Compliance
New Zealand Privacy Act 2020
NZ's primary data protection legislation governing how all organisations collect, use, store, and disclose personal information.
Upcoming Deadline
IPP 3A amendment effective 1 May 2026
The IPP 3A amendment to the Privacy Act takes effect on 1 May 2026, introducing mandatory notification obligations for indirect collection of personal information. Organisations that collect personal data from third-party sources must have compliant processes in place before this date.
What is really being asked of the business
What this requirement is trying to protect in the real world
A good compliance programme starts by understanding the business purpose behind the requirement rather than treating it like a checklist.
The New Zealand Privacy Act 2020 is the country's principal data protection legislation, replacing the Privacy Act 1993 that had been in force for nearly three decades. It establishes a full framework governing how organisations and agencies collect, hold, use, and disclose personal information. The Act applies to every New Zealand organisation, regardless of size, sector, or structure, that handles personal information about identifiable individuals. It is enforced by the Office of the Privacy Commissioner, which has expanded powers under the 2020 legislation, including the ability to issue compliance notices and pursue criminal penalties.
At the heart of the Act are 13 Information Privacy Principles (IPPs) that set out the rules organisations must follow throughout the information lifecycle. These principles cover everything from how personal information is collected (IPPs 1–4) and stored (IPP 5) to how it is accessed, corrected, and used (IPPs 6–11) and how it may be disclosed (IPPs 11–12). The 2020 Act introduced a mandatory breach notification regime, requiring organisations to notify the Privacy Commissioner and affected individuals when a privacy breach has caused, or is likely to cause, serious harm. This was a significant shift from the voluntary reporting regime under the 1993 Act.
The Act continues to evolve. The Information Privacy Principle 3A amendment, taking effect in May 2026, introduces new notification obligations when personal information is collected indirectly — from third parties rather than directly from the individual. Separately, IPP 12 governs the cross-border disclosure of personal information to overseas recipients, an existing obligation relevant to every NZ organisation using international cloud services. Understanding and complying with the Privacy Act is not simply a legal obligation; it is a foundation of trust between your organisation and the individuals whose data you handle.
Why It Matters
Why business owners, customers, and boards pay attention to it.
Compliance with the Privacy Act 2020 is not optional — it is a legal requirement for every New Zealand organisation that handles personal information, from sole traders to large enterprises. The Office of the Privacy Commissioner has signalled an increasingly active enforcement stance, and the introduction of mandatory breach notification means that privacy failures are no longer something organisations can quietly address internally. A notifiable breach that is not reported can result in criminal penalties of up to $10,000, and the reputational damage from mishandling personal information can be far more costly than any fine.
For New Zealand businesses, strong privacy practices are also a significant competitive advantage. Customers, clients, and business partners increasingly expect organisations to demonstrate that they take data protection seriously. Government agencies and larger enterprises frequently include privacy compliance requirements in their procurement and supply chain assessments. Organisations that can demonstrate robust privacy governance — supported by documented policies, breach response plans, and personal data inventories — are better positioned to win contracts and retain customer trust.
The May 2026 IPP 3A amendment adds further urgency for organisations that collect personal information from third parties — such as through reference checks, partner referrals, or industry databases — as they will need to establish notification processes for indirect collection. Separately, IPP 12 already requires organisations to assess cross-border disclosure arrangements for cloud services hosted overseas. Proactive preparation now will avoid a scramble as the IPP 3A deadline approaches and position your organisation well ahead of competitors who leave compliance to the last minute.
Key Requirements
The obligations most businesses need translated into operating reality.
This is where the framework turns into documented controls, ownership, evidence, and review cycles.
Collection Limitation (IPPs 1–4)
Personal information must only be collected for a lawful purpose connected with the organisation's functions, collected directly from the individual where possible, and with the individual's knowledge. Organisations must not collect more information than is reasonably necessary.
Storage and Security (IPP 5)
Organisations must make sure that personal information is protected by reasonable security safeguards against loss, unauthorised access, use, modification, or disclosure. This includes both technical controls (encryption, access management) and organisational measures (policies, training, physical security).
Access and Correction Rights (IPPs 6–7)
Individuals have the right to request access to their personal information held by an organisation and to request correction of inaccurate information. Organisations must respond to such requests within 20 working days and have processes in place to handle them efficiently.
Use and Disclosure Limitations (IPPs 10–11)
Personal information may only be used or disclosed for the purpose for which it was originally collected, unless an exception applies. This principle requires organisations to maintain clear records of why information was collected and to implement controls that prevent purpose creep.
Mandatory Breach Notification
Organisations must notify the Office of the Privacy Commissioner and affected individuals as soon as practicable when a privacy breach has caused, or is likely to cause, serious harm. The notification must include details of the breach, the information involved, and the steps being taken in response.
Indirect Collection Notification (IPP 3A — from May 2026)
When collecting personal information from a source other than the individual (indirect collection), organisations must take reasonable steps to make the individual aware of specified matters including the fact of collection, its source, and its purpose. This applies to information received from referral partners, reference checks, industry databases, and other third-party sources.
