New Zealand Privacy Act
Simple, practical steps to meet New Zealand’s privacy law
The New Zealand Privacy Act sets out how organisations must collect, use, and protect personal information. BrightShield makes compliance achievable for small businesses through clear policies, playbooks, and practical guidance.
Benefits
Why the Privacy Act matters
It’s the law
The Privacy Act applies to all organisations and businesses in New Zealand — no matter their size — if they collect or hold personal information.
Protects individuals
Strong privacy practices show customers, employees, and partners that you respect their rights.
Avoids penalties and risk
The Office of the Privacy Commissioner (OPC) can issue compliance notices, investigate complaints, and refer serious breaches to the Human Rights Review Tribunal, which can award damages.
Builds trust
Meeting privacy obligations helps strengthen relationships with customers, regulators, and business partners.

How We Help
BrightShield takes the complexity out of Privacy Act compliance.
Pre-Built Policy Templates
Compliant privacy policies, data protection rules, breach procedures, and more — ready to customise.
Step-by-Step Guidance
Guides for handling access and correction requests, managing cross-border data disclosures, and responding to privacy breaches.
Quick Wins First
We highlight easy improvements — like publishing a privacy statement or setting up a breach response process — that make the biggest impact.
Progress Tracking
See how your organisation aligns with the 13 Information Privacy Principles (IPPs) and track improvements over time.
Evidence Storage
Keep access request logs, breach notifications, and vendor agreements in one place.
Why us
The BrightShield advantage
Your partner in making Privacy Act compliance simple, practical, and achievable. We give you clear steps, smart priorities, and steady progress — so you can protect personal information with confidence.
Practical, not overwhelming
We turn the Privacy Act legal requirements into plain, actionable tasks.
Built for small businesses
BrightShield is designed for smaller teams, making the biggest impact with the resources you already have.
Confidence, not just compliance
Go beyond avoiding complaints. Build trust and resilience with privacy practices that last.
Frequently asked questions
What is the New Zealand Privacy Act?
The Privacy Act 2020 is New Zealand’s main privacy law. It sets out how organisations must handle personal information, guided by 13 Information Privacy Principles (IPPs).
Does the Privacy Act apply to my business?
Yes. Unlike Australia’s Privacy Act, the New Zealand law applies to all organisations, regardless of size, that collect or hold personal information.
What are the Information Privacy Principles (IPPs)?
The 13 Information Privacy Principles (IPPs) are:
- Principle 1 – Purpose for collection: You can only collect personal information if it’s for a lawful and necessary purpose.
- Principle 2 – Source of information (collection from the individual): Collect information directly from the person whenever possible.
- Principle 3 – What to tell the individual about collection: Tell people why you’re collecting their information, how it will be used, and who it will be shared with.
- Principle 4 – Manner of collection: Don’t collect information in ways that are unlawful, unfair, or unreasonably intrusive.
- Principle 5 – Storage and security of information: Protect personal information from loss, misuse, or unauthorised access.
- Principle 6 – Providing people access to their information: People have the right to see the personal information you hold about them.
- Principle 7 – Correction of personal information: People can ask you to correct their information if it’s wrong, and you must take reasonable steps to do so.
- Principle 8 – Ensure accuracy before using information: Make sure information is accurate, up to date, and relevant before using it.
- Principle 9 – Limits on retention of personal information: Don’t keep personal information for longer than it’s needed. When it’s no longer required, securely delete or anonymise it.
- Principle 10 – Use of personal information: Only use personal information for the purpose it was collected, unless an exception applies.
- Principle 11 – Disclosing personal information: Only disclose personal information if the person has agreed, or if the law allows it.
- Principle 12 – Disclosure outside New Zealand: If you send personal information overseas, make sure it will be protected by comparable privacy safeguards.
- Principle 13 – Unique identifiers: Only assign unique identifiers (like customer numbers) if it’s necessary, and don’t reuse identifiers from other organisations.
How hard is it to comply with the Privacy Act?
It depends on your current practices. Publishing a privacy statement and setting up breach response procedures can be done quickly. Other obligations — like managing cross-border transfers or maintaining processes for correction requests — may take more effort. BrightShield makes it easier with templates, playbooks, and progress tracking.
What happens if I don’t comply?
The Privacy Commissioner can issue compliance notices and investigate breaches. Serious or repeated failures can be referred to the Human Rights Review Tribunal, which has the power to order compensation and penalties.
How does BrightShield support Privacy Act compliance?
BrightShield helps you meet your Privacy Act obligations with:
- Policy templates aligned with the 13 IPPs.
- Playbooks for access requests, breach response, and cross-border data handling.
- Quick wins to close gaps fast.
- Evidence tracking to show compliance.