Data Privacy: New Zealand’s Data Breach Laws Have International Implications

From 1 December 2020, New Zealand’s mandatory data breach notification laws take effect. If your organisation carries on business or is based in New Zealand, and you experience a data breach, you may be required to notify the regulator and affected individuals. If you don’t comply, you may face fines or other regulator action.
This is a brief snapshot of how you determine if you need to notify.
Key Terms
What is a ‘privacy breach’?
A privacy breach (commonly called a ‘data breach’) is the unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information held by an ‘agency’, meaning any organisation or business, whether in the public sector or private sector. This includes government departments, companies and businesses, social clubs and other types of organisations.
A privacy breach also occurs when any action prevents a person from accessing their personal information that is held by an agency, for example ransomware or denial-of-service attacks (s112 Privacy Act 2020).
What is ‘personal information’?
Personal information is “information about an identifiable individual” (s7 Privacy Act 2020).
The information does not need to name someone specifically to be personal if they are identifiable in other ways, for example through their home address.