Get ready for the new Privacy Act

24 November 2020

Kindly provided by the Office of the Privacy Commissioner 

The Privacy Act 2020 comes into effect on the 1 December. But what does this mean for GPs and other professionals working in the health sector? The new Privacy Act introduces greater obligations for businesses and organisations, a financial penalty for serious privacy breaches, and more enforcement powers for the Privacy Commissioner

The Health Information Privacy Code has been updated to reflect the changes in the Privacy Act 2020. 

Reporting serious privacy breaches

One of the main things to be aware of is the new legal requirement to tell the Privacy Commissioner if there has been a privacy breach that has caused, or is likely to cause, serious harm. In most instances you will also need to tell the affected individuals. Currently, reporting a privacy breach is voluntary.

With this change in place, it will be an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach and carries a potential fine of $10,000. 

But what is serious harm?

Not all privacy breaches need to be reported; the threshold for a notifiable breach is ‘serious harm.’ This can be assessed by considering, for example, the sensitivity of the information lost, actions taken to reduce the risk of harm, and the nature of the harm that could arise.

Practices can use the online tool NotifyUs to assess whether a privacy breach is notifiable, and then to report that breach if necessary. 

Other key changes

The new Act retains the privacy principles of the 1993 legislation, with some changes. Here are the other main changes:

Compliance notices

The Privacy Commissioner can issue a compliance notice requiring you to do something, or stop doing something, in order to comply with the Privacy Act. Compliance notices will describe the steps that the Commissioner considers are required to remedy non-compliance with the Act and will specify a date the changes must take place by.

Access directions

The Privacy Commissioner can direct agencies to provide individuals access to their personal information. This will allow faster resolution of complaints relating to information access. Access directions will be enforceable in the Human Rights Review Tribunal.

Extraterritorial effect

The new Privacy Act now clearly states that it has extraterritorial effect. This means that an overseas organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here and is located offshore.

New criminal offences

The Privacy Act 2020 introduces new criminal offences. It will now be an offence to mislead an agency to access someone else’s personal information—for example, impersonating someone in order to access information that you are not entitled to see. It will also be an offence to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.

There are also new controls on sending personal information overseas, to ensure it is protected by an equivalent level of protection. 

The Office of the Privacy Commissioner suggests having a model contract clause in place with overseas receiving organisations to protect the information in a way that is comparable to New Zealand standards. This guidance document explains how to set this up. 


Free e-learning modules:

  • Privacy Act 2020: outlines the key changes and takes about 30 minutes to complete.
  • Health ABC: a great way to bring your staff up to speed with health privacy issues.

Other resources are also available to help you understand the changes to the Act.