Skip to the content

Data protection and the 2020 Privacy Act

Around 75% of Kiwis surveyed recently were concerned about the sharing of personal data with businesses without permission. In a couple of weeks, New Zealand's updated privacy laws aimed at uncovering serious privacy breaches will come into force.

2020 Privacy Act - what’s new

New Zealand’s Privacy Act has been modernised to reflect societal changes, and to fit in with international best practice and the current technological environment.

Data privacy is part of the data protection area that covers data handling which includes how data should be collected, stored and shared with third parties.

The 2020 Privacy Act, which commences on Tuesday 1 December 2020, will require businesses to report breaches that could result in identity theft or fraud, humiliation, loss of dignity or damage to a person's reputation.

The legislation will give the Office of the Privacy Commissioner greater powers to enforce compliance.

The following points summarise the key reforms in the 2020 Privacy Act:

  • Mandatory notification of harmful breaches
    Businesses with privacy breaches that could cause serious harm must notify the Privacy Commissioner and affected parties.

  • Explicit application to businesses whether or not they have a legal or physical presence in New Zealand
    If an international digital platform is conducting business with New Zealanders' personal data, it must comply with New Zealand law regardless of where its physical location or servers are based.

  • Controls on offshore data disclosure
    Before disclosing Kiwis’ personal information overseas, New Zealand businesses must ensure those overseas entities have protection levels similar to New Zealand’s privacy laws.

  • Binding decisions on access requests
    If a business refuses to provide personal information upon request, the Commissioner has the power to demand release.

  • New criminal offences
    It will now be an offence to mislead an organisation by impersonating someone to gain access to their personal data, or to destroy data knowing it’s been requested by the Commissioner. The maximum fine is $10,000.

  • Introduction of compliance orders
    Failure to comply with the Commissioner’s compliance notices could result in a fine of up to $10,000.

2021 data protection outlook

With the latest privacy laws launching amidst the Covid-19 era, data protection is likely to intensify going forward as businesses and consumers get more serious about privacy.

According to a PwC Poll, 84% of consumers said they would switch services if they think a company’s data system is fragile.

Media has reported high profile examples of data being sold both in New Zealand and overseas.

A Consumer Magazine article highlighted loyalty schemes, including AA Smartfuel and Fly Buys, on-sell data. AA Smart Fuel reportedly made around $40,000 from aggregated data in one year. DNA home profiling kits on-sell genetic information, and menstruation tracking applications share information to advertisers.

Some of the data protection trends predicted for the coming years include automation, data analytics, assessments of third party vendors as well as reframing application development mindsets.


Automating security processing using AI tools will help companies to increased levels of data protection. Even though security AI is at its nascent stages, it is predicted to take off in 2021.

Data analytics

Data analysis is considered an asset in many organisations. In 2021, it will become a standard practice in more companies in the efforts to improve data privacy measures. Data analytics could highlight operational improvements, showing companies how to improve their data security performance.

Third-party assessments will become critical

A survey conducted by Soha Systems on third-party risk management found that 63% of all data breaches were attributed to third-party vendors. The study also found that only 2% of respondents consider third-party access amongst their top IT priorities.

Consumers will be more mindful of businesses handing over their data to third-party access. Businesses will be more careful with their third-party partners with more organisations performing risk assessments.

Understand an app’s data collection

Developers will need to be mindful about data collection. Whether it’s a web or mobile application, a developer needs to understand where the information is coming from, what's retained and kept, and how it's being used. There’s a need to question which information should be collected.

What are the next steps for businesses?

With data breaches becoming more costly, and the remedial expenses spanning anywhere from months to years, it pays to ensure your company’s IT security framework is robust when it comes to data protection.

We recommend reading further on the information sheets, blog posts, videos and further resources at

Talk to your lawyer about the clauses in your privacy policy which may need to be updated and clarified. Refer to model contract clauses and example agreements provided on this page.


More articles on security



  1. Privacy Act 2020 changes

  2. NZ must face identity and privacy problems, Scoop

  3. Privacy a big concern for Kiwis, NZ Herald

  4. What is the cost of a data breach?, CSO Online

  5. New Zealand joins call for access to social media encrypted data, RNZ

  6. Personal data the new oil, Newsroom

  7. Five data privacy predictions to look out for in 2021, Analytics Insight

  8. Five things developers should know about data privacy and security, Tech Republic

By Jo Lo