New Zealand Privacy Act 2020
Every business has a privacy policy. Not every business has privacy
The Act usually becomes relevant the moment you collect, store, use, or share personal information, which in practice covers almost every NZ business.
This page helps when
- Staff, customer, or supplier data is already moving through your business and no one can clearly show how it is governed
- IPP 3A, IPP 12, or breach-response questions are turning privacy into a board-level issue
- A customer, regulator, or employee could reasonably ask for evidence today
Best next move
Start with Baseline.
The timing pressure is already real. Start with a working session if this requirement is blocking procurement, insurer conversations, privacy readiness, or leadership confidence.
Deadline Passed
IPP 3A amendment effective 1 May 2026
The IPP 3A amendment to the Privacy Act takes effect on 1 May 2026, introducing mandatory notification obligations for indirect collection of personal information. Organisations that collect personal data from third-party sources must have compliant processes in place before this date.
Where This Starts To Hurt
The buyer moment that makes this rule urgent
The moment usually arrives when an access request, a misdirected email, or a Commissioner complaint turns the 13 IPPs into operating pressure.
The Privacy Act 2020 usually turns from a compliance file into a live business issue the moment a customer, employee, regulator, or incident asks you to show how personal information is actually being handled. If you hold staff records, customer details, health information, referral data, or supplier contacts, the Act already applies. The practical question is whether working processes sit behind the promise when someone asks for evidence.
That includes the full information lifecycle: why information is collected, how much is collected, who can access it, how it is secured, when it is disclosed, how access requests are handled, and what happens when something goes wrong. The Act's mandatory breach notification regime made privacy failures harder to hide, and the Office of the Privacy Commissioner has more scope to intervene than many organisations assume.
The law is also still moving. IPP 12 already affects overseas data arrangements, and IPP 3A adds new indirect collection notification obligations from May 2026. For many businesses, Privacy Act compliance stops being theoretical the moment a buyer, regulator, employee, customer, or breach response process asks for evidence that privacy is actually being managed.
What Starts Breaking
What stalls: deals, audits, or insurer renewals
The Privacy Act matters because privacy failures now create legal, operational, and reputational consequences at the same time. A notifiable breach can bring regulator attention, force uncomfortable customer conversations, and expose weak governance that leadership thought was handled.
It also increasingly shows up in commercial scrutiny. Larger customers, government buyers, and partners want evidence that personal information is being handled properly. Businesses that can point to clear policies, data inventories, breach processes, and accountable ownership answer those questions faster and with less risk.
There is also a timing issue. IPP 3A introduces a specific change on 1 May 2026 for indirect collection, and IPP 12 already affects cloud and overseas data arrangements. Organisations that wait until a contract review or incident to tidy privacy governance usually discover the work is wider than expected.
What You Will Need To Prove
The first controls, owners, and evidence to put in place
Mandatory breach notification, cross-border disclosure under IPP 12, and the 20-working-day access-request clock carry the first commercial weight for most NZ businesses.
See the main requirements
Collection Limitation (IPPs 1–4)
Personal information must only be collected for a lawful purpose connected with the organisation's functions, collected directly from the individual where possible, and with the individual's knowledge. Organisations must not collect more information than is reasonably necessary.
Storage and Security (IPP 5)
Organisations must make sure that personal information is protected by reasonable security safeguards against loss, unauthorised access, use, modification, or disclosure. This includes both technical controls (encryption, access management) and organisational measures (policies, training, physical security).
Access and Correction Rights (IPPs 6–7)
Individuals have the right to request access to their personal information held by an organisation and to request correction of inaccurate information. Organisations must respond to such requests within 20 working days and have processes in place to handle them efficiently.
Use and Disclosure Limitations (IPPs 10–11)
Personal information may only be used or disclosed for the purpose for which it was originally collected, unless an exception applies. This principle requires organisations to maintain clear records of why information was collected and to implement controls that prevent purpose creep.
Mandatory Breach Notification
Organisations must notify the Office of the Privacy Commissioner and affected individuals as soon as practicable when a privacy breach has caused, or is likely to cause, serious harm. The notification must include details of the breach, the information involved, and the steps being taken in response.
Indirect Collection Notification (IPP 3A — from May 2026)
When collecting personal information from a source other than the individual (indirect collection), organisations must take reasonable steps to make the individual aware of specified matters including the fact of collection, its source, and its purpose. This applies to information received from referral partners, reference checks, industry databases, and other third-party sources.
Cross-Border Disclosure (IPP 12)
Before disclosing personal information to an overseas recipient, organisations must confirm the recipient is subject to comparable privacy protections, or take other prescribed steps such as obtaining the individual's informed consent. The Section 11 agent exception means cloud providers holding data on your behalf under contract are generally not considered overseas recipients.
How We Help You Answer It
When the business usually calls us
We usually get called after an incident, a Commissioner query, or a new enterprise contract demands a documented IPP-by-IPP control map.
