Data Protection Policy (New Zealand)
DATA PROTECTION POLICY
Privacy Act 2020 (New Zealand)
[Organisation Name] | NZBN [Organisation NZBN]
[Organisation Address]
Effective Date: [Effective Date]
1. INTRODUCTION AND COMMITMENT
[Organisation Name] (NZBN [Organisation NZBN]) ("the Organisation") is committed to protecting the privacy and security of the personal information it collects and holds in the course of its business activities. This Data Protection Policy ("Policy") sets out how the Organisation collects, holds, uses, and discloses personal information in accordance with the Privacy Act 2020 ("the Act") and the 13 Information Privacy Principles (IPPs) set out in section 22 of the Act.
The Privacy Act 2020 replaced the Privacy Act 1993 and introduced significant enhancements to New Zealand privacy law, including mandatory notification of notifiable privacy breaches (sections 113–116), a new compliance notice regime, and enhanced investigation powers for the Privacy Commissioner.
This Policy applies to all personal information about identifiable individuals that the Organisation holds, regardless of how it was collected. It applies to all employees, contractors, and other persons who access or handle personal information on behalf of the Organisation.
2. PRIVACY OFFICER
Consistent with section 201 of the Privacy Act 2020, the Organisation has designated a Privacy Officer who is responsible for:
- Encouraging the Organisation to comply with the Privacy Act 2020 and this Policy.
- Dealing with requests for access to or correction of personal information under IPPs 6 and 7.
- Working with the Privacy Commissioner in relation to any investigation, complaint, or inquiry.
- Maintaining awareness of privacy obligations across the Organisation.
- Assessing and responding to privacy breaches, including mandatory notification obligations.
Privacy Officer: [Privacy Officer Name], [Privacy Officer Role] Email: [Privacy Officer Email] Phone: [Privacy Officer Phone]
3. PERSONAL INFORMATION WE COLLECT
"Personal information" is defined in section 7 of the Privacy Act 2020 as information about an identifiable individual. This is interpreted broadly by the Privacy Commissioner and courts. The Organisation collects the following categories of personal information:
[Personal Information Types]
4. HOW WE COLLECT PERSONAL INFORMATION
The Organisation collects personal information as follows: [Collection Methods]
Consistent with IPP 1 of the Privacy Act 2020, the Organisation collects personal information only for a lawful purpose connected with its functions and activities, and only if collection is necessary for that purpose. Consistent with IPP 2, the Organisation collects personal information directly from the individual concerned where reasonably practicable, and consistent with IPP 4 it collects personal information only by lawful and fair means that do not intrude unreasonably on the individual's personal affairs.
Consistent with IPP 3, when the Organisation collects personal information directly from an individual, it will take reasonable steps to ensure that individual is aware of: the fact that the information is being collected; the purpose for which it is being collected; the identity of the Organisation; any person to whom the information is likely to be disclosed; whether supplying the information is voluntary or required by law, and the consequences of not supplying it; and the individual's rights of access and correction.
5. PURPOSES OF COLLECTION AND USE
The Organisation collects and uses personal information for the following purposes: [Collection Purposes]
Consistent with IPP 10, the Organisation will not use personal information for a purpose other than the purpose for which it was obtained (the primary purpose) unless an IPP 10 exception applies, including where: the individual concerned authorises use of the information for the other purpose; the other purpose is directly related to the primary purpose; the information is used in a form in which the individual is not identified; the information was obtained from a publicly available publication; or use for the other purpose is authorised or required by law, or is necessary to prevent or lessen a serious threat to public health or safety or to the life or health of any person.
6. DISCLOSURE OF PERSONAL INFORMATION
Consistent with IPP 11 of the Privacy Act 2020, the Organisation will not disclose personal information to a third party unless an IPP 11 exception applies, including where:
- The individual has authorised the disclosure.
- Disclosure is necessary to prevent or lessen a serious threat to public health or safety.
