NZ Privacy Act 2020: Practical Compliance for Business
NZ Privacy Act 2020 compliance for businesses: key Information Privacy Principles, appointing a privacy officer, and cross-border disclosure obligations.
Start with the Privacy Act 2020’s Information Privacy Principles (IPPs 1–13). Collect only what you need (IPP1), tell people why and how you’ll use it (IPP3), secure it (IPP5), keep it accurate (IPP8), don’t keep it longer than necessary (IPP9), and limit use and disclosure (IPPs 10–11). Ensure individuals can access and correct their data (IPPs 6–7). Practical steps: map your data flows, implement collection notices, set a retention schedule, and standardise responses to access requests. LegalDocs.ai provides compliant notices and retention policy templates.
Appoint a privacy officer. This is mandatory under section 201 of the Privacy Act 2020, which requires every agency to have one or more individuals within the agency whose responsibilities include encouraging compliance with the IPPs, dealing with requests made under the Act, and working with the Privacy Commissioner on investigations. Choose someone with the authority and time to oversee IPP compliance, staff training, and privacy impact assessments. Give them a direct reporting line, a register for requests and incidents, and a playbook for complaints to the Office of the Privacy Commissioner. Schedule refresher training and tabletop exercises. LegalDocs.ai can supply role descriptions, incident logs, and training modules so your privacy officer can embed practical, auditable processes quickly.
Before disclosing personal information to a recipient outside New Zealand, apply Information Privacy Principle 12. The disclosure is permitted only if you believe on reasonable grounds that one of the IPP12 conditions is met: the recipient carries on business in New Zealand and is subject to the Act, is subject to privacy laws or a prescribed binding scheme that provide comparable safeguards, or is bound (typically by contract) to protect the information in a way that, overall, provides comparable safeguards. Otherwise, obtain the individual's express authorisation after telling them that the recipient may not be required to protect the information to the same standard. Note that sending information to an overseas cloud or processing provider that holds it solely on your behalf and does not use or disclose it for its own purposes is not a disclosure under IPP12 (section 11 of the Act treats you as still holding the information), but IPP5 still obliges you to secure it wherever it is stored. Do due diligence on cloud and support vendors, use transfer impact assessments, and include audit, breach-notification, and onward-transfer limits in contracts. Keep a register of cross-border disclosures. LegalDocs.ai offers IPP12 transfer checklists and contract clauses to help you evidence compliance.