What is the New Zealand Privacy Act 2020 (NZPA)?
NZPA stands for New Zealand Privacy Act, which is the New Zealand privacy law that came into force on December 1st, 2020. Therefore, it is also called Privacy Act 2020. This law protects the data of natural persons: employees and consumers. Collection, use, and disclosure of personally identifiable information PII of people in New Zealand are uniformly regulated by this Privacy Act.
Under the New Zealand Privacy Act, companies are required to inform individuals about data collection and to obtain their consent.
Who must comply with NZPA?
The New Zealand Privacy Act applies to all New Zealand government departments and agencies, companies, associations, businesses or other organizations that process personal data. Just like the CCPA and GDPR laws, not only companies headquartered in the place of the law, i.e., New Zealand, are affected, but also foreign companies, regardless of their location, as soon as they process personal data of New Zealand citizens.
Courts, news media or members of parliament are excluded from the Data Privacy Act.
You can find out more about this in Section 23 of the Privacy Act 2020, which describes the obligations of public authorities outside New Zealand.
Principles of the Privacy Act 2020
The Privacy Act 2020 includes 13 privacy principles. These are:
- Principle 1 – Purpose for collection
- Principle 2 – Source of information – collection from the individual
- Principle 3 – What to tell the individual about collection
- Principle 4 – Manner of collection
- Principle 5 – Storage and security of information
- Principle 6 – Providing people access to their information
- Principle 7 – Correction of personal information
- Principle 8 – Ensure accuracy before using information
- Principle 9 – Limits on retention of personal information
- Principle 10 – Use of personal information
- Principle 11 – Disclosing personal information
- Principle 12 – Disclosure outside New Zealand
- Principle 13 – Unique identifiers
Read more details in the Privacy Act 2020 legislative text.
Rights of individuals
The following rights are assured to an individual thanks to the NZ Privacy Act 2020:
- The right to know when and why information is collected
- Appropriate use of the information
- Secure storage of the information
- Access to the data that is stored
Duties for businesses
Among other things, companies that process personal data of New Zealand individuals are required to do the following things:
- Appoint at least one data protection officer (DPO)
- Notify individuals when data processing occurs
- Protect an employee’s immunization status
- Report of data breaches within 72 hours
- Process data access requests within 20 days
- Restrict transfer of data overseas