Privacy and data protection is an evolving area of law as regulators try to keep up with fast-developing technologies, the rapid accumulation of data and increasingly sophisticated cyber-criminals.
Privacy Week 2025 runs from Monday 12 May to Friday 16 May. The theme is “Privacy on Purpose”, and the Office of the Privacy Commissioner (OPC) is offering a range of free webinars on privacy-related topics. Follow this link to find out more.
CONTENTS
New Zealand
Australia
International
New Zealand
Privacy Amendment Bill – feedback sought on IPP 3A guidance documents
Parliament has indicated that information privacy principle 3A (IPP 3A) will come into force on 1 May 2026. IPP 3A is part of the Privacy Amendment Bill, now at third reading stage.
IPP 3A will require agencies that collect personal information from third party sources to take reasonable steps to notify affected individuals of the indirect collection of their data.
The Office of the Privacy Commissioner (OPC) is seeking feedback on draft guidance documents relating to IPP 3A, including whether they are fit for purpose and easy to understand. Submissions close on 25 June.
Read the draft IPP 3A guidance documents, and give your feedback, here.
Statutes Amendment Bill
A number of changes to the Privacy Act 2020 are also being introduced through the Statutes Amendment Bill, reported back from the Governance and Administration Committee on 14 April 2025.
The Bill now clarifies that in cases where there are two or more related complaints, the six-month limitation period to bring proceedings to the Human Rights Review Tribunal will begin only after decisions have been made and notified in respect of each complaint.
To qualify as related, complaints must involve the same parties and must have been considered together by the Privacy Commissioner or Director of Human Rights Proceedings.
Biometrics Code
The OPC is developing a Biometric Processing Privacy Code to create more specific rules for agencies using biometric technologies to collect and process biometric data.
The OPC released a consultation draft of the Code in December 2024 and received over 100 submissions from the public and around 50 from organisations, businesses and government agencies. It expects to publish the final Code within the next few months.
Biometric data and technologies are already used in many areas of society and business including identity verification, border control, law enforcement, retail security and attendance monitoring.
More information is available here.
Social Media Age-Restricted User Bill
National has introduced a member’s bill that would require social media platforms to take all reasonable steps to prevent children under 16 from being an account-holder of “age-restricted media platforms”. An “age restricted media platform” is a platform whose primary purpose is to enable online social interactions between 2 or more end-users and which is designated by regulations as age-restricted. The bill is modelled on recently enacted Australian legislation. Act opposes the Bill so it will need either Labour or the Greens to get a majority.
See the draft Social Media Age-Restricted User Bill here.
Customer and Product Data Act 2025
The Customer and Product Data Act 2025 (CPD Act) came into force on 30 March 2025. It establishes a "consumer data right" in New Zealand, granting customers rights to their data and the right to require certain businesses to transfer their data to other trusted businesses.
The Privacy Commissioner is mentioned 48 times in the CPD Act and has a significant role in ensuring processes under the CPD Act comply with the Privacy Act’s information privacy principles. The CPD regime will be introduced on a sectoral basis, beginning with the banking sector.
“Sobering” public service inquiry prompts strong response
On 18 February, Public Service Commissioner Sir Brian Roche released the findings of the Public Service Commission’s inquiry into how government agencies protected 2023 census data and Covid-19 vaccination programme data.
Sir Brian said the findings of the inquiry made for “very sobering reading” and pointed to an unacceptable level of system failure that must be remedied.
The inquiry was prompted by, although did not directly address, allegations that Te Pāti Māori used the data for election purposes. That matter is being investigated separately by Police, the Privacy Commissioner and the Serious Fraud Office.
Among the initiatives announced by Sir Brian to improve processes within the public service are:
- work on a new public service information sharing standard for implementation by 1 July
- updated guidance and template for information sharing agreements, and
- strengthened accountability settings for all public service agencies when sharing data with third-party service providers.
Guidance for working with third party providers
Kordia recently released its 2025 New Zealand Business Cyber Security Report. The Privacy Commissioner, Michael Webster, has focussed on the Report’s finding that 35% of survey respondents identified cyber-attacks and data leaks arising from external providers as their biggest concern.
The OPC issued guidance in November last year to assist businesses to manage their privacy responsibilities in their interactions with third parties. The Commissioner clearly considers that businesses could make better use of this resource to help address their concerns.
“It’s clear that more consideration needs to be given to these privacy issues and it’s not a case of out of sight out of mind and thinking a third-party provider has everything covered.
“You can’t outsource the responsibility of taking care of personal information,” he said.
OPC annual report 2024
The OPC Annual Report for 2024 identifies compliance and enforcement as priorities for the current financial year. It records that the OPC triaged and reviewed 864 privacy breach notifications last year, of which 414 were reported as “serious privacy breaches”. This is similar to the 2023 numbers.
The report summarises the OPC’s recommended amendments to the Privacy Act 2020, to modernise it and strengthen privacy outcomes through:
- providing new rights such as a “right to erasure”
- establishing a new, stronger penalty regime
- requiring agencies to be able to demonstrate how they meet privacy requirements, and
- providing stronger protections for automated decision making, such as AI.
‘Hack report’ finds large insecurities
The latest ‘hack report’ from CyberCX, a trans-Tasman cyber security firm, shows large data risks, particularly in the utilities, transport and health sectors. Of the severe vulnerabilities uncovered in the survey, 90% were attributable to three causes:
- insufficient security measures built into applications
- inadequate management of identities and access to systems, and
- failure to maintain security updates or patches across systems.