- Disclosure is in connection with the purpose for which the information was collected, and the individual would reasonably expect disclosure for that purpose.
- Disclosure is required or authorised by law (for example, to Inland Revenue, the Police, or under a court order).
- The information is publicly available information.
The Organisation may share personal information with third-party service providers who assist the Organisation in providing its products and services (for example, cloud computing providers, payment processors, and marketing platforms). These third parties are required by contract to protect personal information in accordance with the Privacy Act 2020 and this Policy, to use it only for the Organisation's purposes, and to report any privacy breach to the Organisation promptly. Where a provider merely stores or processes personal information on the Organisation's behalf, the information is treated as held by the Organisation (section 11 of the Act) and the arrangement is governed by the security obligations in IPP 5; where a provider located overseas will hold or use the information for its own purposes, the overseas disclosure rules in IPP 12 also apply.
7. SECURITY OF PERSONAL INFORMATION
Consistent with IPP 5 of the Privacy Act 2020, the Organisation will take reasonable steps to protect personal information it holds against: loss; access, use, modification, or disclosure that is not authorised; and other misuse.
Security measures implemented by the Organisation include:
- Access controls: personal information is accessible only to authorised personnel who need it to perform their functions; access rights are reviewed when staff change roles or leave, and access to systems holding personal information is logged so that unauthorised access can be detected and investigated.
- Encryption: personal information is encrypted in transit over public networks and at rest where it is stored on portable devices, removable media, or with third-party providers. Whether information was encrypted is one of the factors considered when assessing the seriousness of a privacy breach (see section 8).
- Physical security: paper records containing personal information are stored securely and access is controlled.
- Staff training: all staff are trained on their obligations under the Privacy Act 2020 and this Policy.
- Vendor management: third-party service providers are required to maintain security standards consistent with this Policy.
- Regular review: security measures are reviewed regularly to ensure they remain appropriate.
8. PRIVACY BREACH RESPONSE AND MANDATORY NOTIFICATION
Under sections 113–116 of the Privacy Act 2020, the Organisation is required to notify the Privacy Commissioner and affected individuals if a privacy breach occurs that it is reasonable to believe has caused, or is likely to cause, serious harm to any affected individual.
Privacy breach response process: [Breach Response Process]
Target notification timeframe: [Breach Notification Timeframe]. This internal target does not displace the statutory requirement: section 114 requires the Privacy Commissioner to be notified as soon as practicable after the Organisation becomes aware that a notifiable privacy breach has occurred, and section 115 requires affected individuals to be notified as soon as practicable unless one of the exceptions in section 116 applies.
Factors the Organisation will consider in assessing whether a breach has caused or is likely to cause serious harm (section 113 of the Act) include: any action taken to reduce the risk of harm; the sensitivity of the personal information involved; the nature of the harm that could result; the person or body that obtained or may obtain the information; whether the information is protected by a security measure such as encryption; and the number of individuals affected. All privacy breaches — whether or not they are notifiable — will be recorded in the Organisation's Privacy Breach Register maintained by the Privacy Officer, together with the assessment made and the reasons for it.
9. RETENTION AND DISPOSAL
Consistent with IPP 9 of the Privacy Act 2020, the Organisation does not keep personal information for longer than is required for the purpose for which it may lawfully be used. Retention periods for key categories of information are as follows:
[Retention Periods]
When personal information is no longer required and has reached the end of its retention period, it will be disposed of as follows: [Disposal Method].
Retention periods may be extended where the information is the subject of a complaint, legal proceedings, a regulatory investigation, or another legal obligation to retain it. Disposal of such information is suspended until the Privacy Officer confirms the hold has ended.
10. YOUR RIGHTS — ACCESS AND CORRECTION
Under the Privacy Act 2020, individuals have the following rights in relation to their personal information:
- Right of access (IPP 6): you have the right to request access to personal information the Organisation holds about you. The Organisation must respond to an access request within 20 working days.
