New Zealand has a data privacy law called the Privacy Act 2020. The law came into effect on December 1, 2020, and it replaces the previous Privacy Act 1993. The new law aims to strengthen privacy protections for individuals and increase transparency and accountability for organizations that collect, use, and disclose personal information.
The Privacy Act 2020 defines personal information as any information about an identifiable individual. This includes things like names, addresses, phone numbers, email addresses, and financial information. The law applies to all organizations that collect, use, or disclose personal information in the course of their business or professional activities, regardless of their size or location.
Under the Privacy Act 2020, organizations must comply with the following principles:
- Purpose: Personal information must be collected for a lawful purpose and not used for any other purpose without consent.
- Collection: Personal information must be collected in a lawful, fair, and reasonable way.
- Use and disclosure: Personal information can only be used and disclosed for the purpose for which it was collected, unless the individual has given their consent or the use or disclosure is required by law.
- Data quality: Personal information must be accurate, up to date, and complete.
- Security: Personal information must be protected by reasonable security safeguards against loss, unauthorized access, use, modification, or disclosure.
- Access and correction: Individuals have the right to access and correct their personal information held by an organization.
- Retention: Personal information must not be kept longer than necessary for the purpose for which it was collected.
- Unique identifiers: The use of unique identifiers to identify individuals must be necessary for the organization’s functions and activities.
- Transborder data flows: Personal information must not be transferred outside of New Zealand unless the organization takes reasonable steps to ensure that the recipient protects the information in a way that is consistent with New Zealand’s privacy standards.
The Privacy Act 2020 also includes new measures to strengthen privacy protections, such as mandatory breach notification requirements and increased penalties for non-compliance. The Office of the Privacy Commissioner is responsible for enforcing the law and investigating complaints.
Overall, the Privacy Act 2020 aims to balance the interests of individuals and organizations by ensuring that personal information is collected, used, and disclosed in a way that is fair, transparent, and respectful of privacy rights.