident in which data has been leaked outside of the organization. 

This act will replace the Privacy Act of 1993 and offer more protections for individuals while simultaneously holding businesses more accountable for their data hygiene. The rules within the Privacy Act apply to any data handlers based in New Zealand or organizations that carry out business in New Zealand virtually or collect data on its citizens.

What is Personal Information Under New Zealand’s New Privacy Law?

Although data at face value may seem anonymous and innocent, when it ends up in the wrong hands, it can place an individual’s identity at risk. According to New Zealand’s new law, personal information, or PII, is considered any information that provides details about a specific individual,  including:

• Name
• Phone number
• Email address
• Social security number
• Credit card number
• Passport
• License plate number
• National ID
• Bank accounts

Principles of the Privacy Act 2020

The updated New Zealand Privacy Act is composed of 12 principles that guide organizations toward safer and more effective data usage. Below are the principles outlined in the Privacy Act. 

• Principle 1: Purpose of collection of personal information – Organizations should only collect data that holds a lawful purpose related to their business function. In other words, is collecting the data necessary? 
• Principle 2: Source of personal information – The data collected should come from the source i.e. the individual involved. However, there are a few exceptions to this principle. For example, if a person’s data is publically available, needed for legal purposes, or previously authorized to be shared.
• Principle 3: Collection of information from subject – This principle deems it necessary for organizations to communicate to individuals the reason why their data is being used and what it is being used for.  
• Principle 4: Manner of collection of personal information – Data should be collected in a transparent way that is lawful, fair, unintrusive and reasonable. 
• Principle 5: Storage and security of personal information – Organizations must make certain that safeguards are in place to prevent the loss, abuse or disclosure of personal information within reasonable circumstances. 
• Principle 6: Access to personal information – If an individual inquires about personal information collected on them, the organization is required to share the reason why. 
• Principle 7: Correction of personal information – If the personal information collected by a business is incorrect, individuals have the right to request updates and corrections.
• Principle 8: Accuracy, etc., of personal information to be checked before use – Organizations are accountable for ensuring that personal information is up-to-date, accurate and not misleading.
• Principle 9: Agency not to keep personal information for longer than necessary – This principle calls for organizations to only keep data as long as it is lawfully used and relevant to their business. 
• Principle 10: Limits on use of personal information – Unless a person states otherwise, the data collected on individuals should be used for the purposes the organization already made consumers aware of. 
• Principle 11: Limits on disclosure of personal information – Disclosure of personal data is not allowed unless it is used in a manner that keeps the individual anonymous, related to protecting health and safety, needed for law and legal purposes or the individual has already agreed to the disclosure of their information from previous communication. 
• Principle 12: Unique identifiers – Unique identifiers are numbers or codes that organizations use to decipher individuals from one another in a unique way, such as a driver’s license or social security number. Under Principle 12, organizations should avoid giving individuals the same unique identifier that another organization may have already paired them with. Safeguards must also be in place to protect unique identifiers from being abused, such as truncating account numbers on correspondence. 

New Zealand Adequacy Decision with the European Union

The European Commission has the power to deem countries outside of the EU as having sufficient practices in place to protect European citizens. New Zealand is only one of 12 countries deemed by the EU to offer adequate enough data protection. This means that EU personal data can flow from EU to New Zealand under New Zealand data protection laws without additional protection required. However, the European Commision may also amend or withdraw an adequacy solution at any point, thus giving reason for New Zealand and other countries to be at the forefront of data compliance and protection. 

Ensure Compliance of New Zealand’s Data Privacy Law with Ground Labs

With more consumers turning towards their smartphones to conduct business, access social media, shop, and conduct research over the internet, the New Zealand Privacy Act is a timely and important safeguard for consumer privacy and protection. This law will protect New Zealand citizens regardless of where an organization is located if they are engaging with citizen data. 

Ground Labs is poised to adapt to the ongoing global compliance landscape with tailored solutions such as Enterprise Recon. The time is now to get your business up-to-date with the Data Privacy Law. 

Ready to learn more? Schedule a meeting with an expert today.