- Right of correction (IPP 7): you have the right to request correction of personal information the Organisation holds about you if it is inaccurate, out of date, incomplete, irrelevant, or misleading.
- Right to complain: if you believe the Organisation has breached its obligations under the Privacy Act 2020, you have the right to complain to the Privacy Commissioner (www.privacy.org.nz).
How to make an access or correction request: [Access Request Process]
11. GOVERNING LAW AND REVIEW
This Policy is governed by the laws of New Zealand, including the Privacy Act 2020, the Health Information Privacy Code 2020 (where applicable), and the Tax Administration Act 1994.
This Policy will be reviewed at least annually and updated as necessary to remain consistent with applicable New Zealand law and guidance from the Privacy Commissioner. All staff will be notified of material changes.
Complaints about the Organisation's handling of personal information should be directed to the Privacy Officer at [Privacy Officer Email] in the first instance. If the complaint is not resolved to your satisfaction, you may refer the matter to the Privacy Commissioner at www.privacy.org.nz.
Chief Executive / Authorised Representative
________________
Signature
Privacy Officer
________________
Signature
What Is a Data Protection Policy (New Zealand)?
A New Zealand Data Protection Policy is a formal internal document that sets out how an organisation collects, holds, uses, discloses, secures, and disposes of personal information in compliance with the Privacy Act 2020 and its 13 Information Privacy Principles (IPPs). It is distinct from a Privacy Policy (which is a public-facing document directed at individuals whose information is collected) in that it is directed internally at the organisation's own staff and governance processes.
The Privacy Act 2020 replaced the Privacy Act 1993 and came into force on 1 December 2020. It applies to all New Zealand agencies — a broadly defined term that encompasses all private sector businesses, non-profit organisations, and public sector entities. The Act introduced significant enhancements to New Zealand privacy law, including mandatory notification of notifiable privacy breaches to the Privacy Commissioner and affected individuals (sections 113–116), a new IPP 12 governing disclosure of personal information to overseas persons, and the ability for the Privacy Commissioner to issue compliance notices. It also carried over from the 1993 Act the requirement that every agency have at least one Privacy Officer (section 201).
The 13 Information Privacy Principles in section 22 of the Act govern every stage of the personal information lifecycle: IPP 1 (purpose of collection), IPP 2 (collection directly from the individual), IPP 3 (what the individual must be told when information is collected), IPP 4 (manner of collection), IPP 5 (storage and security), IPP 6 (access), IPP 7 (correction), IPP 8 (accuracy before use or disclosure), IPP 9 (retention), IPP 10 (use limitation), IPP 11 (disclosure limits), IPP 12 (overseas disclosure), and IPP 13 (unique identifiers).
A Data Protection Policy translates these 13 IPPs into concrete internal practices and procedures. It identifies who is responsible for privacy compliance (the Privacy Officer), what personal information the organisation collects and why, how it is secured and disposed of, how privacy breaches are detected and reported, and how individuals can exercise their rights of access and correction.
For health information, the Privacy Commissioner has issued the Health Information Privacy Code 2020 under section 32 of the Privacy Act 2020. The Code modifies some of the IPPs for health information and applies to all health agencies and others who deal with health information.
A Data Protection Policy is an essential internal governance document that enables organisations to embed privacy compliance into their operations, train staff on their obligations, and demonstrate accountability to the Privacy Commissioner, regulators, clients, and the public.
When Do You Need a Data Protection Policy (New Zealand)?
A Data Protection Policy is needed by every New Zealand organisation that collects or holds personal information about identifiable individuals — which means, in practice, almost every business in New Zealand.
All New Zealand businesses — the Privacy Act 2020 applies to all agencies regardless of size. A sole trader who holds a client email list, a startup that collects customer data through a website, and a large listed corporation with thousands of employees all have the same obligations under the Act. A written Data Protection Policy is essential for any organisation to document its approach to privacy compliance and to demonstrate accountability.
