Privacy Act 1993 vs 2020 Guide

The Privacy Act 1993 was New Zealand’s first law to set out clear rules for collecting, using, and sharing personal information. It shaped how organisations, especially employers, handled employee and customer data.

In December 2020, it was replaced by the Privacy Act 2020. The new law modernised New Zealand’s privacy protections to match today’s digital world, where data is often stored in the cloud, shared across borders, and used by third-party apps.

‍

For employees, it offered stronger rights to know how their personal information is used and to expect transparency from their employers.

‍

In this guide you’ll learn:

• What changed between the Privacy Act 1993 and 2020
• How the changes affect NZ workplaces
• Breakdown key changes

‍

From 1993 to 2020: Why the Update Was Needed

‍

When the Privacy Act 1993 was introduced, most data was stored in paper files or local servers. Email was new, and “cloud storage” didn’t exist.

‍

Fast forward to 2020; businesses use digital HR platforms, recruitment tools, and payroll systems that often process personal information overseas. The 1993 rules could no longer keep up with this fast-changing environment.

‍

That’s why the Privacy Act 2020 was created; to strengthen protections, increase accountability, and ensure New Zealand’s privacy laws met international standards.

‍

Privacy Act 1993 vs 2020: Key Differences

‍

Breach Notification

• Privacy Act 1993: No requirement to report privacy breaches.
• Privacy Act 2020: Mandatory to notify the Privacy Commissioner and affected individuals of any breach that could cause serious harm.
• Impact for workplaces: Employers must have systems to detect and report data breaches promptly. Employees will be informed if their information is exposed.

Commissioner's Powers

• Privacy Act 1993: Could only make recommendations.
• Privacy Act 2020: Can issue compliance notices requiring organisations to take action.
• Impact for workplaces: Stronger enforcement means employers must respond quickly to privacy investigations.

Overseas Data Transfers

• Privacy Act 1993: Not addressed. Data rarely left New Zealand.
• Privacy Act 2020: Businesses must ensure comparable protection when sharing data overseas.
• Impact for workplaces: Employers using overseas systems, such as payroll or cloud services, must check their providers meet New Zealand privacy requirements.

Individual Rights

• Privacy Act 1993: People could request access to or correction of their personal information but had limited recourse.
• Privacy Act 2020: Individuals have clearer rights and can complain directly to the Privacy Commissioner.
• Impact for workplaces: Employees can escalate privacy concerns if their employer does not handle them appropriately.

Language and Scope

• Privacy Act 1993: Focused on physical records and local data storage.
• Privacy Act 2020: Uses broader, simpler language covering digital data, apps and online systems.
• Impact for workplaces: The Act now applies to modern workplace technologies, digital tools and cloud-based systems.

‍

‍

Key Takeaway for Employers and Employees

• Review policies and procedures to align with the Privacy Act 2020.
• Train your teams on how to manage personal data safely.
• Set up breach response systems so incidents are handled fast and transparently.
• Check overseas providers to ensure they meet NZ privacy standards.
• Communicate clearly with staff about how their data is used and stored.
• Encourage employees to ask questions or request access to their information.
• Keep security up to date, especially with remote work tools and online platforms.
• Work together; privacy is a shared responsibility between employers and employees.

‍