Privacy Act 2020: A Guide for NZ Employers

Gemma Stringer | Last updated May 2026

The Privacy Act 2020 is New Zealand’s main law that sets the rules for how businesses collect, use, and share personal information. It replaced the Privacy Act 1993 and came into force on 1 December 2020.

For New Zealand employers, this law matters because handling staff and customer information is part of everyday business. From job applications and health details to payroll data, the way organisations manage personal information can build trust, or cause serious problems if done poorly.

In this guide you’ll learn:

  • What the Privacy Act 2020 is and why it matters for businesses in NZ
  • The 13 privacy principles and how they work in practice
  • Key differences between the Privacy Act 1993 and 2020
  • What Section 22 means for businesses
  • Steps employers can take to stay compliant

What is the Privacy Act 2020?

The Privacy Act 2020 is a law that protects personal information and sets out rules for organisations, including employers, about how they handle it. Personal information means any details that can identify someone, such as their name, email, address, or health information.

This Act applies to all businesses, no matter how big or small. That means even small Auckland startups with just a few staff must follow the same rules as large national companies.

The purpose of the Act is to make sure personal information is collected fairly, stored safely, and only used for the right reasons. It also gives people the right to access and correct their information.

Why Does the Privacy Act 2020 Matter for NZ Businesses?

A business in New Zealand is expected to manage personal information responsibly. If not, it risks losing customer trust, damaging staff morale, and facing complaints or penalties from the Office of the Privacy Commissioner (OPC).

For example, a retail business in Auckland was reported for sharing customer details with a third party without consent. This led to a complaint under the Privacy Act and caused both legal stress and reputation damage.

Employers who follow the law protect their people and their brand. It also helps build a positive workplace culture where staff know their privacy is respected.

Privacy Act 2020 Principles Explained

The Act is built around 13 Information Privacy Principles (IPPs). These principles guide how personal information must be collected, stored, and shared.

Here’s a quick summary of what the 13 principles cover:

  1. Collection for a purpose – Collect information only if it’s needed for your work.
  2. Source of information – Get details directly from the person, where possible.
  3. Transparency – Be clear about why you’re collecting the information.
  4. Manner of collection – Collect it fairly and respectfully.
  5. Storage and security – Keep personal information safe from loss or misuse.
  6. Access rights – People can ask for their information.
  7. Correction rights – People can ask to update or fix wrong details.
  8. Accuracy – Make sure the information is correct before using it.
  9. Retention – Don’t keep information longer than necessary.
  10. Use – Use the information only for the purpose you collected it.
  11. Disclosure – Don’t share information without a lawful reason.
  12. Cross-border disclosure – Be careful when sending information overseas.
  13. Unique identifiers – Limit use of things like staff ID numbers to avoid misuse.

Privacy Act 1993 vs 2020: What changed?

The Privacy Act 1993 was out of date with the digital world. The 2020 Act made updates to reflect how information is shared today.

Key changes include:

  • Mandatory breach notifications – If there’s a serious privacy breach, businesses must tell both the OPC and the affected people.
  • Stronger cross-border rules – Clear requirements when sending data overseas.
  • New powers for the Privacy Commissioner – The OPC can issue compliance notices and demand access to information.

These changes mean employers can no longer take a casual approach to data protection.

Section 22 of the Privacy Act 2020

Section 22 gives individuals the right to make a Privacy Act request in NZ. This means employees or customers can ask an organisation to confirm whether it holds their personal information, and to provide a copy. Employers must respond within 20 working days.

Failing to respond or refusing without a valid reason can lead to complaints. For example, a business that ignored repeated requests from a former staff member faced an investigation by the OPC.

How Businesses Can Stay Compliant

Employers in New Zealand can take simple steps to meet their privacy obligations:

  • Train managers and HR staff on the 13 privacy principles.
  • Review employment agreements and policies to make sure they align with the Privacy Act.
  • Create a process for responding to Section 22 requests quickly.
  • Have a plan for managing and reporting privacy breaches.
  • Use secure systems to store payroll and employee information.

Many businesses in Auckland and across New Zealand work with HR consultants to stay on top of these requirements and avoid costly mistakes.

Key Takeaways for NZ Employers

  • The Privacy Act 2020 applies to all businesses in New Zealand.
  • It is based on 13 privacy principles covering how personal information is handled.
  • There are important differences between the 1993 Act and the 2020 Act, especially around breach notifications and cross-border rules.
  • Employers must be ready to respond to Section 22 privacy requests.
  • Handling information well builds trust with staff and customers, while mistakes can damage reputation and lead to penalties.