When launching a new business or product — any time a new organisation begins collecting personal information, or an existing organisation begins collecting new categories of personal information, a Data Protection Policy should be developed or updated. Under IPP 3, individuals must be told at or before the time of collection (or, if that is not practicable, as soon as practicable afterwards) what the organisation's purposes are and who the information may be disclosed to. A written Policy supports this obligation.
When using cloud services or engaging offshore service providers — IPP 12 imposes specific requirements for overseas disclosure. A Data Protection Policy that addresses cloud storage and overseas disclosure demonstrates compliance with IPP 12 and provides assurance to clients and business partners.
After a privacy breach — the Privacy Act 2020's mandatory breach notification requirements apply to all agencies. If an organisation has experienced a privacy breach, reviewing and updating the Data Protection Policy — and the breach response procedure it contains — is a critical remediation step that demonstrates accountability to the Privacy Commissioner.
For regulated industries — financial services organisations supervised by the Financial Markets Authority, health providers subject to the Health Information Privacy Code 2020, and other regulated entities face heightened privacy expectations. A thorough Data Protection Policy demonstrates regulatory compliance.
For government contracts and ISO certification — many New Zealand government procurement requirements and international standards (such as ISO 27001 for information security) require contractors and certified organisations to maintain written data protection policies. A well-documented Data Protection Policy supports contract compliance and certification.
What to Include in Your Data Protection Policy (New Zealand)
A well-drafted New Zealand Data Protection Policy should include the following key elements to comply with the Privacy Act 2020 and to be effective as an internal governance tool.
Privacy Officer designation — identify the Privacy Officer by name, role, and contact details, consistent with section 201 of the Privacy Act 2020. Describe their responsibilities: encouraging compliance, handling access and correction requests, working with the Privacy Commissioner, and managing privacy breach responses.
Personal information collected — list the categories of personal information collected by the organisation. Include all relevant categories: customer information, employee information, supplier information, and data collected through digital channels. Address health information specifically if the organisation collects it, noting obligations under the Health Information Privacy Code 2020.
Collection methods and IPP 3 notification — describe how personal information is collected (directly from individuals, from third parties, from public sources, through digital channels). Confirm that individuals are told of the purpose of collection, the intended recipients, and their access and correction rights, consistent with IPP 3.
Purposes of collection and use — list all purposes for which personal information is collected and used, consistent with IPP 1. Include primary purposes (providing services, employment relationship management) and secondary purposes (marketing, analytics).
Disclosure — describe when and to whom personal information may be disclosed, consistent with IPP 11. Include disclosure to third-party service providers, regulators, and overseas recipients.
Overseas disclosure — if the organisation discloses personal information to overseas recipients, address IPP 12 compliance specifically: identify the jurisdictions involved, the ground relied on under IPP 12 (comparable privacy law, binding contractual safeguards, or the individual's express authorisation), and the safeguards in place. A cloud provider that only stores or processes information on the organisation's behalf is treated as the organisation's agent (section 11 of the Act), so that arrangement is a security matter under IPP 5 rather than a disclosure under IPP 12; the policy should still record where the data is held and what the provider is contractually required to do.
Security — describe the security measures in place to protect personal information, consistent with IPP 5. Include access controls, encryption, physical security, and staff training.
Privacy breach response — set out the breach response process and mandatory notification obligations under sections 113–116 of the Privacy Act 2020. Include an acknowledgement timeframe and criteria for assessing whether a breach is notifiable.
Retention and disposal — specify retention periods for key categories of personal information, including mandatory minimum retention periods under the Tax Administration Act 1994, the Employment Relations Act 2000, and the Holidays Act 2003. Describe secure disposal methods and how legal holds suspend disposal.
Individual rights — explain how individuals can exercise their rights of access (IPP 6) and correction (IPP 7). Include contact details for making requests and confirm the 20-working-day response timeframe.
