New Zealand’s Privacy Act 2020 Incident Response Guidelines

What’s required under New Zealand’s new privacy legislation and how your organization can comply

New Zealand introduced the Privacy Act 2020 on December 1, 2020 to strengthen data protection. The law establishes 13 information privacy principles that govern how organizations can collect, store, use, and share data. It also includes new rules for notifying individuals about data breaches and strengthens enforcement mechanisms. As a result, it’s essential for every company that operates in New Zealand to understand what’s required under the law.

Automate New Zealand privacy obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Who is Subject to New Zealand’s Privacy Act 2020?

The Privacy Act 2020 applies to any organization that collects, stores, or handles personal information about New Zealand residents.

Specifically, the law covers:

  • New Zealand agencies: Any organization based in New Zealand.
  • Overseas agencies: Any organization not based in New Zealand when carrying on business in the country.
  • Individuals: Any individual who is not a resident in New Zealand that collects or stores personal information while in the country (regardless of where the subject of that information is located).
But it does grant several exceptions for:

  • New Zealand government agencies
  • Ombudsman
  • News entities carrying on news activities
  • Overseas governments performing government functions

A Note on Scope

The Privacy Act 2020 has an extraterritorial scope, meaning it does not matter where personal information is collected or where the individual is located if the subject of the data is a New Zealand resident. Additionally, the law only allows organizations to transfer personal information to another country if that country’s privacy laws are comparable to New Zealand’s.

How Does New Zealand Enforce the Privacy Act 2020?

The Office of the Privacy Commissioner is responsible for enforcing the Privacy Act 2020.

What are the Commissioner’s Responsibilities?

The Commissioner can investigate any instances of potential non-compliance following a complaint or on its own initiative. Upon investigation, the Commissioner can issue a compliance notice requiring an organization to take action or stop doing certain activities. Finally, the Commissioner can provide advice to the New Zealand government and organizations on the application of the Privacy Act 2020.

What is the Penalty for Non-Compliance?

Instances of non-compliance with the Privacy Act 2020, including not responding to requests for information from individuals and failing to notify the Commissioner about a serious privacy breach, are criminal offenses and carry fines of up to $10,000 NZD. Affected individuals can also issue complaints to the Human Rights Review Tribunal, which can order the offending organization to pay damages.

What Incident Response is Required Under the Privacy Act 2020?

The Privacy Act 2020 requires organizations to issue data breach notifications if they experience a privacy breach that is likely to cause serious harm to individuals.

What is a privacy breach?Any unauthorized or accidental access to personal information; disclosure, alteration, loss, or destruction of personal information; or action that prevents an organization from accessing information temporarily or permanently.
What is the standard for serious harm?The Commissioner offers an online survey, found here, to assess whether or not a privacy breach meets the standard for serious harm. It considers:

  • If personal information is involved
  • Whether or not the personal information is sensitive
  • Who has obtained or may obtain the data
  • The harm that may be caused to affected individuals
  • Any action already taken to reduce the risk of harm
  • If the data is protected by a security measure

How to Respond to a Notifiable Privacy Breach

Organizations that experience a notifiable privacy breach must notify the Privacy Commissioner and affected individuals as soon as practicable after becoming aware that the breach occurred.

Notifying the Commissioner

Organizations should use the Commissioner’s “NotifyUs” tool, found here. These notifications should include this information:

  • Contact details for the organization and person issuing the notification
  • Timeline details about the breach, including when it occurred and when it was discovered
  • Details about the breach, including how many people were affected, the type of personal information involved, and who might be in possession of the information
  • Details about the harm that may be caused to affected individuals following the breach
  • Steps the organization has taken or intends to take to notify individuals
  • Whether or not any other organizations were affected by the breach
  • Whether or not the organization has notified any other agencies about the breach

Notifying Individuals

Organizations must notify affected individuals directly by phone, letter, email, or in person if possible. If this could cause further harm, is too expensive, or is not possible due to a lack of contact information, then organizations can issue an indirect notice through information on their website, posted notices, or the media. These notifications must include:

