This Act matters whenever a business collects information about customers, staff, users or leads. The practical work is to know what you collect, tell people clearly, protect it, manage overseas disclosures and respond quickly to serious privacy breaches.
Main laws
New Zealand Act
Privacy Act 2020
The Privacy Act 2020 sets New Zealand's main rules for handling personal information, including privacy principles, overseas disclosure and...
In forceNew ZealandPlain-English guide4 practical checks
Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.
Get legal helpStart here
Quick read
- This Act matters whenever a business collects information about customers, staff, users or leads.
- The practical work is to know what you collect, tell people clearly, protect it, manage overseas disclosures and respond quickly to serious privacy breaches.
Likely relevant if
- Businesses collecting customer or staff data
- Online stores and SaaS businesses
- Health, education and professional service providers
Check first
- Follow the information privacy principles
- Keep privacy notices accurate
- Take reasonable security steps
What this means in practice
Key points
- A privacy policy should match the real data flow.
- Cloud tools and offshore vendors still need review.
- Breach response should be planned before an incident happens.
When this law usually matters
Most businesses do not need to memorise the whole law. The useful starting point is to know when it is likely to affect a contract, customer journey, employee process, data flow or company decision.
Key points
- Businesses collecting customer or staff data
- Online stores and SaaS businesses
- Health, education and professional service providers
- Businesses using offshore cloud tools
What to check first
Sense check
- Follow the information privacy principles
- Keep privacy notices accurate
- Take reasonable security steps
- Assess and notify notifiable privacy breaches where required
Documents and workflows to review
Key points
- Privacy policy
- Collection notices
- Vendor contracts
- Data breach plan
- Retention process