Doing Business in New Zealand: Key Sections

Privacy

  • September 2025

Data privacy

Data privacy in New Zealand is governed by the Privacy Act 2020 (Privacy Act). The Privacy Act sets out how individuals and organisations (both public and private) can collect, hold, use, and disclose Personal Information. Personal Information means any information about an identifiable individual (for instance, an individual’s name, address, financial information, or health details). 

Any organisation carrying out business in New Zealand, providing services to New Zealanders, and/or collecting their Personal Information for its own purposes is subject to the Privacy Act.

Information privacy principles

The Privacy Act contains a set of 13 principles. These provide the substantive requirements for collecting and using Personal Information and are similar to the information privacy regime in Australia.

Broadly, they are as follows:

  1. Data minimisation - only collect information necessary for your lawful purpose and nothing more
  2. Source of information - collect the information directly from the individual concerned
  3. Transparency - when collecting information directly from the individual, make the individual aware of a number of elements including why the information is being collected [1]
  4. Manner of collection - collect the information in a fair and lawful way without being unreasonably intrusive
  5. Security - implement security safeguards to protect the information from being lost, misused, or disclosed
  6. Access - individuals have the right to access their personal information
  7. Correction - individuals are entitled to request corrections to their personal information
  8. Accuracy - take reasonable steps to ensure the personal information is current, complete, and not misleading
  9. Storage limitation – ensure personal information is not held longer than necessary
  10. Use of personal information – only use personal information for the purpose it was collected
  11. Disclosure limitation – keep personal information confidential unless permitted to disclose it under the Privacy Act
  12. Transfer of personal information outside Aotearoa New Zealand – disclose personal information outside of New Zealand only if the required statutory safeguards under the Privacy Act are in place
  13. Unique identifiers – ensure unique identifiers used by other companies are not replicated (for instance, requiring an individual to use their Tax number to identify them to you).

The Privacy Act 2020 applies to offshore persons carrying on business in New Zealand, regardless of where the information is collected or held, and where the person to whom the information relates is located. If you plan to collect and/or use Personal Information as part of carrying out business in New Zealand, we recommend that you assess your operations against the 13 Information Privacy Principles set out in the Privacy Act.

All organisations carrying on business in New Zealand [2] (and subject to the Privacy Act) must appoint a privacy officer - a person who will ensure the organisation is compliant with the Privacy Act.

The New Zealand Office of the Privacy Commissioner (OPC) is responsible for monitoring and enforcing compliance with the Privacy Act. The Privacy Act requires organisations to notify the OPC where there has been a serious privacy breach (for instance a cyber attack or an incident which means that personal information has been lost or exposed). OPC guidance is that this notification should happen within 72 hours. You may also be required to notify the individuals who have been impacted by a privacy breach. Failure to report a notifiable privacy breach to the OPC without reasonable excuse is a criminal offence, with a maximum fine of NZ$10,000.

Complaints about a breach of the Information Privacy Principles are investigated by the OPC and may be referred to the Director of Human Rights Proceedings (DHRP) if the OPC cannot resolve the matter. The DHRP can bring the matter before the Human Rights Review Tribunal, and the Tribunal can award damages for a breach of privacy (up to a maximum of NZ$350,000). The Privacy Act also provides a class action mechanism for individuals impacted by a breach of privacy. Using this mechanism, a representative may bring a class action to the Human Rights Review Tribunal for an interference with their privacy on behalf of a class of individuals.

Consumer data right (CDR)

The Customer and Product Data Act 2025 came into force on 29 March 2025 and introduces a consumer data right (CDR) for specific designated sectors. The CDR allows customers to authorise third party “accredited requesters” to request their data from “data holders” (such as banks and electricity companies) and to request that data holders initiate certain actions on their behalf.

Banks will be the initial entities designated as “data holders” and required to comply with the CDR, and regulations and technical standards will be issued under the Act by 1 December 2025. The electricity sector is likely to be the second designated industry, with regulations expected to be rolled out in 2026. 

The development of the CDR in the banking sector is anticipated to open up opportunities for new financial technology companies to enter the market as “accredited requesters”. This development provides competition, not only for the services currently offered by banks, but also for new and innovative services.


[1] The Ministry of Justice has introduced a Bill to expand principle 3 to require agencies to inform individuals when they collect personal information indirectly, e.g. from third parties (the current principle only applies when collecting information directly from the individual).

[2] The Privacy Act does not use the same definition of “carrying on business” as the definition used to determine whether overseas companies must register as a branch in New Zealand.

 


Contact us

Joelle Grace

Partner, Corporate and Commercial, Canterbury, PwC Legal

+64 210 396 521


Elena Kim

Director, Corporate and Commercial, Auckland, PwC Legal

+64 21 236 0604


About the author(s)

The world never stops moving—and neither do you.

We are part of a tech-forward, people-empowered global network that spans across 149 countries with over 370,000 people.

We provide market-leading services that include artificial intelligence, assurance, digital transformation, deals, tax, legal and consulting, while bringing together the teams, resources and alliances you need so you can act boldly and achieve real results. 

In Aotearoa New Zealand, PwC employs over 1,700 people and has offices in the Auckland, Waikato, Hawke's Bay, Wellington and Canterbury regions.

Over and above our traditional service offerings, PwC New Zealand has a strong industry focus, with multi-discipline teams dedicated to key industry groups in both global and national markets. For our clients, this means the best local knowledge combined with the broadest global experience.

PwC Legal – integrated legal expertise

PwC Legal offers expertise across a broad range of practice areas. We are part of the largest legal services network by geography, with over 3,500 lawyers worldwide. While technical excellence is fundamental to what we do, it is our global reach and deep market insights that set us apart from traditional law firms, allowing us to offer you a fully integrated service that encompasses legal, financial, tax, and accounting expertise.

In today’s fast-moving world, it is more important than ever to have a legal partner who understands all aspects of your business. This document brings together the diversity of expertise and skills across PwC Legal and PwC New Zealand to help you navigate the changing and complex business environment.