Guidance for edge devices
The National Cyber Security Centre, together with the equivalent Australian, Canadian and UK national cyber security centres, has produced guidance on edge device security. The guidance documents are designed to give executives, managers, cyber security practitioners and procurement personnel practical information and strategies to help guard against the risk of targeted attacks on edge devices (firewalls, routers, virtual private network (VPN) gateways, internet of things (IoT) devices, internet-facing servers, and internet-facing operational technology systems).
These publications are part of an international cyber security agency initiative.
Guidance
AI guidance
Digital.Govt.NZ has released updated guidance to support public sector agencies “to explore generative artificial intelligence (GenAI) systems in ways that are safe, transparent and responsible”.
Guidance
Breaches
Health NZ breach
A malicious actor downloaded private information, including medical assessments and health-related correspondence, about Health NZ staff in the lower North Island (Capital and Coast, Hutt, Wairarapa) between 2020 and 2024.
There is no evidence that any of the data has been shared. The incident was reported to the Privacy Commissioner and the Police and is being investigated by the Cyber Crime Unit.
Employer ordered to pay more than $60k for privacy breaches
The Human Rights Review Tribunal has ordered Stonewood Group Limited to pay a former employee $60,000 for humiliation, loss of dignity and injury to feelings, and around $400 in damages, for breaches of the Privacy Act 1993.
The company had seized the employee’s work laptop and his personal USB drive and cell phone from his desk in March 2019 while he was out of the office, and used the data on them as the basis for dismissing him.
It later returned the phone but ignored repeated requests to return the information, including medical records and a tax return, even after receiving a “preliminary view” from the Privacy Commissioner in August 2019 that it was in breach of information privacy principles 1, 2 and 4.
In addition to the damages, the Tribunal ordered Stonewood to provide a full and complete copy of all his personal records and to ensure that all copies were deleted.
GCSB warns against online threats
The Government Communications Security Bureau (GCSB) has warned that cyber-attacks are becoming more sophisticated and frequent, affecting both government and private sector organisations.
The warning is part of a larger initiative to strengthen New Zealand's cyber resilience and to safeguard its critical infrastructure.
Cyber-attack on mainstreet retailer
James Pascoe Group, owner of the Farmers, Whitcoulls, Pascoes The Jewellers and Stewart Dawsons retail chains, was the victim of a cyber-attack in March. A survey by Kordia found that 59% of New Zealand businesses experienced a cyber incident in 2024.
Australia
New privacy tort
The Privacy and Other Legislation Amendment Act 2024, to come into force on 10 June 2025, will create a statutory tort for serious invasions of privacy, intentional or reckless, where the public interest in the person’s privacy outweighs any countervailing public interest.
AI privacy protection governance protocol
The Office of the Australian Information Commissioner (OAIC) has signed an international declaration with Korea, Ireland, France and the UK reaffirming its commitment to establishing data governance that fosters innovative and privacy-protective AI.
Joint statement
DeepSeek banned on Australian government devices
The Australian Government has prohibited the use of the Chinese AI platform DeepSeek on any government device. The decision is part of a wider initiative to shield sensitive data amid ongoing concerns about the China-based AI system.
Medibank cyberattack
Australia imposed further sanctions in February against the owner of ZServers, a Russian entity, and five Russian cyber criminals for their involvement in the 2022 cyberattack against medical insurer Medibank Private. In that attack, the personal details of 9.7 million current and former customers were stolen and published on the dark web.
The sanctions make it a criminal offence to supply the sanctioned entities and people with infrastructure and services to support the theft and dissemination of stolen data. The named individuals are also barred entry to Australia.
Ministerial press statement
Oxfam Australia provides enforceable undertaking
The OAIC has accepted an enforceable undertaking (EU) from Oxfam Australia after a data breach affecting up to 1.7m records.
The OAIC was clear that the acceptance of the EU “is not a finding that Oxfam has breached the Privacy Act nor the Australian Privacy Principles, but rather highlights the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices”.
Among the measures Oxfam has undertaken to implement are: a seven-year limit on the storage of certain personal information, avoiding the use of shared credentials, implementing password security controls, providing staff guidance, procedures and training, and using privacy threshold assessments for any project that involves handling personal information for testing purposes.
OAIC statement
Sanctions imposed on Terrorgram
The Australian Government has placed counter-terrorism financing sanctions on Terrorgram, a decentralised, international online network that advocates white supremacy and racially motivated violence.
The move follows a spate of antisemitic attacks and is the first instance of Australia putting an entirely online entity under sanction. Under these measures, it is illegal to engage with, or provide assets to, Terrorgram.
ACSC impersonated by scammers
The Australian Cyber Security Centre (ACSC) has released an alert cautioning Australians about scam emails and phishing calls that seek to trick people into sharing sensitive information or making fraudulent payments.
Individuals are advised to confirm the legitimacy of any message claiming to be from the ACSC by contacting it directly through official channels.
International
UK ICO on the use of children’s data in financial services
The UK Information Commissioner’s Office has released its review on the use of children’s data in the financial sector. The report explores:
- evidence of good practice
- risks to data protection compliance, and
- areas for improvement.
More information is available here
Apple pulls top encryption tool from UK
Apple is pulling its Advanced Data Protection tool from the UK after the UK Government demanded access to user data that the tool end-to-end encrypts so that no one, not even Apple, can read it.
BBC article
Guidelines for processing personal data through blockchains
The European Data Protection Board has adopted guidelines on the processing of personal data through blockchain technologies.
Guidelines
Breaches
Software provider fined £3m following ransomware attack
The ICO has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for failing to implement appropriate security safeguards, such as complete multi-factor authentication coverage, before a ransomware attack in which the personal information of 79,404 people was put at risk.
Advanced provides IT and software services to large organisations including the NHS.