Data Privacy: New Zealand’s Data Breach Laws Have International Implications

From 1 December 2020, New Zealand’s mandatory data breach notification laws take effect. If your organisation carries on business or is based in New Zealand, and you experience a data breach, you may be required to notify the regulator and affected individuals. If you don’t comply, you may face fines or other regulator action.

This is a brief snapshot of how you determine if you need to notify.

Key Terms

What is a ‘privacy breach’?

A privacy breach (commonly called a ‘data breach’) is the unauthorised or accidental access to, or disclosure, alteration, loss or destruction of personal information held by an ‘agency’ - any organisation or business, whether in the public sector or private sector. This includes government departments, companies and businesses, social clubs and other types of organisations.

A privacy breach also occurs when any action prevents a person from accessing their personal information that is held by an agency – for example, ransomware or denial of service attacks - s112 Privacy Act 2020.

What is ‘personal information’?

Personal information is “information about an identifiable individual” – s7 Privacy Act 2020.

The information does not need to name someone specifically to be personal, if they are identifiable in other ways, for example, through their home address.

Related Information

Published

December 10, 2020

temp Key Contacts

Tim de Sousa

Senior Director

Christopher Hatfield

Managing Director

Downloads

Most Popular Insights

  1. SEC Issues New Private Fund Rules
  2. Watch Out for These ‘Hidden’ Sanctions Traps
  3. Does the Corporate Debt Maturity Wall Really Exist?
  4. Harnessing the Power of AI for Construction Disputes
  5. Future-Proofing White-Collar Crime Defenses

Sign up to get access to FTI Consulting Insights

Subscribe