Update from the Office of the Privacy Commissioner 28 November 2025

As the Privacy Act 2020 turns five on 1 December it’s a good time to reflect on recent amendments and to look at how it might be further improved.

The Privacy Amendment Act, which has been recently passed, broadens the notification requirements and introduces a new Information Privacy Principle IPP3A, which comes into force on 1 May 2026. Providing New Zealanders with more information about what organisations are holding their personal information will enable them to exercise their other privacy rights, such as the right to access or correct the personal information.

It’s important refinements like this are made to the Privacy Act, but more changes are needed to further strengthen it to suit today’s needs.

Keep an eye on our website, as over the next few weeks I’ll be talking more about how the Privacy Act 2020, and especially the introduction of mandatory breach reporting, was a big step forward towards protecting New Zealanders’ privacy. I’ll also be highlighting some possible changes which can be made to the Act, including changes to reflect the incredible technological developments we’ve seen over the last five years.

We see multimillion dollar penalties in Australia for firms who fail to protect personal information, but in New Zealand there’s no civil penalty regime. Stronger penalties are a great incentive toward making agencies take privacy seriously, but there are also other things that can be done to modernise the Privacy Act and strengthen privacy outcomes.

In the European Union, people have the right to ask organisations to delete their personal data if certain conditions apply. Adding the ‘right to erasure’ to privacy rules here would provide New Zealanders with the right to ask organisations to delete their personal information in certain circumstances. This right would reduce the harm arising from privacy breaches through reducing the amount of personal information an agency is holding.

New Zealanders also need stronger protections for the significant privacy risks which arise from automated decision-making, with problems such as inaccurate predictions, discrimination, unexplainable decisions, and a lack of accountability.

I’m also suggesting that agencies need to be able to demonstrate how they meet their privacy requirements, such as the privacy management programmes recommended by the OECD.

You might expect me to argue for more powers, but the New Zealand public also supports the need for Act reform. In our March 2025 privacy survey, three quarters said the Privacy Commissioner should have the power to:

  • audit the privacy practices of agencies,

  • issue small infringement fines for a privacy breach, and

  • ask Courts to issue large fines for serious privacy breaches.

Like-minded countries have been modernising their privacy regimes and we need to do the same to make sure the Privacy Act is fit for purpose for the modern digital age.

Ngā mihi,

Michael Webster
Privacy Commissioner


New guidance: information sharing for children and young people’s wellbeing and safety

People working in the children’s sector will often need to work together to ensure children and young people are getting the services and support they need to be safe, protected from harm and to thrive and succeed. New guidance shows them how.

The guidance provides material that people need to confidently make good and timely decisions. It covers sharing under the Oranga Tamariki Act (wellbeing and safety), the Family Violence Act (protection from family harm) and the Privacy Act (personal information) and includes useful tools such as quick reference guides and checklists.

There is no legislative barrier to information sharing when there is a wellbeing or safety concern for a child or young person and the Privacy Act does not stand in the way of protecting children from harm.

OPC’s work is part of the integrated government response (rec 7) relating to the Dame Karen Poutasi review in 2022.



Learn more about IPP3A

One of the important changes in the Privacy Amendment Act 2025 is the addition of Information Privacy Principle 3A, which comes into force on 1 May 2026.  

If an agency collects personal information indirectly, IPP3A will require them to take reasonable steps to make sure that the person concerned is told.

We’ve developed some guidance on IPP3A to help people understand the new requirements, which includes an IPP3A decision flowchart to help you figure out if you need to tell individuals that you have collected their information indirectly.

The guidance includes information on what collecting personal information indirectly means, the notification requirements of IPP3A, the differences from IPP3, timing of notifications, and exceptions when collecting information indirectly.

On 1 May 2026 all organisations will need to have their systems in place to comply with the new requirements. We are still considering how IPP3A will best apply to the Codes of Practice made under the Privacy Act, and you can expect to see consultation on this early next year.

Galleries, Libraries, Museums, and Archives readers will be especially interested in the IPP3A(5) guidance about archiving in the public interest.

Annual Report

Privacy complaints in our 2024/25 Annual Report are up 21% from 2023/24, which had also been a record year. The number of serious privacy breaches notified by organisations also rose 43% this year.

The Annual Report also showed:

  • A 40% increase in privacy complaints for investigation.

  • A 30% drop in privacy breaches notified by the public sector, while the private sector recorded a 133% increase in notifiable breaches.

  • 1208 privacy complaints dealt with as ‘fast resolve’, which means we acted swiftly to help people resolve their privacy concerns or provided agencies with information about how to comply with their obligations. This was 16% up from last year.

  • We negotiated financial reparation for 6.5% of the privacy complainants that we accepted for consideration.

We also made 12 submissions to select Committees during the year to ensure privacy was considered and provided sound privacy advice to dozens of agencies which helped them strengthen their privacy projects.

Read our submissions.

Read our Annual Report.


Simply Privacy courses

Simply Privacy is running its popular Privacy Officer Toolkit Workshop for new Privacy Officers on 3 and 4 March 2026.