  • Details about the breach, including when it happened, the personal information involved, and who might be in possession of the information (however it can not identify that party unless it’s necessary to lessen a serious threat to the life or health of individuals)
  • Steps the organization has taken or intends to take in response to the breach
  • Steps that affected individuals can take to mitigate or avoid potential harm
  • A confirmation that the organization has notified the Commissioner about the breach
  • A note that affected individuals have the right to make a complaint to the Commissioner
  • Contact details for a person within the organization who can field inquiries

Note: These notifications can not identify any other affected individuals. To avoid a delay, organizations can share information in increments if it’s not all available immediately.

Exceptions for issuing a notification

Organizations are not required to notify affected individuals or give public notice if they believe the notification would:

  • Prejudice the security or defense of New Zealand, international relations of the New Zealand government, or the maintenance of the law
  • Endanger the safety of any person or reveal a trade secret
  • Be contrary to the affected individual’s interests, if that individual is under the age of 16
  • Be likely to prejudice the individual’s health, in consultation with the individual’s health practitioner (where practicable)

Organizations can delay notifying affected individuals or giving public notice if they believe the risks of issuing the notification outweigh the benefits.

What Types of Incidents Require Notification Under the Privacy Act 2020?

Any privacy breach that meets the standard of creating serious risk for the individuals whose data is involved requires a notification under the Privacy Act 2020. Common examples include:

Phishing malware or trojan

Man in the Middle Attack

A type of privacy breach in which an attacker intercepts a digital conversation by sitting in between the two parties involved, which gives them access to the information being shared.


Lost or Stolen Data

Any case in which personal information gets lost or stolen, even if it was an accident. Organizations will need to assess what data was involved and who might have access to the data, among other factors.



Techniques that allow attackers to gain unauthorized access to data and then move that data to their own servers or devices. This theft can create serious harm depending on the personal information involved.

How Can Organizations Prepare for Compliance with the Privacy Act 2020?

Under the Privacy Act 2020, organizations must appoint a privacy officer responsible for:

  • Monitoring compliance with the law’s 13 information privacy principles
  • Fielding requests made under the law
  • Working with the Commissioner on any investigations
  • Proactively preparing for incident response

As part of this effort, the privacy officer should prepare for three phases of incident response:


Readiness is about developing a clear incident response plan to meet New Zealand’s standard of responding to a privacy breach as soon as practicable. To do so, organizations must:

  • Review what’s required by the Privacy Act 2020, other relevant laws, and contracts
  • Formally document an incident response plan that meets those requirements


Response is about taking action immediately according to that plan when a breach occurs. Doing so is not only required, but can also help mitigate costs. To respond, organizations must:

  • Investigate the incident, including when and how it occurred, what data was affected, and whether or not it creates a risk of serious harm
  • Take action to reduce any risk for affected individuals and to correct any security issues
  • Notify the Commissioner and affected individuals (if required by the Privacy Act 2020) and issue any other notifications required by global privacy laws and contracts

Ongoing Management

Ongoing management is about evolving the program alongside changing laws and emerging security threats. This type of ongoing management requires organizations to:

  • Establish a single source of truth for all monitoring, reporting, and incident response plans through an easily accessible dashboard
  • Maintain alignment from stakeholders on incident response plans to ensure everyone knows their responsibilities and is ready to take action when an incident occurs

Making Proactive Incident Response a Priority

Making proactive incident response a priority can help organizations comply with New Zealand’s Privacy Act 2020. It can lead to faster and confident action in response to any privacy breaches that occur, helping reduce potential penalties and maintain customer trust.

To achieve this proactive stance, organizations must stay up to date on global regulations, assign responsibility for security and response efforts, establish clear incident response plans that can be put into action at any time, and regularly revisit those plans as regulations, security threats, and contracts evolve.

Supercharge your incident response strategy with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.