The New Zealand Privacy Act takes centre stage in 2023


The New Zealand Privacy Act of 2020 is a key piece of legislation that all businesses have a responsibility to take seriously in order to better protect customer and business information from data theft or misuse.

The increased frequency of highly publicised data breaches over the past 12 months has brought the importance of the Act into sharper focus for 2023 and solidified cybersecurity as a necessary consideration for all businesses, big and small.

Under the Act, several key principles must be abided by when collecting and using personal information. These include:

1. Ensuring appropriate security safeguards are taken

2. Only using personal information for its intended purpose

3. Informing individuals about how their personal information will be handled

4. Being open and transparent with customers about how their information is collected and used.

The New Zealand Privacy Commissioner is committed to helping businesses and individuals understand their rights and responsibilities under the Act and to providing them with the information they need to do so. To assist organisations in complying with these laws, the Commissioner has created a suite of supporting resources, such as training materials and guidance documents, that offer help at both the management and employee level. Through this support, businesses can better protect themselves from data breaches and other threats to their customer information.

The importance of the legislation and its impact on incidents were evident in two recent cases, the Mercury IT and Archives NZ breaches. In both instances a hacker was able to gain access to confidential customer data and then use it for fraudulent activity – all due to the organisations' inadequate security measures. These two examples (of which there are many more) should serve as a warning to all.

This year promises to be a difficult one for businesses, but with the right steps taken, it is possible for those operating in New Zealand to comply with the New Zealand Privacy Act of 2020 – ultimately meaning better protection of customer data and less risk of data loss or misuse.

Here’s what you can do:

Create a Privacy Policy

To protect your business, creating a comprehensive and up-to-date privacy policy is essential.

Many businesses may be unsure how to do this, so here are some tips:

  1. Understand Your Obligations – Take the time to read through the New Zealand Privacy Act of 2020 in detail and make sure you understand what it requires you to do. Check the supporting material on the Privacy Commissioner's website to help explain any grey areas or questions.
  2. Establish a Process – You should set up an internal process for handling customer information and data, with clear rules about who has access and how it is used. This process should be regularly reviewed to ensure that it remains compliant with the Act.
  3. Regularly Audit Your System – It’s important to review your systems regularly to identify any vulnerabilities that could lead to a breach of privacy or data loss. Check for things such as a lack of encryption, weak passwords, or outdated security software that could put customer data at risk.
  4. Update Your Policy – Whenever there are changes to the New Zealand Privacy Act of 2020, or if you make changes to your own internal processes, you should update your privacy policy as soon as possible. This will ensure that customers are kept up-to-date on how their data is being used and protected.

Employee Training

Time and again we see the weakest link in the cybersecurity chain to be employees.

Upskilling your staff on how to be cyber-safe is an imperative action in order to protect your business.

Start this process by:

  1. Setting Clear Guidelines – Make sure your employees receive training on their obligations under the Privacy Act and are aware of their roles in protecting customer data. Ensure that any guidelines you set out are clear and easy to understand so everyone knows what's expected of them. The New Zealand Privacy Commissioner offers a short training program (30 minutes or less) on their website that issues a digital certificate; businesses can save this as proof of compliance to show the Commissioner should there be a breach.
  2. Providing Resources – Ensure that employees have the resources they need to stay up-to-date on changes in data protection laws around the world and other relevant regulations. This can include access to specific training materials such as videos or e-learning programs, as well as in-person seminars with experts. Ensure your staff are also aware of the Australian Privacy Act and the GDPR if you work with or store data overseas.

The Australian Privacy Act

Changes to the Australian Privacy Act, which took place late last year, have a dual impact on New Zealand.

First, New Zealand businesses doing business in Australia will fall under that country's penalties for data breaches. As such, Bell Gully advises that "New Zealand business entities doing business in Australia should take note of the coming changes."

Secondly, the New Zealand legislation on data sovereignty will undergo similar changes to strengthen our responsibilities. If a New Zealand business is providing services to an Australian customer, it will have to abide by the same regulations as if it were operating in Australia. It is important that businesses understand these changes and take appropriate measures to ensure compliance.

As part of the new changes, there is also a requirement for organisations to store personal information only in Australia unless it is absolutely necessary to store it overseas. This ensures that the country's data sovereignty remains in place and that user information is kept safe and secure. The Australian Privacy Act has also strengthened its enforcement powers, allowing for greater financial penalties for organisations in breach of the Act. It is important that businesses understand their obligations and ensure they are compliant with the new rules. The Privacy Act also includes provisions for individuals to complain about privacy breaches and for organisations to be held accountable for any such breaches. This strongly incentivises companies to reinforce their data security policies and practices.

Overall, these changes represent an important shift in how we protect the privacy of Australians and New Zealanders alike. The changes to the Australian Privacy Act are a positive step forward in ensuring our data remains secure and protected. It is essential that businesses understand their responsibilities under this new legislation and take the necessary steps to ensure compliance. This will protect customers’ personal information and give organisations peace of mind.

In addition, businesses must remain aware of the changing landscape of privacy regulations in other countries they may be doing business with or providing services to. This includes understanding the European GDPR, which provides even stricter data sovereignty and user privacy rules.

In conclusion, businesses need to be vigilant in protecting their customers' data.

The laws for data protection are constantly changing, so business owners must stay up-to-date on the most recent changes and take steps to ensure that their employees receive training and have access to resources on data privacy regulations. Taking these measures will help protect customer information and keep businesses compliant.

If you need assistance navigating this legislation, or cybersecurity policies in general, contact us today.