NZ Privacy Act – what you really, really need to know - (Data Privacy Day Part 2)

Yorb • January 30, 2025

In part 1 of our Data Privacy Day blog, we discussed the state of cybersecurity in New Zealand (as you do) and the critical importance of data governance. You can catch up on the whys and wherefores of data governance as it applies to you here.


Moving on, this time, we’re focusing on the 13 Information Privacy Principles in our Privacy Act (2020) and what you need to do to stay on the good side of our legislation – and your customers. 


But first, this is why you should care. 

There’s a cost to getting data privacy wrong

What if you don’t stay on the right side of the Privacy Act? While the penalties in New Zealand for a data breach aren’t as severe as in Australia, like most things, it’s probably only a matter of time until we catch up. But as of right now:


New Zealand: Failing to report a serious data breach (a legal requirement under section 118 of the Privacy Act 2020) to affected individuals and the Privacy Commissioner can see you fined up to $10,000. 


Australia: In Australia, the maximum fine for a serious data breach can be (up to) an eyewatering $50,000,000. 


However, the often underappreciated cost of a data breach is to your reputation, as it can significantly undermine customer loyalty. So, instead of spending time building up sales to an existing happy customer base, you may find yourself scrabbling around looking for entirely new customers. And not to forget, you could incur costs like legal fees and data breach remediation, as well as fines.


CERT NZ has been calling on businesses across New Zealand to prioritise cybersecurity as criminals increasingly target small businesses. With nearly half of all local cyber incidents aimed at small and medium-sized enterprises (SMEs) and the average cost of a data breach estimated at NZ$173,000, there’s, quite frankly, probably more to worry about than a $10,000 fine.

The New Zealand Privacy Act (2020)

A quick 101 here! (Feel free to skip!)


What data is covered by the Privacy Act? The Act refers to personal information (sometimes called PII or personally identifiable information): information about an identifiable person, such as their height or eye colour, and information that can identify them, like their name, date of birth, or address.


What does data privacy mean? Data privacy means that when you collect data or information about people, they have legal rights that you must respect. Check out the 13 principles of data privacy further on in this blog for a full list of what you can and, even more importantly, can’t do.


How is data privacy enforced? New Zealand’s Privacy Act 2020 provides the rules around all of the above, and you are responsible for making sure those rules are applied and kept to, or face the consequences.

Those 13 Information Privacy Principles – what you can and can’t do

Now you know what’s at stake, let's jump into the 13 principles. We’ve (heavily) summarised these, but thanks to the Office of the Privacy Commissioner, you can also download a handy two-page PDF here. The principles fall into three basic groups.

1. Data collection

Principle 1: Collection of personal information. You can only collect personal information for lawful and necessary business purposes.


Principle 2: Source of Information. This is about where personal information can be collected from (with ‘directly from the individual’ being the primary option). 


Principle 3: Awareness of Collection. You must let people know you’re collecting their personal information and why. This applies even when you’re collecting business cards at a trade fair.


Principle 4: Manner of Collection. You can only collect personal information legally and fairly and avoid being too intrusive into personal affairs.

2. Data storage

Principle 5: Storage and Security. You must protect personal information with reasonable security measures against unauthorised access and misuse.


Principle 6: Access to Information. Individuals have the right to request that you confirm if you hold their information and, if so, can ask for access to it. 


Principle 7: Correction of Information. Individuals can request you to correct their personal information, and you must ensure their data is accurate and complete. 

3. Data use and sharing

Principle 8: Accuracy Check Before Use. You must check the accuracy of personal information before using or disclosing it.


Principle 9: Retention Limitations. You can’t hang on to personal information for longer than is needed. If they are no longer clients, delete it – securely and permanently!


Principle 10: Limits on Use. You can’t use personal information obtained for one purpose for another purpose without the individual’s consent (unless the new purpose is directly related to the original one).


Principle 11: Disclosure Limits. Unless agreed, you can’t disclose someone’s information without reasonable grounds – for example, law enforcement. 


Principle 12: International Disclosure. No sharing of personal information with overseas businesses or entities without an individual’s say-so. 


And finally, Principle 13: Unique Identifiers. You can assign unique identifiers but can’t duplicate others' identifiers except under specific conditions.

That’s a lot to remember. How can you make compliance failsafe?

Data governance, that’s how.


Circling back to blog 1, data privacy and data governance are inseparable. To quickly recap, data governance requires you to develop and implement the frameworks, principles, and policies that guide how your data (and that of your customers) is used and managed. This includes:


  • Accountability – allocating who is responsible for what
  • Processes – the actions to take and steps to follow to manage data
  • Technology – having the right tools to support end-to-end data management
  • Continuous improvement and vigilance – ongoing reviews, audits, and feedback
  • Reporting – so you know what you have and where it is

Useful stuff

Like to know more about data – from ethics to specialist data communities and forums? This comprehensive data toolkit created by the Privacy Commissioner is invaluable. (Just quietly, we’d give it a 10/10.)


Want to know how to prevent or respond to a privacy breach? Or to report one? 

The New Zealand Privacy Commissioner has all the info you need here.


The Act requires you to have at least one person familiar with your privacy obligations to fulfil the role of a privacy officer. Here’s what they will need to know.


And, of course, when it comes to advice and the cybersecurity tools you need to empower your data governance policy, call Yorb. We’ve got your back.