Governing law and review — state that the Policy is governed by the Privacy Act 2020 and commit to annual review. The forms-legal.com Data Protection Policy (New Zealand) provides a ready-to-use template that meets New Zealand legal requirements.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Protection Policy (New Zealand) [Legal document template]. Forms Legal. https://forms-legal.com/new-zealand/business/corporate/data-protection-policy-new-zealand
"Data Protection Policy (New Zealand)." Forms Legal, 2026, https://forms-legal.com/new-zealand/business/corporate/data-protection-policy-new-zealand.
@misc{formslegal-data-protection-policy-new-zealand,
author = {{Forms Legal}},
title = {Data Protection Policy (New Zealand)},
year = {2026},
howpublished = {\url{https://forms-legal.com/new-zealand/business/corporate/data-protection-policy-new-zealand}},
note = {Free legal document template. Based on Privacy Act 2020}
}
Frequently Asked Questions
The Privacy Act 2020 replaced the Privacy Act 1993 and came into force on 1 December 2020. The key changes that all New Zealand agencies (including private sector businesses) must be aware of include: mandatory notification of notifiable privacy breaches (sections 113–116) — if a privacy breach has caused, or is likely to cause, serious harm to an affected individual, the agency must notify both the Privacy Commissioner and the individual as soon as practicable; the introduction of compliance notices issued by the Privacy Commissioner — where the Commissioner forms the opinion that an agency is breaching the Act, the Commissioner may issue a compliance notice requiring the agency to take or stop a specified action; a new IPP 12 for overseas disclosure — an agency may disclose personal information to an overseas person only on one of the grounds IPP 12 permits, such as reasonable grounds to believe the recipient is subject to privacy laws or bound by an agreement providing comparable safeguards; the extension of the Privacy Act to overseas agencies that carry on business in New Zealand; and the introduction of criminal offences for misleading an agency to obtain access to another person's information, and for destroying documents that are the subject of an access request. A written Data Protection Policy that reflects these changes is essential for demonstrating compliance.
Under section 201 of the Privacy Act 2020, every agency must have at least one Privacy Officer. An agency is broadly defined in the Act to include any person or body of persons, whether corporate or unincorporated, and whether in the public or private sector, subject to a short list of exclusions (such as courts acting judicially and news media in their news activities). This means that all New Zealand businesses — from sole traders to large listed companies — are required to designate at least one Privacy Officer. The Privacy Officer is not required to be a lawyer or specialist privacy professional, but must be someone who takes responsibility for the organisation's privacy compliance. The Privacy Officer's responsibilities under the Act include: encouraging the agency to comply with the IPPs; dealing with requests made to the agency under the Act, including requests under IPPs 6 and 7 for access to and correction of personal information; working with the Privacy Commissioner in relation to investigations and inquiries; and otherwise ensuring the agency complies with the Act. The Privacy Commissioner publishes guidance on the role of the Privacy Officer at www.privacy.org.nz. A Data Protection Policy should identify the Privacy Officer by name and contact details and describe their responsibilities.
Under sections 113–116 of the Privacy Act 2020, a New Zealand agency is required to notify the Privacy Commissioner of a privacy breach if it is reasonable to believe that the breach has caused serious harm to an affected individual or is likely to do so. A privacy breach is defined in section 112 as any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information, or any action that prevents the agency from accessing personal information on either a temporary or permanent basis (a ransomware incident that encrypts the agency's records is a privacy breach on this definition even if no data leaves the agency). Factors relevant to assessing whether a breach has caused or is likely to cause serious harm (section 113) include: any action taken by the agency to reduce the risk of harm; the sensitivity of the information (health information, financial information, and identity credentials are considered high risk); whether the information could be used to discriminate against, embarrass, or humiliate the affected individual; the nature of the harm (financial loss, physical harm, reputational harm, or emotional distress); the person or body that obtained, or may obtain, the information and whether they are likely to use it harmfully; whether the information is protected by a security measure such as encryption; and the number of individuals affected. If a notifiable breach is identified, the agency must notify the Privacy Commissioner as soon as practicable after becoming aware of it (section 114), and must also notify the affected individuals as soon as practicable (section 115) unless an exception in section 116 applies, for example where notification would prejudice the security of personal information or an investigation, or where notifying each individual is not reasonably practicable and public notice is given instead. The decision to notify individuals rests with the agency, not the Commissioner. Failing to notify the Commissioner without reasonable excuse is an offence (section 118) carrying a fine of up to $10,000. The Commissioner has published an online privacy breach notification tool (NotifyUs) at www.privacy.org.nz to assist agencies in assessing and notifying breaches.
