Privacy Act 2020 in the workplace

Employers will need to take extra precautions under the Privacy Act 2020, which took effect on 1 December 2020.

The Privacy Act governs how individuals, organisations and businesses collect, use, disclose, store, and give access to personal information. This includes employee and client records.

Privacy Act 2020

The Privacy Act 2020 introduces more protections for individuals and some new obligations for businesses and organisations (referred to in the legislation as an 'agency').

The changes include a requirement to report privacy breaches that have caused, or are likely to cause, serious harm (‘notifiable privacy breaches’) to the Privacy Commissioner and to the affected people.

The Privacy Commissioner has new powers to help people access their own information and to require businesses and organisations to comply with the law.

There are increased fines for organisations that don’t comply, and new rules for sending personal information overseas.

Privacy Principles

At the core of the Privacy Act are the Information Privacy Principles (IPPs). The Privacy Act 2020 contains 13 IPPs, up from 12 in the Privacy Act 1993 that it replaces. These principles fall under three broad categories: collecting personal information, holding personal information, and using and disclosing personal information.

Organisations should follow the 13 IPPs to ensure compliance. The Office of the Privacy Commissioner publishes guidance on each principle.

Privacy Act changes

The latest changes include the following:

  • Organisations must tell the Privacy Commissioner and the affected people when they have had a privacy breach that has caused, or is likely to cause, serious harm
  • Overseas companies that do business in New Zealand must comply with the Act
  • The Privacy Commissioner can issue compliance notices that require an organisation to stop breaching the law or put things right
  • The Commissioner can also issue access directions. An organisation must respond to an individual's request for information about themselves within 20 working days; if it refuses access without proper grounds, an access direction can require it to provide the information

The Act also introduces new offences, which carry fines of up to $10,000, and the Commissioner can publicly name organisations that do not comply.

New Offences

Offences (agency):

• Failing to notify the Privacy Commissioner of a notifiable privacy breach without reasonable excuse

• Failing to comply with a compliance notice

Offences (individual):

• Misleading an agency in order to obtain access to someone else’s personal information

• Knowingly destroying a document containing personal information after a request for it has been made

Examples of privacy breaches

  • giving information to someone who wasn’t authorised (e.g. delivering your letter to the wrong house)
  • using incorrect information about a person (e.g. recording a debt the person never owed)
  • collecting a person’s information without their consent (e.g. a video camera in a private place)
  • refusing to give a person access to their information

Common breaches in the workplace include:

  • Sending an email containing personal information to the wrong person
  • Employee browsing (staff looking up records of customers, colleagues or acquaintances without a legitimate business reason)

What does your organisation need to do next?

  • Appoint a Privacy Officer: Under the Privacy Act every organisation is required to have a privacy officer. No special training or qualification is required, but the officer does need an understanding of the 13 Information Privacy Principles (IPPs) within the Act. The privacy officer is responsible for:
    • Ensuring the organisation complies with the Act.
    • Dealing with requests made to the organisation for access to, or correction of, personal information.
    • Working with the Privacy Commissioner during the investigation of complaints.
    • Ensuring personal data is held securely, both online and offline.
  • Privacy Policy: Every organisation should have a privacy policy in place, along with procedures to detect, report and investigate a personal data breach as soon as possible. The Privacy Commissioner has created a policy generator called ‘Priv-o-matic’, available on the Privacy Commissioner’s website. Ensure your customers and clients understand how you plan to use their information.

  • Raise awareness within your organisation: Make sure your staff, and the clients and individuals whose personal information you hold (or hold on their behalf), are aware of the new requirements.

    Ensure you have clear internal lines of communication and let your staff know who they can approach within the organisation to discuss privacy issues.

  • Data security:

    Ensure all personal information is collected for a clear purpose, with the individual’s knowledge, and held securely. Review your third-party contractual arrangements wherever another party stores or processes personal information provided by your organisation, such as cloud-based data storage.

    The steps appropriate for keeping information secure will depend on:
    • How sensitive the personal information is.
    • What the personal information is being used for.
    • What security measures are available, and how using them will affect your organisation’s functions (e.g. computer security, locked filing cabinets, discussing personal issues in a confidential and secure manner).
    • What the consequences might be for the individual if the information is not kept secure.


  • Interviews and references: The Privacy Act does not prescribe the questions you can ask a referee or candidate, but the information you collect should still be necessary for the purpose you are collecting it for, and non-discrimination rules remain in place. It is easy to ask the wrong questions in the ‘ice-breaking’ section of an interview.
  • Job application form: You need to be clear on why you are collecting the information, what you are going to do with it and how you are going to secure it in line with the Privacy Act principles. 

More information

This is for informational purposes only. Further information can be obtained from the Office of the Privacy Commissioner.

If you require further support understanding how the Act affects your workplace and any changes required, contact our HR advisors on (03) 366 4034 or email