NZ: Privacy Act 2020

Regulator: Office of the Privacy Commissioner (OPC)
Jurisdiction: NZ
Status: live
Applicability: Platform
The Privacy Act 2020 replaced the Privacy Act 1993 and is New Zealand's primary personal information legislation. It restates and strengthens the 13 Information Privacy Principles (IPPs), introduces mandatory notification of privacy breaches that cause or are likely to cause serious harm, and adds a principle (IPP12) restricting disclosure of personal information to overseas recipients unless comparable safeguards apply. Every bank must comply with all 13 IPPs as a matter of law. The Office of the Privacy Commissioner (OPC) investigates complaints and has enforcement powers including issuing compliance notices; unresolved complaints about serious breaches can be taken to the Human Rights Review Tribunal.

The IPPs govern every stage of the information lifecycle: collection (IPP1–4), storage and security (IPP5), access and correction (IPP6–7), accuracy (IPP8), retention (IPP9), use (IPP10), disclosure (IPP11), disclosure outside New Zealand (IPP12) and unique identifiers (IPP13). Under s.113 an agency that becomes aware of a notifiable privacy breach (one it is reasonable to believe has caused, or is likely to cause, serious harm to affected individuals) must notify the OPC and the affected individuals as soon as practicable; OPC guidance is that it expects to be notified no later than 72 hours after the agency becomes aware of the breach. An access request under IPP6 must be decided within 20 working days of receipt. Working days under the Act exclude weekends, public holidays and the period from 25 December to 15 January, so a deadline calculator that only skips weekends will compute the wrong date for requests received in December.
Compliance register
This register maps every material obligation under the Act to the platform control or institutional
process that satisfies it. It is the static traceability layer for the Totara compliance report —
dynamic data (module build status, test evidence, control test dates) is overlaid at runtime.
Scope legend

| Symbol | Meaning |
| --- | --- |
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform (training programmes, board governance, HR, legal). Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |

Build legend

| Symbol | Meaning |
| --- | --- |
| ✅ | Module built and deployed |
| 🔨 | Module planned, not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap: no module attributed |
IPP1–4 — Collection principles

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| IPP1 | Collect personal information only for a lawful purpose connected with a function or activity of the bank, and only where collection is necessary for that purpose | 📊 Evidenced | PRI-001 | MOD-052 (AUTO) — role-scoped data access enforces minimum necessary at the API; collection scope is defined in product T&Cs and recorded in the data inventory | 🔨 |
| IPP2 | Collect information directly from the individual concerned where practicable | 🏛 Institutional | PRI-001 | Product onboarding flow is designed to collect directly from the customer; exceptions (e.g. bureau data) are documented in the Privacy Impact Assessment programme | — |
| IPP3 | Take reasonable steps to ensure the individual knows what information is being collected, why, and who will receive it | 🤖 Automated | PRI-001 | MOD-072 (AUTO) — customer profile module presents the privacy notice at onboarding and at each subsequent data collection point; acknowledgement recorded | 🔨 |
| IPP4 | Collect information by means that are lawful, fair and not unreasonably intrusive | 🏛 Institutional | PRI-001 | Privacy Impact Assessment programme reviews all new collection initiatives; institutional process outside platform scope | — |
IPP5 — Storage and security

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| IPP5 | Protect personal information by reasonable security safeguards against loss, unauthorised access, use, modification, disclosure and other misuse | 🤖 Automated | PRI-001, DT-004 | MOD-046 (GATE) — no standing production data access; every session approved, time-limited and logged; MOD-052 (AUTO) — role-scoped access limits exposure; MOD-044 (GATE) — JWT RBAC enforces least privilege at the API gateway; MOD-104 (GATE) — encryption at rest enforced via KMS CMKs at infrastructure bootstrap | 🔨 |
IPP6–7 — Access and correction

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| IPP6 / s.44 | Individual is entitled to confirmation of whether the bank holds personal information about them and to access it; the bank must decide the request as soon as reasonably practicable and no later than 20 working days after receiving it | 🤖 Automated | PRI-006 | MOD-148 (AUTO) — access request workflow receives, triages and fulfils requests; 20-working-day SLA enforced with automated escalation if at risk; MOD-071 (AUTO) — customer self-service balance and transaction history available in-app without a formal request | 🔨 |
| IPP7 / s.47 | Individual may request correction of personal information; where the bank does not make the correction it must, on request, attach a statement of the correction sought | 🤖 Automated | PRI-006 | MOD-072 (AUTO) — customer profile module provides self-service correction of contact and preference data; corrections to regulated identity fields trigger re-verification via MOD-010; MOD-148 (AUTO) — access request workflow handles formal correction requests and records the correction-sought statement where a correction is declined | 🔨 |
IPP8–9 — Accuracy and retention

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| IPP8 | Before using or disclosing, take reasonable steps to ensure information is accurate, up to date, complete, relevant and not misleading | 🤖 Automated | PRI-003 | MOD-010 (AUTO) — CDD periodic review updates customer records; MOD-072 (AUTO) — customer-initiated corrections update the authoritative record in real time | 🔨 |
| IPP9 | Do not retain personal information longer than required for the purposes for which it may lawfully be used | 🤖 Automated | PRI-003 | MOD-103 (AUTO) — Neon database provisioned per data classification with retention schedules; automated expiry and deletion runs against the retention schedule; institutional policy defines the schedule, platform enforces it | 🔨 |
IPP10–11 — Use and disclosure

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| IPP10 | Use personal information only for the purpose for which it was obtained, or a directly related purpose, unless an IPP10 exception applies (e.g. the individual authorises the use) | 🤖 Automated | PRI-001, DT-004 | MOD-052 (AUTO) — role-scoped data access prevents use outside the authorised scope; purpose is tied to role and enforced at the API layer, not the UI layer, so a modified client cannot widen it | 🔨 |
| IPP11 | Do not disclose personal information unless the disclosure is one of the purposes for which it was obtained (or directly related) or another permitted ground applies | 🤖 Automated | PRI-001 | MOD-052 (AUTO) — disclosure requires an authorised role; no bulk export or cross-system disclosure without a defined data sharing control; MOD-046 (GATE) — privileged access management prevents ad hoc extraction | 🔨 |
Breach notification (s.113)

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| s.113(1) | On becoming aware of a privacy breach that it is reasonable to believe has caused, or is likely to cause, serious harm to affected individuals, notify the OPC as soon as practicable | 🤖 Automated | PRI-002 | MOD-150 (AUTO) — security anomalies (CloudTrail failures, Cognito brute-force, Secrets Manager anomalies) are auto-classified as potential breaches; the notification timer starts automatically on classification, and the serious-harm assessment is recorded against it | 🔨 |
| s.113(2) | Notify affected individuals of the notifiable breach as soon as practicable, unless a statutory exception applies | 🤖 Automated | PRI-002 | MOD-150 (AUTO) — breach classification workflow triggers notification assembly; regulator API submission automated where available; customer notification dispatched via notification orchestration | 🔨 |
| s.113 guidance | OPC expects to be notified no later than 72 hours after the agency becomes aware of a notifiable breach | 🤖 Automated | PRI-002 | MOD-150 (AUTO) — breach severity classification gate starts the 72-hour timer on detection (earlier than the statutory "becomes aware" trigger, so the platform clock is the conservative one); breach response SLA monitored automatically | 🔨 |
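The IPP6 row above fixes a 20-working-day clock and the s.113 rows a 72-hour one, and the two run on different calendars: working days under the Act skip weekends, public holidays and 25 December to 15 January, while the OPC's 72 hours are calendar hours from the point the bank becomes aware. The following Python is an added example of how such SLA clocks can be computed and escalated; it is not MOD-148 or MOD-150 and not taken from the page's source repository. The public-holiday calendar is a constructed input (in a deployment it would be maintained institutionally), and the escalation thresholds of 5 working days and 24 hours are assumptions, not statutory or OPC figures.

```python
"""SLA clocks for two Privacy Act 2020 obligations: the 20-working-day access
request deadline (IPP6 / s.44) and the OPC's 72-hour breach notification
expectation (s.113). Added illustration, not the platform's own code."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Constructed public-holiday calendar for 2026 (assumption: in a deployment this
# is an institutional input maintained by the Privacy Officer, not hard-coded).
PUBLIC_HOLIDAYS = {
    date(2026, 2, 6),    # Waitangi Day
    date(2026, 4, 3),    # Good Friday
    date(2026, 4, 6),    # Easter Monday
    date(2026, 4, 27),   # Anzac Day observed (25 April 2026 is a Saturday)
    date(2026, 6, 1),    # King's Birthday
    date(2026, 7, 10),   # Matariki
    date(2026, 10, 26),  # Labour Day
}


def is_working_day(d: date) -> bool:
    """Working day as the Act defines it: not a weekend, not a public holiday,
    and not inside the 25 December to 15 January window the Act excludes."""
    if d.weekday() >= 5 or d in PUBLIC_HOLIDAYS:
        return False
    if (d.month == 12 and d.day >= 25) or (d.month == 1 and d.day <= 15):
        return False
    return True


def add_working_days(start: date, n: int) -> date:
    """Date n working days after start; the day of receipt is not counted."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if is_working_day(d):
            remaining -= 1
    return d


def working_days_remaining(today: date, due: date) -> int:
    """Working days after today up to and including due; negative once overdue."""
    lo, hi, sign = (today, due, 1) if due >= today else (due, today, -1)
    span = (hi - lo).days
    return sign * sum(1 for i in range(1, span + 1) if is_working_day(lo + timedelta(days=i)))


@dataclass(frozen=True)
class SlaStatus:
    due: date            # date for access requests, datetime for breaches
    remaining: float     # working days or hours, per `unit`
    unit: str
    at_risk: bool        # inside the escalation window but not yet overdue
    overdue: bool


def access_request_deadline(received: date) -> date:
    """IPP6 / s.44: decision due no later than 20 working days after receipt."""
    return add_working_days(received, 20)


def access_request_status(received: date, today: date, escalate_at: int = 5) -> SlaStatus:
    """escalate_at is an assumed threshold in working days, not a statutory figure."""
    due = access_request_deadline(received)
    left = working_days_remaining(today, due)
    return SlaStatus(due, left, "working days", at_risk=0 <= left <= escalate_at, overdue=left < 0)


def breach_notification_deadline(detected: datetime) -> datetime:
    """OPC expectation: notify within 72 calendar hours, not working days."""
    return detected + timedelta(hours=72)


def breach_status(detected: datetime, now: datetime, escalate_at_hours: float = 24) -> SlaStatus:
    """escalate_at_hours is an assumed threshold, not OPC guidance."""
    due = breach_notification_deadline(detected)
    left = (due - now).total_seconds() / 3600
    return SlaStatus(due, left, "hours", at_risk=0 <= left <= escalate_at_hours, overdue=left < 0)


if __name__ == "__main__":
    # A request received on the last Monday of November: the shutdown window pushes
    # the deadline into the new year, and on 23 December only three working days
    # remain even though the calendar gap is 27 days, so escalation fires.
    received = date(2026, 11, 30)
    print("access request due:", access_request_deadline(received))
    print(access_request_status(received, date(2026, 12, 23)))
    detected = datetime(2026, 5, 22, 9, 0, tzinfo=timezone.utc)
    print(breach_status(detected, detected + timedelta(hours=50)))
```

Two design points: the deadline is anchored to the date the request is received, not the date it is triaged, because that is what the statute counts from; and the breach clock is kept in timezone-aware UTC so a detection logged by an AWS-side alert and a decision made by a person in Auckland cannot disagree about when 72 hours elapsed.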
Cross-border disclosure (IPP12)

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| IPP12 | Do not disclose personal information to a foreign person or entity unless an IPP12 ground applies, e.g. the recipient is subject to comparable privacy safeguards (by law, a prescribed binding scheme or contract) or the individual expressly authorises the disclosure after being told the safeguards may not be comparable | 🏛 Institutional | PRI-001 | Cloud provider data processing agreements and cross-border transfer assessments are institutional (Legal / Privacy Officer); platform data residency is enforced by MOD-103 (AWS region configuration). Information a cloud provider stores purely on the bank's behalf is treated as held by the bank and governed by IPP5; IPP12 is engaged where an overseas party receives the information for its own purposes | — |
Privacy Impact Assessments

| Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Conduct Privacy Impact Assessments for new processing activities with significant privacy implications | 🏛 Institutional | PRI-005 | PIA process is owned by the Privacy Officer and run for every new product or major feature; platform design artefacts provide the technical input but the PIA itself is institutional | — |

| Obligation | Owner | Platform evidence input |
| --- | --- | --- |
| Designation of Privacy Officer | Board / CEO | Institutional HR record |
| Privacy training programme | Privacy Officer / Chief People Officer | Platform access acknowledgement logs via MOD-049 |
| Regulatory responses to OPC investigations | Privacy Officer | MOD-148 and MOD-052 provide audit evidence extracts |
| Review of third-party data sharing arrangements | Privacy Officer / Legal | Institutional contracts; platform provides data lineage |
Coverage summary

| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
| --- | --- | --- | --- | --- | --- |
| Collection (IPP1–4) | 4 | 1 | 1 | 2 | 0 |
| Storage and security (IPP5) | 1 | 1 | 0 | 0 | 0 |
| Access and correction (IPP6–7) | 2 | 2 | 0 | 0 | 0 |
| Accuracy and retention (IPP8–9) | 2 | 2 | 0 | 0 | 0 |
| Use and disclosure (IPP10–11) | 2 | 2 | 0 | 0 | 0 |
| Breach notification (s.113) | 3 | 3 | 0 | 0 | 0 |
| Cross-border disclosure (IPP12) | 1 | 0 | 0 | 1 | 0 |
| Privacy Impact Assessments | 1 | 0 | 0 | 1 | 0 |
| Total | 16 | 11 (69%) | 1 (6%) | 4 (25%) | 0 |
All attributed modules are currently build_status: Not started — the compliance position will
update as modules are built and deployed.
| Policy | Title |
| --- | --- |
| PRI-001 | Privacy Policy |
| PRI-002 | Data Breach Response Policy |
| PRI-003 | Personal Information Retention & Destruction Policy |
| PRI-005 | Privacy Impact Assessment Policy |
| PRI-006 | Customer Data Access & Correction Policy |
| DT-004 | Data Governance Policy |
| DT-009 | AI & Algorithm Policy |
| REP-010 | Credit Reporting & Bureau Submission |
Policies referencing this standard
- DT-004 — Data Governance Policy
- DT-009 — AI & Algorithm Policy
- PRI-001 — Privacy Policy
- PRI-002 — Data Breach Response Policy
- PRI-003 — Personal Information Retention & Destruction Policy
- PRI-005 — Privacy Impact Assessment Policy
- PRI-006 — Customer Data Access & Correction Policy
- REP-010 — Credit Reporting & Bureau Submission
Compiled 2026-05-22 from source/entities/regulations/nz-privacy-act.yaml