New Zealand: Implemented Privacy Act 2020 including data protection regulation (Act 2020 No. 31)

On 1 December 2020, the Privacy Act 2020 (2020 No. 31), including data protection regulation, was implemented. Public and private sector agencies must comply with the 13 Information Privacy Principles (IPPs) when collecting, using, and disclosing personal information. The IPPS entail obligations to collect only necessary information through legal means, inform the data subject about the collection and its lawful purpose, safeguard information against loss and unauthorised access, ensure information accuracy, restrict information disclosure except when lawful, ensure overseas disclosures adhere to similar safeguards as those in the Act. Additionally, the Act specifies exceptions to the adherence to the IPPs, namely, then when they are inconsistent with another Act of Parliament and in special circumstances authorised by the Privacy Commissioner. The Act also details procedures for handling complaints related to privacy breaches, investigations by the Privacy Commissioner, and the establishment and enforcement of codes of practice. The Privacy Act defines personal information as "information about an identifiable individual", including information relating to a death that is maintained by the Registrar-General pursuant to the Births, Deaths, Marriages, and Relationships Registration Act 2021 or its predecessors. It concerns data of natural persons only.