In this article, we break down New Zealand’s Privacy Act 2020 and discuss how you can make your website compliant with the Act.

Blog summary

New Zealand’s Privacy Act 2020 requires that an organization collect and use an individual’s personal information only for a lawful purpose. Like other data privacy laws around the world, it requires organizations to be transparent about how and why they collect and use users’ personal data.

The cornerstone of the Act is its 13 Information Privacy Principles, which govern the collection, use, and disclosure of personal information. Several of them apply to websites as well.

What is New Zealand’s Privacy Act 2020?

New Zealand’s Privacy Act 2020 replaces the Privacy Act 1993, which it repeals. It came into effect on December 1, 2020.

The objective of the Privacy Act 2020 is to provide “internationally recognised privacy obligations and standards” to protect the personal information of people in New Zealand. It also recognizes several rights of individuals, including the right to access their personal information.

The Act applies to any agency (company, organization, or website) that collects, holds, uses, or discloses personal information of individuals within the territory of New Zealand.

Personal information under the Act means any “information about an identifiable individual”. In other words, any piece of data that can identify a person is personal information: for example, a name, postal address, email address, phone number, social media details, or device information collected via cookies.

The Privacy Act 2020 is enforced and supervised by the Office of the Privacy Commissioner.

Read the official text here.

Information Privacy Principles under the Privacy Act 2020

The NZ Privacy Act 2020 sets out 13 Information Privacy Principles (IPPs) for handling personal information. They govern how organizations must collect, use, hold, and disclose individuals’ personal information.

IPP 1: Purpose for collection

An organization can collect an individual’s personal information only for a lawful purpose connected with its activities, and only where collecting that information is necessary for that purpose.

IPP 2: Source of information

If an organization needs to collect an individual’s personal information, it must collect it from that individual and not from other sources, unless:

  • it will not prejudice the interests of the individual concerned,
  • it is for a lawful purpose,
  • the individual authorizes collection from someone else,
  • the information is publicly available,
  • it is necessary for:
    • investigating or prosecuting criminal offences,
    • law enforcement,
    • protecting the vital interests of individuals,
    • proceedings before a court, or
    • protecting public revenue,
  • the information will be used in a form in which the individual cannot be identified, or
  • the information will be used for statistical or research purposes and published in a form in which no individual can be identified.

IPP 3: Collection of information from subject

The organization must inform the individuals whose personal information it is collecting about:

  • the fact that it is collecting the information,
  • the purpose of the collection,
  • who the information will be shared with,
  • the name and address of the organization that collects or holds the personal information,
  • what will happen if the individuals do not provide the information, and
  • their rights to access and correct the personal information.

The organization need not inform the individuals where the same exceptions listed under IPP 2 apply.


IPP 4: Manner of collection of personal information

The organization must collect an individual’s personal information by lawful means, and not in a way that is unfair or unreasonably intrusive.


IPP 5: Storage and security of personal information

The organization must have appropriate security safeguards in place to protect personal information against loss, unauthorized access or disclosure, and other misuse.

IPP 6: Access to personal information

Individuals have the right to access their personal information. On request, the organization must confirm whether it holds any personal information about them and give them access to it.

IPP 7: Correction of personal information

Individuals have the right to ask the organization to correct their personal information. It is also the organization’s responsibility to use the information lawfully and to ensure that it is accurate, up to date, complete, and not misleading.

If the organization refuses the request or disagrees with it, it must attach a statement of the correction sought to the information.

IPP 8: Accuracy of personal information

An organization must ensure that the personal information they hold is accurate, up to date, complete, and not misleading.

IPP 9: Retention of personal information

The organization should not keep personal information for longer than is required for the purpose for which it was collected.

IPP 10: Use of personal information

An organization cannot use personal information collected for a defined purpose for any other purpose unless the new purpose is directly related to the original one. Beyond this, the exceptions listed under IPP 2 also apply.

If you need to use the personal information for another purpose, you must inform the individuals concerned and obtain their consent.

IPP 11: Disclosure of personal information

An organization must not disclose personal information to any other organization unless:

  • disclosure is one of the purposes for which the information was collected,
  • it is disclosed to the individual concerned,
  • the individual authorizes the disclosure,
  • the information is available in a publicly accessible publication, or
  • one of the other exceptions listed under IPP 2 applies.

IPP 12: Disclosure of personal information outside New Zealand

An organization can disclose personal information to another organization outside New Zealand if:

  • the individual concerned consents to the disclosure,
  • the foreign organization is subject to the Act,
  • it informs the individual that the information may not receive safeguards comparable to those under the Privacy Act,
  • the foreign organization provides safeguards comparable to the Act, or
  • the foreign organization is subject to a binding scheme or to the privacy laws of a prescribed country.

IPP 13: Unique identifiers

Unique identifiers are forms of identification given to people by organizations, e.g. passport number, driver’s license number, or social security number. 

An organization cannot assign a unique identifier to an individual if another organization has already assigned that unique identifier to the individual. 

The unique identifier must be assigned to an individual whose identity is clearly established. The organization must take reasonable steps to minimize the risk of misuse of the unique identifier.

Privacy Act 2020 breach notification

A privacy breach is the unauthorized or accidental access to, or disclosure, loss, or destruction of, personal information. A privacy breach may also prevent an organization from accessing the information, temporarily or permanently.

You must notify the Commissioner and the affected individuals of the breach as soon as practicable after becoming aware of it.

A privacy breach is notifiable if it causes serious harm to the affected individuals. Whether it does also depends on the measures the organization has taken to minimize the risk.

The notice must include:

  • the number of affected individuals,
  • the measures taken, or intended to be taken, to mitigate the risks,
  • the details of the person or organization in possession of the personal information, and
  • the contact details of the organization.

Failing to notify the Commissioner of the breach could result in a fine of up to $10,000.

Privacy Act 2020 fine for non-compliance

An organization may face charges if it:

  • obstructs or resists the Commissioner, or any other person, in exercising their powers under the Privacy Act, or
  • fails to comply with any lawful requirement of the Act.

The fine for failing to comply with the New Zealand Privacy Act 2020 is up to $10,000. The Commissioner decides the timeframe within which an organization must cooperate with the investigation that follows an infringement.

How to make your website compliant with the Privacy Act 2020?

Here is a checklist for making your website compliant with the New Zealand Privacy Act 2020.

  1. Assess whether your website collects, uses, holds, or discloses the personal information of people in New Zealand.
  2. Identify the lawful purpose for which you need to collect the information.
  3. Keep the data accurate and complete.
  4. Do not store personal information longer than necessary for the defined purpose.
  5. Do not share personal information without the consent of the users.
  6. Take the necessary security measures to protect the website and the personal information it holds from loss or theft.
  7. Notify users of the purpose for collecting their personal information and obtain their consent for it.
  8. Disclose how you handle personal information to your users, preferably via a privacy policy page.
  9. Add a cookie consent notice to every page to obtain user consent before setting cookies.
  10. Provide a link or email address through which users can request access to, or correction of, their personal information.
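Steps 7 and 9 come down to two mechanics: no non-essential tag runs until the visitor has opted in to its category, and every decision is recorded so consent can be demonstrated later. The following JavaScript is an added illustration of those mechanics, not code from the article or from CookieYes; the cookie name, categories and script URLs are constructed for the example.

```javascript
// Added example: consent-gated loading of third-party tags with an auditable
// consent record. Cookie name, categories and script URLs are constructed.
const CONSENT_COOKIE = 'site_consent';            // hypothetical cookie name
const CATEGORIES = ['analytics', 'marketing'];    // non-essential purposes

// Parse the consent cookie from a document.cookie-style string.
// Returns null when the visitor has not decided yet, which means "block".
function parseConsent(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const v = JSON.parse(decodeURIComponent(rest.join('=')));
      const consent = {};
      for (const c of CATEGORIES) consent[c] = v[c] === true;  // opt-in only
      return consent;
    } catch (e) {
      return null;                 // malformed or tampered: treat as no consent
    }
  }
  return null;
}

// Strictly necessary scripts always load; every other category needs opt-in.
function allowedScripts(consent, scripts) {
  return scripts.filter(s => s.category === 'necessary' ||
                             (consent !== null && consent[s.category] === true));
}

// Build the record kept to demonstrate consent later: what was agreed,
// when, and under which version of the notice.
function consentRecord(choices, noticeVersion, now = new Date()) {
  const record = { timestamp: now.toISOString(), noticeVersion };
  for (const c of CATEGORIES) record[c] = choices[c] === true;
  return record;
}

// Constructed sample of the tags a site might register. In a browser these
// would be <script type="text/plain" data-category="..."> tags that are
// switched to executable only after consent for their category.
const SCRIPTS = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// Return the script URLs that may run for a given document.cookie string.
function loadAllowed(cookieString, scripts = SCRIPTS) {
  return allowedScripts(parseConsent(cookieString), scripts).map(s => s.src);
}
```

With no consent cookie only the necessary script is returned; a malformed cookie is treated the same way rather than as consent.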

CookieYes for New Zealand’s Privacy Act 2020

CookieYes is a cookie consent solution that helps your website obtain and manage user consent for cookies. From flexible customization features to excellent support, CookieYes provides an all-around cookie consent solution.

Using CookieYes, you can

  • add a cookie consent notice to your website and customize it any way you want,
  • choose from 26 languages for the cookie consent notice or banner,
  • auto-translate the consent notice,
  • auto-scan your website for cookies and list them on your website,
  • auto-block third-party cookies until the user consents, and add any other scripts you want blocked,
  • display the consent notice depending on the location of the user,
  • log user consent so that consent can be demonstrated if needed, and
  • quickly add a privacy policy page with the privacy policy generator.

Sign up today for free and make your website cookie compliant.