Changes to the Privacy Act 2020, and how to prepare

From December 1st 2020, the new Privacy Act 2020 comes into force. This change affects all agencies (person, group, corporate, public or private sector), so make sure you check out what has changed and how this might affect your business.

Changes to the Privacy Act mean businesses must:

  • Not destroy any personal information if someone asks for information held about them
  • Report serious privacy breaches to the Privacy Commissioner and any affected individuals
  • Check personal information disclosed with overseas companies will have similar protection to New Zealand.

The Privacy Act aims to keep personal information safe and secure. These updates reflect the continuous changes in technology and the ways we operate as businesses both online and offline.

What you need to do: 

  • If someone asks for their personal information held by your business, you must respond within 20 working days.
  • If there’s a serious privacy breach in your business, you must report it to the Office of the Privacy Commissioner.
  • You can only disclose personal information to an overseas company if its country has similar protections to our Privacy Act. This does not apply to overseas cloud-based services.
  • Decide who in your business will take the lead on privacy matters. This could be you, an office manager, or another trusted worker. This person will be your privacy officer.

How can you prepare?

  • While it’s a good plan, trying to mitigate the risk isn’t enough – start putting in place a plan to adequately respond should a breach occur
  • Consider undertaking a health check on your current privacy management for both systems and people
  • Discuss the changes and implications with the whole business, and get them doing some self-managed learning through the Privacy Commission E-Learning platform




Privacy Act 2020(external link) — Office of the Privacy Commissioner

Privacy Act overhaul to protect personal information in digital age