Cross-Border Disclosure (IPP 12)
Before disclosing personal information to an overseas recipient, organisations must confirm the recipient is subject to comparable privacy protections, or take other prescribed steps such as obtaining the individual's informed consent. The Section 11 agent exception means cloud providers holding data on your behalf under contract are generally not considered overseas recipients.
How Good Security Helps
Where businesses usually need practical support.
This is about building the policies, registers, evidence, and governance needed to stand up to scrutiny.
Personal Data Inventory
We build a complete inventory of all personal information your organisation holds, mapping data flows across systems, vendors, and jurisdictions. This is the essential foundation for Privacy Act compliance — you cannot protect what you have not identified.
Privacy Impact Assessment
Our analyst-prepared privacy impact assessments evaluate the privacy implications of new projects, systems, or processes before they go live. We identify risks and recommend practical controls to support compliance with the Information Privacy Principles from the outset.
Privacy Breach Readiness Report
We develop and test your breach notification processes so you can meet the mandatory reporting requirements under the Act. This includes breach assessment frameworks, notification templates, internal notification procedures, and simulation exercises to build organisational readiness.
Policy Suite & Lifecycle Management
We create, review, and maintain the privacy policies and procedures your organisation needs — from overarching privacy policies to data retention schedules, consent management procedures, and access request handling processes — keeping them current as the law evolves.
Information Asset Register
Our information asset register service helps you catalogue and classify all information assets including personal data holdings, providing the structured visibility needed to demonstrate compliance across all 13 Information Privacy Principles.
Third-Party / Vendor Risk Register
With IPP 12 cross-border disclosure obligations already in force and IPP 3A indirect collection notification approaching, understanding where your vendors are based and how they handle personal information is critical. Our vendor risk register tracks third-party data processors, their jurisdictions, and their privacy protections to support compliance.
Further Reading
Related guidance for teams that need the detail.
These articles go deeper into the surrounding decisions, timelines, and implementation issues.
Insight
What NZ Businesses Need to Know About IPP 3A Indirect Collection Notification Before May 2026
IPP 3A takes effect 1 May 2026. Here is what indirect collection notification means for NZ businesses and how to prepare.
Insight
Using Cloud Services? Here is What IPP 12 Means for Your Data
IPP 12 governs cross-border disclosure of personal information. Here is what NZ businesses using cloud services need to know.
FAQ
Common commercial questions.
Does the Privacy Act apply to my small business?
Yes. The Privacy Act 2020 applies to every New Zealand organisation — referred to as an 'agency' under the Act — that collects, holds, uses, or discloses personal information, regardless of size. There is no small business exemption. Whether you have 5 staff or 500, if you handle personal information about identifiable individuals (employees, customers, suppliers), the Act applies to you in full.
What counts as a notifiable privacy breach?
A privacy breach is notifiable if it has caused, or is likely to cause, serious harm to affected individuals. Serious harm is assessed by considering factors such as the sensitivity of the information, whether it is in the hands of someone likely to misuse it, whether it could lead to financial loss, identity theft, or physical harm, and the number of individuals affected. When in doubt, it is safer to notify — the Privacy Commissioner has indicated a preference for over-reporting rather than under-reporting.
What are the penalties for non-compliance?
The Privacy Commissioner can issue compliance notices requiring organisations to take specific actions. Failing to comply with a compliance notice, or failing to notify a notifiable breach, is a criminal offence carrying fines of up to $10,000. Beyond statutory penalties, the Human Rights Review Tribunal can award damages for interference with privacy. The most significant cost, however, is often reputational — a publicised breach can erode customer trust and damage business relationships far beyond the direct financial penalties.
How does IPP 3A change things for my business?
Information Privacy Principle 3A, effective May 2026, introduces notification obligations when personal information is collected indirectly — from third parties rather than directly from the individual. This affects any NZ business that collects information through reference checks, referral partners, industry databases, or other third-party sources. You will need to establish processes to notify individuals when their information has been collected indirectly. Good Security helps organisations prepare for IPP 3A by mapping indirect collection sources, establishing notification procedures, and documenting compliance decisions.
What about cloud services and overseas data — is that IPP 3A?
No. The rules for disclosing personal information to overseas recipients are in IPP 12, which has been in force since the Privacy Act 2020 commenced. IPP 12 is relevant to cloud services, overseas vendors, and international data transfers. The Section 11 agent exception means most standard cloud service usage (where the provider acts as your processor under contract) is not treated as a disclosure. IPP 3A is a separate principle covering indirect collection notification.
Do I need a dedicated privacy officer?
The Privacy Act does not require you to appoint a dedicated privacy officer, but it does require that someone in your organisation is responsible for encouraging compliance and dealing with privacy requests and complaints. For businesses, this role is often held by a director, general manager, or HR manager alongside their other responsibilities. Engaging a virtual CISO service like Good Security gives you expert privacy governance support without the cost of a full-time specialist appointment.
Most businesses managing New Zealand Privacy Act 2020 obligations start with Assurance.
If you are weighing up fit, scope, or urgency, start with the scorecard for a fast benchmark and book a consultation when you need a practical next-step plan.