Privacy Act 2020


Protecting Personal Information in the internet age

The Privacy Act 2020 (the Act) received its Royal assent on 30 June 2020. It comes into effect on 1 December 2020; it replaces the Privacy Act 1993. 

The Act seeks to increase New Zealanders’ confidence that their personal information is secure and will be treated properly.

While many things, like the 12 information privacy principles, stay mostly the same, the new Act introduces some critical changes, including addressing privacy risks sooner, and giving greater powers to the Privacy Commissioner. 

Understanding and preparing for these changes begins now. For more information, view the Privacy Commissioner’s website.

What is Personal Information, and why a new Act?

Personal information is more than a person’s name, address and date of birth; it is all information about an identifiable individual. 

Technology has changed enormously since the Privacy Act 1993 became law. The growing use of internet-connected devices, social media, e-commerce, and cloud storage means large quantities of data can now be easily stored, retrieved, and disclosed anywhere around the world. This has many benefits, but it also creates new challenges for the protection of personal information by public and private sector agencies. These agencies include school boards and NZSTA.

Other countries have already introduced tighter privacy laws, some of which impact on New Zealanders and New Zealand business (e.g. the European Union’s GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act). 

In short, the new Act updates our privacy laws, so they remain fit-for-purpose in the digital age.

What does this Act mean?

The Act safeguards the privacy of people’s information by keeping the 12 core principles about information privacy intact, and the previous Act’s complaints system is retained – if you think there has been an interference with your privacy you can complain to the Privacy Commissioner.

Summary of key changes

  • Mandatory reporting of seriously harmful privacy breaches to the Privacy Commissioner
  • Compliance notices can be issued by the Privacy Commissioner
  • Disclosing personal information overseas is more controlled (new information privacy principle 12)
  • Binding decisions can be made by the Privacy Commissioner about personal information access requests
  • More gathering powers to the Privacy Commissioner for investigations
  • New criminal offences, with a fine of up to $10,000
  • Internet businesses carrying out business in New Zealand must now comply (even if they have no physical presence)
  • Agencies must take particular care in the way they collect personal information from children or young persons (information privacy principle 4).

Checklist for boards

Boards and their schools are agencies that collect, use and store a lot of personal information. The personal information collected relates to students and their parents, caregivers and whānau, staff, contractors and board members. It also includes personal information from other agencies that interact with the school such as the Ministry of Education, Education Review Office and NZSTA, and others in the school and its wider communities, such as sports and community groups. 

  • Does your board have a privacy officer? 
  • Does your board plan to allocate resources (time and money) to support the privacy officer’s training and work?
  • Does your board have a privacy policy, and can the school recognise when a privacy breach may have occurred? 
  • What about procedures on what to do when someone asks for their personal information or their child’s information, or if there is a privacy breach?
  • Have your school’s privacy statements, e.g. when students enrol, been reviewed recently?
  • Does your board and school store and dispose of personal information by following the school records retention/ disposal pack?

More information

Scroll Arrow Icon

© 2018 New Zealand School Trustees Association