Global Data and Cyber Handbook

New Zealand

Select a Topic
Start Comparison
Artificial Intelligence, Profiling and Automated Decision Making
Jump to
Artificial Intelligence, Profiling and Automated Decision Making Start Comparison
Are there any restrictions or requirements related to creating profiles of data subjects or utilizing automated decision-making for decisions related to data subjects, including with respect to artificial intelligence?

No.

There are no express restrictions or requirements related to creating profiles of data subjects or utilizing automated decision making for decisions related to data subjects. However, IPP 8 of the Privacy Act provides that an agency that holds personal information must not use or disclose the information (e.g., using the information for automated decision making) without taking such steps that are, in the circumstances, reasonable to ensure the information is accurate, up to date, complete, relevant and not misleading.

Additionally, the OPC's guidance on AI and the IPPs (see here) recommends implementing processes for human review of automated decisions and ensuring that adequate resources are provided to the individuals conducting those reviews.

If such restrictions or requirements exist, are they subject to any exceptions?

Last review date: 20 December 2024

N/A

Has the data privacy regulator issued guidance on data privacy and artificial intelligence, automated decision-making or profiling?

Last review date: 20 December 2024

Yes.

The OPC has published summary guidance on AI and privacy (see here), which outlines key considerations for businesses to consider when using AI in relation to the IPPs:

  • Is the training data behind an AI tool relevant, reliable, and ethical?
  • What was the purpose of collecting personal information? Is your use related?
  • How are you keeping track of the information you collect and use with AI tools?
  • How are you testing that AI tools are accurate and fair for your intended purpose? Are you talking with people and communities with an interest in these issues?
  • What are you doing to track and manage new risks to information from AI tools?

The OPC has also published guidance outlining its expectations around New Zealand agencies, businesses, and organizations using generative AI (see here). That guidance outlines the following eight key points:

  • Obtain senior leadership approval.
  • Review whether a generative AI tool is necessary and proportionate.
  • Conduct a Privacy Impact Assessment (PIA).
  • Be transparent.
  • Engage with Māori.
  • Develop procedures about accuracy and access by individuals.
  • Ensure human review prior to acting.
  • Ensure that personal or confidential information is not retained or disclosed by the generative AI tool.

The Privacy Commissioner's guidance discusses these points in more detail. Compliance with this guidance is considered best practice.

Has the data privacy regulator taken enforcement action in relation to artificial intelligence, including automated decision-making or profiling?

Last review date: 20 December 2024

Enforcement activity under existing privacy law

Do other (non-personal data or cybersecurity) laws or regulations impose restrictions on use of artificial intelligence, automated decision-making or profiling?

Last review date: 20 December 2024

☒  Non-binding guidance or principles issued or in progress

The only AI-specific policy in New Zealand is the Algorithm Charter for Aotearoa New Zealand (Algorithm Charter) (see here), which is an initiative for the Government's data system and most Government agencies are signatories. Signatories to the Algorithm Charter have agreed to apply certain principles in how they use algorithms, especially in designing access to public services. However, becoming a signatory is optional.

{{ $store.state.loadingScreen.message }} ...