Privacy Act Changes
5 November 2019
Changes to the Privacy Act are currently making their way through Parliament and are expected to be passed into law before the end of the year. The changes are being made to make sure that the legislation is in line with new technology and the way that businesses now operate.
The proposed changes include:
- Mandatory reporting to the Privacy Commissioner and affected individuals of privacy breaches, where the breach has caused or is likely to cause serious harm. When considering if the breach is notifiable, consider the following:
  - Is the information sensitive in nature?
  - The nature of harm caused.
  - Who obtained or may obtain the information as a result of the breach?
  - Any action taken by the agency to reduce harm.
  - Whether the information is protected by security measures; and
  - Any other relevant matters.
- You must also advise the Office of the Privacy Commission as soon as practicable after becoming aware of a notifiable breach, either by email, by phone or using their online form.
- If a business receives a request for personal information, the business cannot destroy the information in order to avoid providing it.
- Where NZ businesses use overseas service providers e.g. cloud storage, the NZ business is treated as holding the personal information stored with the overseas provider, which means the NZ business remains responsible for complying with the privacy principles in respect of that information.
- In an amendment to Privacy Principle 4 (which sets out how personal information should be collected), agencies will be required to take into account the vulnerability of children and young people when collecting personal information from them.
What you will need to do:
- Undertake training with your staff about your process to follow in the event of a serious privacy breach.
- Make sure that you and your staff are aware of how to respond to requests for personal information.
- Make sure that all personal information is stored securely and disposed of securely when you have finished with it.
- If you are using an overseas-based agency, e.g. an IT service provider for cloud computing, ask them how they are meeting NZ privacy laws. A change to the Act means that you must have reasonable grounds to believe the person overseas complies with the Privacy Act or an equivalent law safeguarding privacy.
- Appoint a Privacy Officer; this is a requirement under the Privacy Act.
- Review your Privacy Statement.
- If required, use the Privacy Commission online learning.
Remember the same principles apply to your employees’ information.