You need to understand data privacy if you are working with data about people. The Privacy Act 2020 provides rules that you must comply with when collecting and using the data.

What is data privacy and what is it for? 

When you are collecting data or information about people, they have legal rights that you must respect. This means that, among other things, when you are collecting and using people’s information you must ensure the following:

  1. The people you are collecting information about know that you are collecting it, why you are collecting it, how you will use it, and where it goes.
  2. The data flows appropriately from them to you (securely), inside your organisation (access to it is controlled), and outside your organisation (any disclosures are carefully considered).

What is personal information and the Privacy Act? 

Personal information is “information about an identifiable individual”. It covers both information that is simply about a person (e.g. eye colour) and information that may also identify them (e.g. their name). The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address.

The Privacy Act 2020 provides the rules in New Zealand for protecting personal information and places responsibilities on agencies and organisations for how they must do that. For example, people have a right to know what information your agency holds about them and a right to ask you to correct it if they think it is wrong.

The Privacy Act 2020

Note: Some people use the term “PII” (personally identifiable information), but that expression has no legal standing in New Zealand. The other expression you may see used is “personal data”, which comes from the EU General Data Protection Regulation (GDPR). The GDPR does not apply inside New Zealand but may be of interest if you are sending personal information outside New Zealand or doing business with citizens of the EU.

EU General Data Protection Regulation

What do I need to do? 

The Privacy Act 2020 has 13 Information Privacy Principles which you are expected to comply with. There are also rules about what you must do if someone asks what information you hold about them or asks you to correct it. The 2020 Act also requires agencies to report to the Privacy Commissioner if they have a “notifiable privacy breach”.

Information Privacy Principles
Requests for access to personal information
Correction of personal information
Notifiable privacy breaches and compliance notices

What resources can help me? 

The following organisations provide resources for learning about privacy.

Privacy Commissioner

The Privacy Commissioner has the responsibility and authority to give you detailed guidance on the rules. They provide excellent online resources for even complete beginners in privacy.

Resources for agencies
Resources for individuals
Free online training courses

They have an online tool you can use to assess or report something you think might be a notifiable privacy breach.

Online tool for organisations to report privacy breaches

Government Chief Privacy Officer

For New Zealand government agencies (national & local), the Government Chief Privacy Officer also provides support and help.

Privacy standards and guidance

New Zealand Privacy Foundation

The New Zealand Privacy Foundation is an independent advocate for privacy in New Zealand. It publishes papers and expresses informed opinions on privacy and privacy law.

New Zealand Privacy Foundation

International Association of Privacy Professionals

The International Association of Privacy Professionals publishes quite a bit of useful information on its website (N.B. it tends to be USA-oriented).

International Association of Privacy Professionals

Who can I ask for help? 

If you need help, the first person to go to is your agency’s privacy officer.

Contact us

If you’d like more information, have a question, or want to provide feedback, email

Content last reviewed 13 April 2021.