What does the New Zealand Privacy Act 2020 mean to Mobile Mentor?

Late last year New Zealand updated its privacy laws. The update is referred to as the Privacy Act 2020.

The updated act introduced greater protections for individuals and new obligations for businesses. It includes the requirement to report serious privacy breaches and introduces new rules for sending information overseas.

This act is built around 13 privacy principles: 

  1. Organisations should collect data only if it’s necessary. 

  2. If possible, information should be collected directly from the person.  

  3. Organisations must provide reasoning around why they are collecting data. 

  4. Organisations must not collect data via unlawful or unfair means. 

  5. Organisations must keep data secure. 

  6. An individual has the right to know if data is kept about them. 

  7. An individual has the right to request data stored about them. 

  8. Organisations must take steps to ensure data is accurate. 

  9. An organisation can keep data only as long as it is needed. 

  10. Information collected for one purpose cannot be used for another. 

  11. Organisations cannot disclose data unless an exemption applies. 

  12. Organisations can only disclose data overseas when comparable laws exist. 

  13. Organisations must not assign a unique identifier to an individual (unless necessary for operational functions). 


What is personal information?

To understand how this act affects us and our customers, it’s important to understand what personal information is.

Personal information includes data such as:

  • Names 

  • Phone numbers 

  • Email addresses 

  • Other observations where an individual is identified 


When do we have to notify the Privacy Commissioner?

The new act stipulates that if an organisation accidentally leaks or breaches personal information in its care, and the breach causes serious harm to the affected individuals, it must notify the Privacy Commissioner and the relevant individuals.

Types of harm include:

  • Discriminatory harm        

  • Emotional harm        

  • Employment harm        

  • Financial harm        

  • Identity theft  

  • Loss of access to information        

  • Loss of opportunity        

  • Physical harm        

  • Reputational harm        

  • Threats of harm      

Unlike Australia’s mandatory Data Breach Notification laws, the New Zealand breach reporting requirements are based on an assessment of harm and seriousness of breach rather than quantity of data breached.  

There are guidelines from the Privacy Commission for assessing the likelihood of serious harm, including: 

  • Action taken to reduce the risk of harm following the breach 

  • Whether the personal information is sensitive in nature 

  • The nature of the harm 

  • Who obtained (or could obtain) the personal information 

  • Whether the personal information is protected by a security measure 

There is a useful Breach Reporting Assessment, available via this link, that steps you through a set of questions to help you understand the risk and harm of a breach in your organisation. If in doubt, it’s best to report the breach to the Privacy Commissioner.


What if we don’t report a serious breach?

Organisations can now be fined up to $10,000 by the Privacy Commission for the following failures:

  • Failing to comply with a compliance notice

  • Falsely obtaining someone’s personal data 

  • Destroying personal data after someone has requested it

  • Failing to report a Privacy Breach that should be notified 

This fine has increased from $2,000 for breaches before this new act was released. 


What about data stored overseas?

For data stored overseas, unless you have authorised disclosure of your data outside New Zealand, the disclosing party will need to ensure that the information will be protected by safeguards comparable to NZ’s privacy laws before transferring it offshore.

It is OK to share or disclose your personal data overseas if:

  • The recipient receiving the data is covered by the NZ Privacy Act

  • The recipient receiving the data is covered by comparable privacy provisions through laws overseas

  • The person whose data will be disclosed waives the protections

  • The overseas organisation is in a prescribed country or covered by a prescribed binding scheme, e.g. APEC

There is a statement saying cloud services providers such as Microsoft or AWS are exempt and in theory these services have very robust data protection technologies in place to protect our individual data. 


Can I find out what data is stored about me?

You are entitled to seek access to personal information held about you by any New Zealand organisation, and if your request is refused, you can complain to the Privacy Commissioner.

We have recently had a request from this site https://privacybee.com/ from an offshore individual wanting to ensure all data about them was purged from our systems. I expect to see more of these generic services being used by individuals for whom personal data and privacy are important.

Just a note: organisations can refuse to disclose your personal information to you if it can cause:

  • Serious threat to the health, safety or life of an individual 

  • Risk of harassment 

  • Risk of distress 



How can you find out more about the NZ Privacy Act 2020?

There are free online privacy training courses for those who want to understand more about the Privacy Act and how it may impact them or their organisation. Training is available on the Office of the Privacy Commissioner’s website via this link.

What do these changes mean for Mobile Mentor?

In readiness for this new updated Privacy Act, we have checked our website and processes to ensure anyone wanting to has a way to request what information we hold about them, and if they want their personal information updated, they can request this as well.

We have reviewed our data management processes for archiving and disposing of data that’s no longer needed to ensure we are meeting the relevant privacy principles.

And most importantly we are working to ensure we have clear processes and guidance for staff, so confidentiality of data is maintained. For us this includes on-going training for staff on data breach and data protection. We use KnowBe4 for our regular security awareness training. 


If you’re interested in seeking help with change management through these new privacy requirements, check out our Change Management service, or contact us.