New Zealand Act

Privacy Act 2020

The Privacy Act 2020 sets New Zealand's main rules for handling personal information, including privacy principles, overseas disclosure and...

In force · New Zealand · Plain-English guide · 4 practical checks

Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.

Start here

Quick read

  • This Act matters whenever a business collects information about customers, staff, users or leads.
  • The practical work is to know what you collect, tell people clearly, protect it, manage overseas disclosures and respond quickly to serious privacy breaches.

Likely relevant if

  • Businesses collecting customer or staff data
  • Online stores and SaaS businesses
  • Health, education and professional service providers

Check first

  • Follow the information privacy principles
  • Keep privacy notices accurate
  • Take reasonable security steps

What this means in practice

Key points

  • A privacy policy should match the real data flow.
  • Cloud tools and offshore vendors still need review.
  • Breach response should be planned before an incident happens.

When this law usually matters

Most businesses do not need to memorise the whole law. The useful starting point is to know when it is likely to affect a contract, customer journey, employee process, data flow or company decision.

Key points

  • Businesses collecting customer or staff data
  • Online stores and SaaS businesses
  • Health, education and professional service providers
  • Businesses using offshore cloud tools

What to check first

Sense check

  • Follow the information privacy principles
  • Keep privacy notices accurate
  • Take reasonable security steps
  • Assess and notify notifiable privacy breaches where required

Documents and workflows to review

Key points

  • Privacy policy
  • Collection notices
  • Vendor contracts
  • Data breach plan
  • Retention process
