Privacy Act 2020 NZ — A Practical Compliance Guide for Frontline Managers and Staff
The Privacy Act 2020 (the Act) is New Zealand’s main law protecting personal information. It applies to every organisation — private sector, public sector, and non‑profit — that collects, uses, holds, or discloses personal information about identifiable individuals. This guide explains the 13 Information Privacy Principles (IPPs) in plain language, the notifiable breach regime, and special rules for health information. It is written for frontline managers and staff who handle personal information day‑to‑day.
Key point: The Act is enforced by the Office of the Privacy Commissioner. Penalties for serious or repeated breaches can reach $10,000 for individuals and $100,000 for bodies corporate (section 201). Compliance is not optional.
The 13 Information Privacy Principles (IPPs)
The IPPs are set out in section 22 of the Act. They govern the entire lifecycle of personal information.
IPP 1–4: Collection
- IPP 1 — Purpose of collection (s 22(1)): Only collect personal information if it is necessary for a lawful purpose connected with your functions or activities.
- IPP 2 — Source of information (s 22(2)): Collect the information directly from the individual unless an exception applies (e.g., the individual authorises indirect collection, or collection from the individual is not reasonably practicable).
- IPP 3 — What to tell the individual (s 22(3)): At the time of collection (or as soon as practicable), tell the individual: the fact of collection, the purpose, the intended recipients, whether collection is voluntary or compulsory, the consequences of not providing it, and the individual’s rights of access and correction.
- IPP 4 — Manner of collection (s 22(4)): Collect information in a way that is lawful, fair, and not unreasonably intrusive.
IPP 5: Storage and Security
IPP 5 (s 22(5)): An agency that holds personal information must ensure it is protected, by reasonable security safeguards, against loss, unauthorised access, use, modification, disclosure, or other misuse. “Reasonable safeguards” include physical security (locked cabinets, access controls), technical security (encryption, firewalls), and organisational measures (staff training, privacy policies).
IPP 6–7: Access and Correction
- IPP 6 — Access (s 22(6)): Individuals have the right to request access to personal information held about them. You must respond as soon as reasonably practicable, and generally within 20 working days (section 40). You may refuse access only on grounds set out in sections 49–53 (e.g., risk of serious harm, legal privilege).
- IPP 7 — Correction (s 22(7)): Individuals may request correction of their information. If you agree, you must correct it and, if practicable, notify any third parties to whom you have disclosed the incorrect information. If you refuse, you must attach a statement of correction to the record.
IPP 8: Accuracy
IPP 8 (s 22(8)): Before using or disclosing personal information, take reasonable steps to ensure it is accurate, up‑to‑date, complete, relevant, and not misleading. This is especially important when the information is used to make decisions that affect the individual (e.g., credit checks, employment decisions).
IPP 9: Retention
IPP 9 (s 22(9)): Do not keep personal information for longer than is necessary for the purposes for which it may lawfully be used. Develop a retention and disposal schedule. When information is no longer needed, destroy it securely or de‑identify it.
IPP 10–11: Use
- IPP 10 — Use (s 22(10)): Use personal information only for the purpose for which it was collected, unless an exception applies (e.g., the individual authorises another use, or the use is directly related to the original purpose and the individual would reasonably expect it).
- IPP 11 — Disclosure (s 22(11)): Do not disclose personal information to anyone outside your agency unless the individual authorises it, or one of the exceptions in section 22(11)(a)–(f) applies (e.g., disclosure is necessary to prevent or lessen a serious threat to public health or safety, or is required by law).
Notifiable Privacy Breaches
Part 6 of the Act (sections 113–119) requires agencies to notify the Privacy Commissioner and affected individuals of a privacy breach that has caused, or is likely to cause, serious harm. “Serious harm” includes significant financial loss, emotional distress, physical harm, or identity theft.
- 72‑hour rule (section 117): If you become aware of a breach that has caused or is likely to cause serious harm, you must notify the Commissioner as soon as practicable, but no later than 72 hours after becoming aware. You must also notify affected individuals as soon as practicable (section 118).
- What to include in a notification (section 119): Describe the breach, the type of information involved, the steps taken or proposed to mitigate harm, and how individuals can protect themselves.
Practical tip: Maintain a breach response plan. Train staff to recognise a potential breach and escalate immediately. If in doubt, notify — the Commissioner can advise on next steps.
Health Information — Special Rules
The Health Information Privacy Code 2020 (HIPC) modifies the IPPs for health information. Key differences:
- IPP 2 (source): Health agencies may collect information from other health practitioners without the individual’s direct authorisation in certain circumstances (e.g., emergency treatment).
- IPP 6 (access): Individuals have a right to access their health information, but access may be refused if it would pose a serious threat to the individual’s health or safety (rule 11).
- IPP 11 (disclosure): Disclosure of health information is permitted for the purposes of providing health services, or for public health reasons (e.g., notifiable diseases).
- Retention: Health information must generally be retained for at least 10 years after the last contact (or until the patient’s 25th birthday for children).
If your organisation handles health information, you must comply with both the Act and the HIPC.
Practical Steps for Compliance
- Appoint a Privacy Officer (section 23). This person oversees compliance, handles requests, and manages breaches.
- Review your collection notices — ensure they meet IPP 3 requirements.
- Implement security measures — encryption, access controls, staff training.
- Create a retention and disposal policy (IPP 9).
- Train staff on the IPPs, breach reporting, and how to handle access and correction requests.
- Document everything — policies, training records, breach logs, and disposal certificates.
Frequently Asked Questions
What is the Privacy Act 2020?
The Privacy Act 2020 is New Zealand’s main privacy law. It governs how agencies collect, use, store, and disclose personal information. It is enforced by the Office of the Privacy Commissioner.
What are the 13 Information Privacy Principles?
The 13 IPPs are set out in section 22 of the Act. They cover collection (IPP 1–4), storage and security (IPP 5), access and correction (IPP 6–7), accuracy (IPP 8), retention (IPP 9), and use and disclosure (IPP 10–11).
What is the 72-hour rule for privacy breaches?
Under section 117 of the Act, if you become aware of a notifiable privacy breach (one that has caused or is likely to cause serious harm), you must notify the Privacy Commissioner within 72 hours.
Do health information rules differ under the Privacy Act?
Yes. The Health Information Privacy Code 2020 modifies the IPPs for health information. For example, health agencies may collect information from other practitioners without direct authorisation in emergencies, and health information must generally be retained for at least 10 years.
What are the penalties for non-compliance?
Under section 201, the Privacy Commissioner can issue a compliance notice. Failure to comply can result in a fine of up to $10,000 for an individual and $100,000 for a body corporate. Serious or repeated breaches may also lead to civil proceedings.