Yes, but only in compliance with IPP 12 of the Privacy Act 2020 where the arrangement amounts to a disclosure. Two situations need to be distinguished. First, where an overseas cloud provider merely stores or processes the information on the agency's behalf and does not use or disclose it for its own purposes, the provider is the agency's agent and the information is treated as held by the agency (section 11); IPP 12 is not triggered, but IPP 5 requires the agency to take reasonable security steps, which in practice means due diligence on the provider and contractual controls. Second, where the overseas person will hold or use the information for its own purposes, IPP 12 permits the disclosure only on one of the grounds it lists, including: the agency believes on reasonable grounds that the overseas person is subject to privacy laws that, overall, provide comparable safeguards to the Privacy Act 2020; the overseas person is required by an agreement with the agency to protect the information in a way that provides comparable safeguards; the overseas person is a participant in a prescribed binding scheme or is subject to the privacy laws of a prescribed country; the overseas person is carrying on business in New Zealand and is itself subject to the Act; or the individual authorises the disclosure after being expressly informed that the overseas person may not be required to protect the information in a comparable way. The Privacy Commissioner has published guidance on cloud services, noting that agencies should: assess the data protection laws of the country where the provider is located; review the provider's terms and privacy policies; include contractual provisions requiring the provider to protect personal information to a standard comparable to the Privacy Act 2020, report breaches, and not further disclose without authorisation; and consider data residency, that is, whether data will be stored in a specific region or replicated globally. Many countries have privacy laws that provide broadly comparable protections, including Australia (Privacy Act 1988), the United Kingdom (UK GDPR), and European Union member states (EU GDPR). The agency remains responsible under New Zealand law for personal information it discloses to, or holds through, overseas cloud providers.
The Privacy Act 2020 does not prescribe specific retention periods for personal information. IPP 9 requires that an agency must not keep personal information for longer than is required for the purpose for which the information may lawfully be used. Other New Zealand legislation prescribes minimum retention periods, and because retention to meet a statutory obligation is a lawful purpose, those periods set the floor below which IPP 9 cannot require disposal. Key mandatory retention periods include: business records for tax purposes must be kept for 7 years from the end of the tax year to which they relate, under section 22 of the Tax Administration Act 1994 — this covers financial records, invoices, and contracts; wages and time records must be kept for 6 years under the Employment Relations Act 2000, and holiday and leave records for 6 years under the Holidays Act 2003; health and safety records such as accident registers must be kept for specific periods under the Health and Safety at Work Act 2015 and associated regulations; and company records must be kept for certain periods under the Companies Act 1993. When personal information has reached the end of its retention period and is not subject to a legal hold, it must be disposed of securely to prevent unauthorised access. Secure disposal methods include cross-cut shredding for paper records and, for electronic records, media sanitisation consistent with the New Zealand Information Security Manual (NZISM) published by the Government Communications Security Bureau (GCSB). Note that overwriting files is not a reliable sanitisation method for solid-state drives or for data held with a cloud provider, where the agency does not control the physical media; for those cases, encrypting the data at rest and destroying the keys (cryptographic erasure), or relying on the provider's documented deletion process and retaining evidence of it, is the appropriate approach, and the disposal action should be recorded against the retention schedule.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.