NZ Privacy Act – what you really, really need to know - (Data Privacy Day Part 2)

Yorb • January 30, 2025

In part 1 of our Data Privacy Day blog, we discussed the state of cybersecurity in New Zealand (as you do) and the critical importance of data governance. You can catch up on the whys and wherefores of data governance as it applies to you here


Moving on, this time, we’re focusing on the 13 Information Privacy Principles in our Privacy Act (2020) and what you need to do to stay on the good side of our legislation – and your customers. 


But first, this is why you should care. 

There’s a cost to getting data privacy wrong

What if you don’t stay on the right side of the Privacy Act? The penalties in New Zealand for getting a data breach wrong aren’t as severe as in Australia, but, like most things, it’s probably only a matter of time until we catch up. As of right now:


New Zealand: If you suffer a notifiable privacy breach (one that has caused, or is likely to cause, serious harm), you must notify the Privacy Commissioner and the affected individuals as soon as practicable. Failing to notify the Commissioner is an offence under section 118 of the Privacy Act 2020 and can see you fined up to NZ$10,000. 


Australia: The maximum penalty for a serious or repeated privacy breach is an eyewatering AU$50,000,000 (and, under the 2022 amendments, it can be higher still where the benefit gained or the company’s turnover is larger). 


However, the often underappreciated cost of a data breach is to your reputation, as it can significantly undermine customer loyalty. So, instead of spending time building up sales to an existing happy customer base, you may find yourself scrabbling around looking for entirely new customers. And not to forget, you could incur costs like legal fees and data breach remediation, as well as fines.


CERT NZ has been calling on businesses across New Zealand to prioritise cybersecurity as criminals increasingly target small businesses. With nearly half of all local cyber incidents aimed at small and medium-sized enterprises (SMEs) and the average cost of a data breach estimated at NZ$173,000, there’s, quite frankly, probably more to worry about than a $10,000 fine.

The New Zealand Privacy Act (2020)

A quick 101 here! (Feel free to skip!)


What data is covered by the Privacy Act? The Act covers personal information (sometimes called PII, or personally identifiable information): any information about an identifiable individual. That includes details such as a person’s height or eye colour as well as information that directly identifies them, like their name, date of birth, or address.


What does data privacy mean? Data privacy means that when you collect data or information about people, they have legal rights that you must respect. Check out the 13 principles of data privacy further on in this blog for a full list of what you can and, even more importantly - can’t do. 


How is data privacy enforced? New Zealand’s Privacy Act 2020 provides the rules around all of the above, and you are responsible for making sure those rules are applied and kept to, or face the consequences.

Those 13 Information Privacy Principles – what you can and can’t do

Now you know what’s at stake, let's jump into the 13 principles. We’ve (heavily) summarised these, but thanks to the Office of the Privacy Commissioner, you can also download a handy two-page PDF here. The principles fall into three basic groups.

1. Data collection

Principle 1: Purpose of Collection. You can only collect personal information for a lawful purpose connected with your business activities, and only where collecting it is necessary for that purpose.


Principle 2: Source of Information. This is about where personal information can be collected from (with ‘directly from the individual’ being the primary option). 


Principle 3: Awareness of Collection. You must let people know that you’re collecting their personal information, why you’re collecting it, and who will hold it. That applies even when you’re collecting business cards at a trade fair.   


Principle 4: Manner of Collection. You can only collect personal information legally and fairly and avoid being too intrusive into personal affairs.

2. Data storage

Principle 5: Storage and Security. You must protect personal information with reasonable security measures against unauthorised access and misuse.


Principle 6: Access to Information. Individuals have the right to request that you confirm if you hold their information and, if so, can ask for access to it. 


Principle 7: Correction of Information. Individuals can ask you to correct their personal information. You must take reasonable steps to correct it (or, if you decide not to, attach a note to the record saying a correction was requested) so that the information you hold is accurate, up to date, complete and not misleading. 

3. Data use and sharing

Principle 8: Accuracy Check Before Use. You must check the accuracy of personal information before using or disclosing it.


Principle 9: Retention Limitations. You can’t hang on to personal information for longer than is needed. If they are no longer clients, delete it – securely and permanently!


Principle 10: Limits on Use. You can’t use personal information collected for one purpose for a different purpose without the individual’s consent (unless the new purpose is directly related to the original one, or another exception in the Act applies).


Principle 11: Disclosure Limits. You can’t disclose someone’s personal information to others unless disclosure was one of the purposes it was collected for, the individual has authorised it, or another exception in the Act applies (for example, disclosure necessary to prevent a serious threat to someone’s safety or to assist law enforcement). 


Principle 12: Disclosure Outside New Zealand. You can’t send personal information to an overseas business or entity unless the individual expressly authorises it (after being told the recipient may not be subject to comparable privacy protections) or the recipient is subject to privacy safeguards comparable to the Privacy Act. Note that using an overseas cloud provider purely to store or process data on your behalf isn’t treated as a disclosure, but you remain responsible for securing it. 


And finally, Principle 13: Unique Identifiers. You can assign your own unique identifier (a customer or account number) to a person only where you need one to carry out your activities efficiently. You can’t adopt an identifier that another organisation has assigned (such as an IRD number or driver licence number) as your own identifier, except under specific conditions, and you can’t require someone to disclose an identifier except for the purpose it was assigned for.

That’s a lot to remember. How can you make compliance failsafe?

Data governance, that’s how.


Circling back to blog 1, data privacy and data governance are inseparable. To quickly recap, data governance requires you to develop and implement the frameworks, principles, and policies that guide how your data (and that of your customers) is used and managed. This includes:


  • Accountability – allocating who is responsible for what
  • Processes – the actions to take and steps to follow to manage data
  • Technology – having the right tools to support end-to-end data management
  • Continuous improvement and vigilance – ongoing reviews, audits, and feedback 
  • Reporting – so you know what data you have and where it is

Useful stuff

Like to know more about data – from ethics to specialist data communities and forums? This comprehensive data toolkit created by the Privacy Commissioner is invaluable. (Just quietly, we’d give it a 10/10.)


Want to know how to prevent or respond to a privacy breach? Or to report one? 

The New Zealand Privacy Commissioner has all the info you need here.


The Act requires you to have at least one person familiar with your privacy obligations to fulfil the role of a privacy officer. Here’s what they will need to know.


And, of course, when it comes to advice and the cybersecurity tools you need to empower your data governance policy, call Yorb. We’ve got your back.
