Data privacy in New Zealand is governed by the Privacy Act 2020 (Privacy Act). The Privacy Act sets out how individuals and organisations (both public and private) can collect, hold, use, and disclose Personal Information. Personal Information means any information about an identifiable individual (for instance, an individual’s name, address, financial information, or health details).
Any organisation carrying out business in New Zealand, providing services to New Zealanders, and/or collecting their Personal Information for its own purposes is subject to the Privacy Act.
The Privacy Act contains a set of 13 principles. These provide the substantive requirements for collecting and using Personal Information and are similar to the information privacy regime in Australia.
Broadly, they are as follows:
The Privacy Act 2020 applies to offshore persons carrying on business in New Zealand, regardless of where the information is collected or held, and where the person to whom the information relates is located. If you plan to collect and/or use Personal Information as part of carrying out business in New Zealand, we recommend that you assess your operations against the 13 Information Privacy Principles set out in the Privacy Act.
All organisations carrying on business in New Zealand [2] (and subject to the Privacy Act) must appoint a privacy officer - a person who will ensure the organisation is compliant with the Privacy Act.
The New Zealand Office of the Privacy Commissioner (OPC) is responsible for monitoring and enforcing compliance with the Privacy Act. The Privacy Act requires organisations to notify the OPC where there has been a serious privacy breach (for instance, a cyber attack or an incident that means personal information has been lost or exposed). OPC guidance is that this notification should happen within 72 hours. You may also be required to notify the individuals who have been impacted by a privacy breach. Failure to report a notifiable privacy breach to the OPC without reasonable excuse is a criminal offence, with a maximum fine of NZ$10,000.
Complaints about a breach of the Information Privacy Principles are investigated by the OPC and may be referred to the Director of Human Rights Proceedings (DHRP) if the matter is not able to be resolved by the OPC. The DHRP has the ability to bring the matter before the Human Rights Review Tribunal and the Tribunal can award damages for a breach of privacy (up to a maximum of NZ$350,000). The Privacy Act allows a class action mechanism for individuals impacted by a breach of privacy. Using this mechanism, a representative may bring a class action to the Human Rights Tribunal for an interference with their privacy on behalf of a class of individuals.
The Customer and Product Data Act 2025 came into force on 29 March 2025 and introduces a consumer data right (CDR) on specific designated sectors. The CDR allows customers to authorise third party “accredited requesters” to request their data from “data holders” (such as banks and electricity companies) and request that data holders initiate certain actions on their behalf.
Banks will be the initial entities designated as “data holders” and required to comply with the CDR, and regulations and technical standards will be issued under the Act by 1 December 2025. The electricity sector is likely to be the second designated industry, with regulations expected to be rolled out in 2026.
The development of the CDR in the banking sector is anticipated to open up opportunities for new financial technology companies to enter the market as “accredited requesters”. This development provides competition, not only for the services currently offered by banks, but also through new and innovative services.
[1] The Ministry of Justice has introduced a Bill to expand principle 3 to require agencies to inform individuals when they collect personal information indirectly, e.g. from third parties (the current principle only applies when collecting information directly from the individual).
[2] The Privacy Act does not use the same definition of “carrying on business” as the definition used to determine whether overseas companies must register as a branch in New Zealand.