Data Privacy: New Zealand’s Data Breach Laws | FTI Consulting

Data Privacy: New Zealand’s Data Breach Laws Have International Implications


December 10, 2020

From 1 December 2020, New Zealand’s mandatory data breach notification laws take effect. If your organisation carries on business or is based in New Zealand, and you experience a data breach, you may be required to notify the regulator and affected individuals. If you don’t comply, you may face fines or other regulator action.

This is a brief snapshot of how you determine if you need to notify.

Key Terms

What is a ‘privacy breach’?

A privacy breach (commonly called a ‘data breach’) is the unauthorised or accidental access to, or disclosure, alteration, loss or destruction of personal information held by an ‘agency’ – any organisation or business, whether in the public sector or private sector. This includes government departments, companies and businesses, social clubs and other types of organisations.

A privacy breach also occurs when any action prevents a person from accessing their personal information that is held by an agency (for example, ransomware or denial-of-service attacks) – s112 Privacy Act 2020.

What is ‘personal information’?

Personal information is “information about an identifiable individual” – s7 Privacy Act 2020.

The information does not need to name someone specifically to be personal if they are identifiable in other ways, for example, through their home address.