Stop searching ten systems every time a customer asks for their data
We build a complete inventory of all personal information your organisation holds, mapping data flows across systems, vendors, and jurisdictions. This is the essential foundation for Privacy Act compliance — you cannot protect what you have not identified.
Catch privacy risk before the project launches
Our analyst-prepared privacy impact assessments evaluate the privacy implications of new projects, systems, or processes before they go live. We identify risks and recommend practical controls to support compliance with the Information Privacy Principles from the outset.
Know Who Gets Told, When, And What, The Moment A Breach Hits
We develop and test your breach notification processes so you can meet the mandatory reporting requirements under the Act. This includes breach assessment frameworks, notification templates, internal notification procedures, and simulation exercises to build organisational readiness.
Stop Maintaining Policies Nobody Actually Reads
We create, review, and maintain the privacy policies and procedures your organisation needs — from overarching privacy policies to data retention schedules, consent management procedures, and access request handling processes — keeping them current as the law evolves.
See What Information Runs The Business
Our information asset register service helps you catalogue and classify all information assets including personal data holdings, providing the structure you need to show compliance across all 13 Information Privacy Principles.
Track The Suppliers That Could Expose The Business
With IPP 12 cross-border disclosure obligations already in force and IPP 3A indirect collection notification approaching, understanding where your vendors are based and how they handle personal information is critical. Our vendor risk register tracks third-party data processors, their jurisdictions, and their privacy protections to support compliance.
If You Need The Detail
Related reading for the implementation detail
Related reading on the 1 May 2026 IPP 3A change, IPP 12 cross-border obligations, and the serious-harm threshold most breach decisions come down to.
Insight
IPP 3A starts May 2026. You need a process
IPP 3A changes the rules for referrals, background checks, partner handoffs, and any other indirect collection. What NZ businesses need to fix before 1 May 2026.
Insight
Using cloud services? Here's what IPP 12 means for your data
IPP 12 governs cross-border disclosure of personal information. Here is what NZ businesses using cloud services need to know.
Questions Before A Decision
The questions that come up before the contract
Does the Privacy Act apply to my small business?
Yes. The Privacy Act 2020 applies to every New Zealand organisation — referred to as an 'agency' under the Act — that collects, holds, uses, or discloses personal information, regardless of size. There is no small business exemption. Whether you have 5 staff or 500, if you handle personal information about identifiable individuals (employees, customers, suppliers), the Act applies to you in full.
What counts as a notifiable privacy breach?
A privacy breach is notifiable if it has caused, or is likely to cause, serious harm to affected individuals. Serious harm is assessed by considering factors such as the sensitivity of the information, whether it is in the hands of someone likely to misuse it, whether it could lead to financial loss, identity theft, or physical harm, and the number of individuals affected. When in doubt, it is safer to notify — the Privacy Commissioner has indicated a preference for over-reporting rather than under-reporting.
What are the penalties for non-compliance?
The Privacy Commissioner can issue compliance notices requiring organisations to take specific actions. Failing to comply with a compliance notice, or failing to notify a notifiable breach, is a criminal offence carrying fines of up to $10,000. Beyond statutory penalties, the Human Rights Review Tribunal can award damages for interference with privacy. The most significant cost, however, is often reputational — a publicised breach can erode customer trust and damage business relationships far beyond the direct financial penalties.
How does IPP 3A change things for my business?
Information Privacy Principle 3A, effective May 2026, introduces notification obligations when personal information is collected indirectly — from third parties rather than directly from the individual. This affects any NZ business that collects information through reference checks, referral partners, industry databases, or other third-party sources. You will need to establish processes to notify individuals when their information has been collected indirectly. Good Security helps organisations prepare for IPP 3A by mapping indirect collection sources, establishing notification procedures, and documenting compliance decisions.
What about cloud services and overseas data: is that IPP 3A?
No. The rules for disclosing personal information to overseas recipients are in IPP 12, which has been in force since the Privacy Act 2020 commenced. IPP 12 is relevant to cloud services, overseas vendors, and international data transfers. The Section 11 agent exception means most standard cloud service usage (where the provider acts as your processor under contract) is not treated as a disclosure. IPP 3A is a separate principle covering indirect collection notification.
Do I need a dedicated privacy officer?
The Privacy Act does not require you to appoint a dedicated privacy officer, but it does require that someone in your organisation is responsible for encouraging compliance and dealing with privacy requests and complaints. For businesses, this role is often held by a director, general manager, or HR manager alongside their other responsibilities. Good Security can provide the external privacy and security leadership support needed to keep that work moving without the cost of a full-time specialist appointment.
Need a clearer answer on New Zealand Privacy Act 2020?
A working session maps the 13 IPPs to the controls already in place and leaves you with a Privacy Act response pack you can defend.