In Short
- The Privacy Act 2020 governs data protection in New Zealand, setting out 13 principles for how businesses must handle personal information.
- You must report any serious data breaches to the Privacy Commissioner and affected individuals as soon as possible.
- Businesses in the finance, health and telecommunications sectors may also need to comply with sector-specific regulations.
Tips for Businesses
Regularly audit the personal data you collect, how it is used and who has access to it. Keep your privacy policy clear and accessible to customers. Ensure your team understands data protection responsibilities and be prepared with a plan to handle data breaches effectively.
New Zealand businesses must navigate a complex landscape of data protection laws and regulations to ensure they handle personal information ethically and securely. This article explores the key legal requirements for data protection that businesses need to be aware of and comply with.
The Privacy Act 2020: The Cornerstone of Data Protection
The Privacy Act 2020 is the primary legislation governing data protection in NZ. This Act applies to all businesses and organisations that collect, use or store personal information about individuals. The Act sets out 13 information privacy principles that guide how personal information should be handled.
Key Principles of the Privacy Act 2020
- Purpose of Collection: You must only collect personal information for a lawful purpose connected with your functions or activities.
- Source of Personal Information: Where possible, personal information should be collected directly from the individual concerned.
- Collection of Information from Subject: When collecting personal information, you must inform individuals about the purpose of collection, intended recipients and their rights to access and correct that information.
- Manner of Collection: Personal information must be collected by lawful and fair means, without being unreasonably intrusive.
- Storage and Security: You must ensure that personal information is protected against loss, unauthorised access, use, modification or disclosure.
- Access to Personal Information: Individuals have the right to access their personal information held by your business.
- Correction of Personal Information: Individuals have the right to request correction of their personal information if it is inaccurate.
- Accuracy of Personal Information: You must take reasonable steps to ensure that personal information is accurate, complete, relevant and up to date before using it.
- Retention of Personal Information: Personal information should not be kept for longer than necessary for the purposes for which it was collected.
- Limits on Use of Personal Information: Personal information should only be used for the purpose for which it was collected, unless an exception applies.
- Limits on Disclosure of Personal Information: Personal information should not be disclosed unless an exception applies.
- Disclosure of Personal Information Outside NZ: You must ensure that personal information is adequately protected if transferred overseas.
- Unique Identifiers: There are restrictions on the use of unique identifiers assigned to individuals.
Mandatory Data Breach Reporting
One of the significant changes introduced by the Privacy Act is the requirement for mandatory data breach reporting. If a business experiences a privacy breach that it believes has caused or is likely to cause serious harm, it must notify the Privacy Commissioner and affected individuals as soon as possible.
Factors to consider when assessing whether a breach is likely to cause serious harm include:
- the sensitivity of the information involved;
- the nature of the harm that may be caused;
- the person or entity who has obtained or may obtain the information; and
- whether the information is protected by security measures.
The Privacy Commissioner's website has a helpful tool called 'NotifyUs' to help you determine whether a privacy breach is notifiable.
Cross-Border Data Flows
The Privacy Act also introduces new rules for the disclosure of personal information to overseas entities. Before disclosing personal information overseas, businesses must ensure that the recipient is subject to comparable privacy safeguards. Alternatively, you may obtain the individual's authorisation for the disclosure.
Industry-Specific Regulations
In addition to the Privacy Act 2020, certain industries may be subject to additional data protection requirements:
- Financial Sector: The Reserve Bank of New Zealand and the Financial Markets Authority have guidelines on cybersecurity for financial institutions. These guidelines emphasise the importance of robust risk management frameworks and incident response plans.
- Health Sector: The Health Information Privacy Code 2020 outlines specific guidelines for handling health information. This code applies to health agencies and imposes additional obligations beyond those in the Privacy Act.
- Telecommunications Sector: The Telecommunications Information Privacy Code 2020 provides specific rules for collecting, using and disclosing personal information.
Practical Steps for Compliance
To comply with these legal requirements, New Zealand businesses should:
- Conduct a Data Audit: Identify what personal information is collected, how it is used, where it is stored and who has access to it.
- Develop a Privacy Policy: Create a clear, accessible privacy policy that outlines how the business handles personal information.
- Implement Security Measures: Use appropriate technical and organisational measures to protect personal information, such as encryption, access controls and regular security assessments.
- Train Staff: Ensure all employees understand their data protection and privacy responsibilities.
- Establish Data Breach Procedures: Develop and test procedures for detecting, reporting and responding to data breaches.
- Review Third-Party Contracts: Ensure that contracts with service providers include appropriate data protection clauses.
- Appoint a Privacy Officer: Designate a person within the organisation to be responsible for privacy compliance.
- Regularly Review and Update: Continually assess and update data protection practices to ensure ongoing compliance with evolving legal requirements and best practices.
Failing to comply with data protection laws can have serious consequences for businesses, including:
- fines and penalties;
- reputational damage; and
- loss of customer trust.
Key Takeaways
Data protection is not just a legal requirement. It is a fundamental aspect of responsible business practice in the digital age. By understanding and complying with the legal requirements outlined in the Privacy Act and other relevant regulations, New Zealand businesses can protect themselves and their customers, build trust, and create a competitive advantage in an increasingly data-driven world.
If you are concerned about your privacy obligations, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0800 005 570 or visit our membership page.
Frequently Asked Questions
What should I do if I experience a data breach?
Under the Privacy Act, businesses must report any data breach that is likely to cause serious harm to the Privacy Commissioner and affected individuals as soon as possible. The Privacy Commissioner provides a tool, 'NotifyUs', to help businesses assess if a breach needs to be reported.
How long am I able to retain personal information?
Under the Privacy Act, you should not keep personal information for longer than necessary for the purpose for which it was collected. You need to regularly review your data retention policies and ensure that you only retain personal information as long as it is required to fulfil its intended purpose. Once it is no longer needed, you must securely dispose of or anonymise the information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.