New Zealand’s privacy laws haven’t changed since 1993, but technology and the way we live our lives online have changed significantly since then. Around the world, privacy laws are being updated to meet the needs of our changing world, and now it’s New Zealand’s turn.

The changes to the Privacy Act cover the addition of a new privacy principle, mandatory reporting of data breaches, greater powers for the Privacy Commissioner, heavier penalties for privacy offences and some updates to existing privacy principles.

The world is much more of a global marketplace now, hence privacy principle 12 was added. This principle puts the onus on companies to check the privacy protections in place in the countries to which personal information is disclosed. The scope of the Privacy Act has also been updated so that it explicitly applies to all companies that do business in New Zealand, and that doesn’t necessarily mean holding an office there.

If there has been a data breach that has caused, or has the potential to cause, serious harm, it is now mandatory to inform the Privacy Commissioner, and usually also the affected people. In the past, people may not even have been aware that their personal information had been breached, which meant they couldn’t do anything to mitigate the potential damage, for example by changing their passwords. Mandatory reporting aims to prevent this and will also give the Privacy Commissioner more oversight of the types of data breaches New Zealand companies are facing.

The Privacy Commissioner can now issue compliance notices that tell a company to do something or stop doing something in order to comply with the Privacy Act. The Commissioner will be able to shorten the timeframe in which a company must comply with investigations, and the penalty for non-compliance will be increased from $2,000 to $10,000.

The Privacy Commissioner will now make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.

There are also new offences, such as destroying a document containing personal information once a request has been made for it, with penalties of up to $10,000 for committing such offences.

Principle 1 has been updated to clarify the requirement to only collect identifying information from people if it is needed for a lawful purpose.

Principle 4 has been updated to clarify that companies must ensure the collection of personal information from children and young people is fair and reasonable.

Principle 13 has been updated to clarify that companies must take reasonable steps to protect unique identifiers from being misused.
