A new Privacy Bill has been introduced to Parliament.

The Bill will replace the Privacy Act 1993.

Over the 25 years since the Act was passed, the rise of the internet and the digital economy has transformed business and government, and the use of personal information. Large quantities of data are readily stored, retrieved, and disclosed and can be easily sent around the world. This creates many benefits, but also new challenges for the protection of personal information.

The changes in the Bill will strengthen privacy protections. The reforms promote early intervention and risk management by agencies (the name used for any organisation or person that handles personal information), rather than relying on people making complaints after a privacy breach has already happened. The Bill’s reforms will also enhance the role of the Privacy Commissioner.

Key reforms in the Bill are:

  • Requirements to report data breaches: If agencies have a privacy breach that poses a risk of harm, it must notify the people affected and the Commissioner
  • Compliance notices: The Commissioner will be able to issue compliance notices to require an agency to do something, or stop doing something.
  • Decisions on access requests: The Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal.  The Commissioner’s decisions can be appealed to the Tribunal.
  • Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by acceptable privacy standards. The Bill also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws.
  • New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it. The proposed penalty is a fine up to $10,000.
  • Strengthening the Privacy Commissioner’s information gathering power: The Commissioner will be able to shorten the timeframe in which an agency must comply with investigations and the penalty for non-compliance will be increased from $2,000 ton $10,000.

The Bill implements recommendations made by the Law Commission in 2011. The Law Commission found that the Act’s principles were sound, but that it needed updating to better address the challenges of the digital age.

Next steps

People will have the opportunity to comment on details of the proposed law changes when the Bill is considered at Select Committee.

Follow the progress of the Privacy Bill(external link).

Related documents

If you would like to learn more about the changes, please see the following documents:

Cabinet Paper - Privacy Bill 2018 - Approval for Additional Policy Amendments [PDF, 304 KB]

Cabinet Paper - Privacy Bill 2018 – Approval for Introduction and Additional Policy Decisions [PDF, 354 KB]

Cabinet Paper - Reforming the Privacy Act 1993 [PDF, 360 KB]

Appendix One to Cabinet Paper Reforming the Privacy Act 1993 [PDF, 378 KB]

Government Response to Law Commission report on the Review of the Privacy Act 1993 [PDF, 84 KB]

Supplementary Government Response to Law Commission report [PDF, 479 KB]

Law Commission Review of Privacy(external link)

This page was last updated: