Close this search box.

Important updates to the New Zealand Privacy Laws


The Privacy Act 2020

There are now 13 information privacy principles instead of the original 12 and even though most are recognisable from the old act, there have been some tweaks.

For example, while Principle 1 has always required that an agency can only collect personal information in relation to its legitimate purposes and not unrelated ones, it now also forbids collecting identifying information altogether where it is possible to provide a service without doing so. (In this context, the term “agency” means any person, business, government departments or organisation in the public or private sector.)

Similarly, Principle 4 which covers the manner of collecting personal information, requires specific consideration to be given on whether it is appropriate when collecting information from children or young people.

Principle 12 relates to sending information outside New Zealand. Due diligence is needed to ensure the information will be protected by similar standards as in New Zealand. The Government is expected to prescribe a list of countries with comparable protections and the OPC provides other tools such as model contractual terms with an overseas recipient.

Principle 12 does not apply when using, say, a cloud service to store data where the overseas service provider is not using the data for its own purposes.

In those conditions, the New Zealand agency remains responsible.

Overseas agencies doing business in New Zealand are also now subject to the Act, which ensures a level playing field.

Although some might question how the OPC can enforce the Act against the likes of Facebook, it is likely there will be increasing coordination with overseas privacy authorities.

This occurred, for instance, between Australia and Canada with the 2015 data breach investigation of online adult ‘discreet affair’ dating site, Ashley Madison.

The most important additions in the new Act are the duty to notify affected individuals of breaches when they may suffer serious harm and OPC’s power to issue compliance notices against agencies. These are underpinned by fines.

It is important to note, however, that failure to notify when required also provides individuals with recourse to complain and ultimately bring an action for monetary damages which can be up to a maximum of $350,000. Class actions are also now possible.

For more information about the new act, visit

The Unsolicited Electronic Messages Act

We are seeing this act being enforced in the last few months.

For Guardian Angel monitored clients, there is a renewed justification for paying for good monitoring services utilising API integrations.

We are the only company in NZ with API integrations with Blackline and Garmin meaning we get the alerts live from the overseas servers (see flowchart below)

We do get the SMS and email as back up, but we are more regularly seeing these not arrive.

It’s a major concern for any companies relying on in-house monitoring or monitoring providers without integrations.

For us, the API integrations have been in place since the start of our business, and any new devices or services we bring on, we don’t go live with until we have finalised the API work.

We are not prepared to accept any risk at all of us not being able to respond to a worker in need. This is the only way we can guarantee that.
API Flowchart

Not sure what you need?

Get your free copy of our buyers guide

“How to Evaluate Lone & Remote Worker Solutions”. Learn how to select the right devices, monitoring & get clarity on the best lone & remote worker solutions for your organisations needs.

Lone Worker risk assessment

Identifying an effective Lone Worker management solution can be daunting. Our Lone Worker Risk Assessment helps you cut through the noise. Get a better idea of your lone worker risks.

Lone Worker Safety Solutions Audit

Because we don’t know each other yet we have designed a quick lone worker safety audit. This lets us get to know you better and answer any questions you may have.