Last review date: 23 December 2025
The key legislation governing privacy in New Zealand is the Privacy Act 2020 (“Privacy Act”). The Privacy Act sets out 13 Information Privacy Principles (each an IPP) that govern (among other matters) the collection, storage and security, accuracy, retention, use and disclosure of personal information.
The Privacy Commissioner may also issue a code of practice under the Privacy Act in relation to particular industries and sectors (each a “Privacy Code”). A Privacy Code may modify the application of any of the IPPs as they apply with respect to specified information or classes of information, specified agencies or classes of agencies, an industry or profession, or a class of industries or professions.
Last review date: 23 December 2025
New Zealand does not have specific cybersecurity laws and regulations.
The Privacy Act addresses cybersecurity through the application of IPP 5. IPP 5 requires an agency to ensure that personal information it holds is protected by such security safeguards as it is reasonable in the circumstances to take, against:
- Loss
- Access, use, modification, or disclosure that is not authorized by the agency and other misuse