a summary of the changes in the new privacy act



Unless you’ve been living under a rock, you’ll know that NZ’s privacy laws are about to undergo their biggest transformation since the Privacy Act became law in 1993. The changes, and the new Privacy Act 2020 (the Act), come into force on 1 December 2020. So, you’ve still got a few weeks to make sure all of your secret squirrels are in a row.

key change 1 – notifications of privacy breaches

Under the new law, you’ll be required to notify the Privacy Commissioner and affected individuals if you have a privacy breach that causes, or is likely to cause, serious harm. In her blog on mandatory notifications, Georgina Leslie discusses when you need to notify a breach, what counts as serious harm, and what exceptions apply (hint: not many).

key change 2 – disclosures overseas

The new law also implements a new privacy principle (commonly known as IPP12). Under IPP12, unless you have very clear consent from affected individuals, you can only disclose personal information overseas if comparable privacy safeguards are in place.  These safeguards could be under contract or via similar privacy laws to the Act.

There are 2 exceptions that will help a lot of kiwi businesses. IPP12 won’t apply to cloud providers who simply store or handle information on your behalf (i.e. they don’t use it for their own business purposes) or if the disclosure is to a foreign business operating in NZ (on the basis that this business already has to comply with the Act).

Georgina also discusses this in more detail in her blog on IPP12.

If IPP12 applies to you (or you think it might), the Office of the Privacy Commissioner has released model terms that you can include in your contract with the overseas person receiving the transferred information to ensure there are comparable privacy safeguards in place. This is a fill-in-the-blanks document. It is important that you think carefully about what goes in the sections you need to complete, and that you include as much detail as possible.

updated templates

We’ve updated two of our templates to reflect the new Act.  Check out our updated privacy policy and website terms of use.  As a heads up, these changes are pretty minor and assume that IPP12 doesn’t apply to the person using the documents.  If it does, you may need some extra protections – this is discussed in the covering notes.

stay in touch

We plan to update you over the next few months on how the new law is bedding in and to give some tips and tricks on how to make sure your business is complying with the Act.  Stay tuned.
