Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 20 December 2024

  • omnibus – all personal data

  • sector-specific – e.g., financial institutions, governmental bodies

Health, telecommunications, civil defense, credit reporting, justice sector (unique identifiers), and superannuation schemes (as currently provided for in codes of practice)

Data privacy and security are also addressed in a range of other sector-specific laws, such as the Health Act 1956.

What are the key data privacy laws and regulations?

Last review date: 20 December 2024

The key legislation governing privacy in New Zealand is the Privacy Act 2020 (Privacy Act). The Privacy Act sets out 13 Information Privacy Principles (each an IPP) that govern (among others) the collection, storage and security, accuracy, retention, use and disclosure of personal information.

The Privacy Commissioner may also issue a code of practice under the Privacy Act in relation to particular industries and sectors (each a Privacy Code). A Privacy Code may modify the application of any of the IPPs as they apply with respect to specified information or classes of information, specified agencies or classes of agencies, an industry or profession, or a class of industries or professions.

What are the key cybersecurity laws and regulations?

Last review date: 20 December 2024

New Zealand does not have specific cybersecurity laws and regulations.

The Privacy Act addresses cybersecurity through the application of IPP 5. IPP 5 requires an agency to ensure that personal information it holds is protected by such security safeguards as it is reasonable in the circumstances to take, against:

  • Loss
  • Access, use, modification, or disclosure that is not authorized by the agency and other misuse

What are the key laws and regulations relating to non-personal data?

Last review date: 20 December 2024

New Zealand does not have specific laws or regulations relating to non-personal data.

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 20 December 2024

Yes.

In November 2024, the Privacy Commissioner recommended a specific set of amendments to modernize the Privacy Act in line with technological advancements. The proposed amendments focus on the following topics:

  • introducing a right for individuals to request that their data be erased
  • establishing a stronger penalty regime for breaches of the Privacy Act
  • requiring agencies to demonstrate how they meet their privacy requirements, such as the privacy management programs recommended by the OECD, and
  • introducing stronger protections for automated decision making like artificial intelligence

On 18 December 2024, the Privacy Commissioner announced plans to issue a Biometrics Processing Privacy Code of Practice (Code). A draft code, along with proposed guidance, has been released for public consultation. Previously, an exposure draft of a biometrics processing privacy code was released, which received significant public feedback. The current consultation focuses on an amended version of that exposure draft.

Alongside the Code, the Office of the Privacy Commissioner (OPC) has released draft guidance to explain the application of the rules, how the Code is intended to work, and how organizations can comply with it. The draft guidance currently covers rules 1, 2, 3, 6, and 10, which generally address the purpose of collection, individuals’ rights of access, and limits on the use of biometric information. These rules are considered to significantly impact the application of the Privacy Act.

The Code addresses the key privacy risks identified by the Commissioner in relation to biometric information and includes three key proposals:

  • A proportionality assessment would require agencies to carefully consider whether their reasons for using biometrics outweigh the privacy intrusion or risks.
  • Transparency and notification requirements would place greater obligations on agencies to be open and transparent with individuals and the public about their collection and use of biometric information.
  • Purpose limitations would put some restrictions on collecting and using biometric information for certain reasons.

The Privacy Amendment Bill, which was first released in 2023, has now reached its second reading in Parliament. Once passed, it will make changes to the current personal information notification regime under the Privacy Act 2020. The Privacy Amendment Bill proposes to broaden the notification requirements under IPP 3, so that it will apply when agencies collect information about an individual indirectly. Currently, there is no requirement for an agency to notify an individual when it collects personal information indirectly.

The Bill will introduce a new IPP 3A that will apply to indirect collection and will closely mirror the requirements and exceptions of IPP 3. Agencies will not need to comply with the new IPP 3A if they reasonably believe that:

  • the relevant information is publicly available information
  • compliance would prejudice either the security or defense of New Zealand or the international relations of the Government
  • compliance would reveal a trade secret, or
  • compliance would cause a serious threat to public health or safety, or the health or safety of another individual.

IPP 3A will not apply to personal information collected before 1 June 2025.