Posted by Kellie Bright on June 26 2020 in News

Changes to New Zealand’s privacy law will come into effect soon, with a proposed commencement date of 1 December 2020. It is therefore important for you to bring yourself up to speed on these changes, and to prepare accordingly.

The Privacy Bill aims to:

  • Encourage private and public sector agencies to identify risks and prevent incidents that could cause harm.
  • Promote and protect individuals’ privacy.
  • Give individuals confidence that their personal information is properly protected.


Key changes relevant to businesses include:

  • Businesses are required to report any serious privacy breaches to the Privacy Commissioner and notify all people affected by the breach.
  • If someone requests personal information held by a business, the business cannot destroy requested personal data in order to avoid providing it.
  • New Zealand businesses using a service provider based overseas (e.g. cloud software) are required to ensure their provider meets New Zealand’s privacy law.
  • The Privacy Commissioner will be able to issue compliance notices requiring businesses to do something or to stop doing something.
  • The Privacy Commissioner will be able to shorten the timeframe in which a business must comply with investigations, and the penalty for non-compliance will be increased from $2,000 to $10,000.


The most notable change for businesses is the introduction of a requirement to report serious privacy breaches. Businesses will be required to notify the Privacy Commissioner and any affected individuals of a notifiable privacy breach, that is, a breach that it is reasonable to believe has caused or is likely to cause serious harm to an individual. In assessing the likelihood of serious harm being caused by a privacy breach, businesses must consider the following:

  • Any action taken by the business to reduce the risk of harm following the breach.
  • Whether the personal information is sensitive in nature.
  • The nature of the harm that may be caused to affected individuals.
  • The person or body that has obtained or may obtain personal information as a result of the breach (if known).
  • Whether the personal information is protected by a security measure.
  • Any other relevant matters.


Businesses that, without reasonable excuse, fail to notify the Privacy Commissioner of a notifiable privacy breach commit an offence and are liable on conviction to a fine not exceeding $10,000.

So what do you need to do to get your business ready for upcoming changes and new reporting obligations?

It is prudent for you to:

  • Educate your staff and other key people in your business about the changes.
  • Revisit your privacy policy and privacy statements to ensure compliance with the new law.
  • Develop and put in place procedures to detect, assess and report privacy breaches.


To ensure your business is compliant with the new law, it is important to understand the changes and how they may affect your business, and where necessary, take steps to ensure compliance.

If you would like more information about these changes or have any questions, please contact us.

Kellie Bright | Special Counsel
t +64 9 300 8753

Josheph Jang | Solicitor
t +64 9 300 8750

This paper gives a general overview of the topics covered and is not intended to be relied upon as legal advice.