Can my NZ business collect biometric information from staff or customers?

Yes, but only if you comply with the new Biometric Processing Privacy Code, which took effect in 2025. The Code sits on top of the Privacy Act 2020 and adds specific rules for any agency that collects or processes biometric information. You must carry out a proportionality assessment (essentially a PIA), have clear notification, consider less privacy-intrusive alternatives, and meet heightened transparency requirements. Retail, workplace and identity verification use cases are all in scope.

What did the Biometric Processing Privacy Code change?

The Code introduced specific obligations for biometric processing that don't apply to ordinary personal information. The most important changes are: a mandatory proportionality test before deployment, specific notification requirements, restrictions on certain use cases, and a requirement to consider alternatives. The Code applies to biometric identification and categorisation, including facial recognition, fingerprint, voice and behavioural biometrics. If your business uses any biometric technology, you need to document your compliance now.

Do I need consent to use facial recognition in my business?

Consent is not always required, but it is usually the safest legal basis. The Privacy Act 2020 allows collection of personal information for a lawful purpose connected to a function or activity of the agency, but the Biometric Processing Privacy Code adds a proportionality test. For retail loss prevention, that test is particularly demanding and the Privacy Commissioner has issued guidance indicating that many deployments will not meet it. Don't deploy facial recognition without a written assessment and, ideally, legal sign off.

What are the core obligations under the Privacy Act 2020?

The Privacy Act 2020 requires every agency (which includes most businesses) to comply with 13 Information Privacy Principles, to appoint a Privacy Officer, to notify the Privacy Commissioner and affected individuals of notifiable privacy breaches, and to respond to access and correction requests. The IPPs cover the full lifecycle of personal information: collection, use, disclosure, storage, access, correction and destruction. IPP 12 adds restrictions on sending personal information overseas.

Do I need to appoint a Privacy Officer?

Yes. Every agency must have at least one Privacy Officer under section 201 of the Privacy Act 2020. The role can be held by a staff member (it does not need to be a lawyer) and is responsible for ensuring compliance, dealing with complaints and requests, and working with the Privacy Commissioner. For smaller businesses, outsourcing the Privacy Officer function to an external adviser is a lawful and cost-effective option, particularly where you want independence from operational decisions.

How does IPP 12 affect cross-border data transfers?

IPP 12 restricts disclosure of personal information to a foreign person or entity unless one of the prescribed safeguards applies. The most common routes are: the recipient is in a country with comparable privacy laws; the recipient is bound by contract to comparable standards; or the individual authorises the transfer. If you use overseas cloud providers, SaaS tools, offshore contractors or global AI vendors, IPP 12 almost certainly applies. Contract terms need to do the work here.

What should a New Zealand data sharing agreement include?

A good data sharing agreement sets out: the purpose and legal basis for the sharing; the scope of the data; the IPP compliance allocation; security and breach obligations; audit rights; term and termination (including return or destruction of data); liability caps and indemnities; and any specific obligations under the Privacy Act 2020 for joint controllers or processors. For public-private arrangements, Te Tiriti and Māori data considerations also need to be built in. Don't rely on a boilerplate MSA.

When does a commercial contract need a Data Processing Agreement?

A DPA should be attached whenever one party is processing personal information on behalf of the other. In NZ that includes most SaaS agreements, outsourced services, marketing automation, payroll, customer support platforms and AI tools. The DPA sets out the processor's obligations, security standards, breach notification timing, sub-processor approval, and audit rights. It also allocates liability. I draft and negotiate DPAs regularly and can usually turn a short one around quickly.

What is a privacy maturity assessment?

A privacy maturity assessment is a structured review of how well your organisation manages privacy across people, processes, systems and governance. Unlike a PIA, which looks at a single project, a maturity assessment looks at the whole business. It benchmarks where you are today against a recognised framework (such as the Privacy Maturity Assessment Framework), identifies the gaps, and produces a roadmap to lift your maturity over 6, 12 and 24 months. Boards and senior leaders increasingly expect one.

Why should my business consider a privacy maturity assessment?

Three reasons. First, it gives your board and executive team an honest, independent picture of your privacy risk, not just whether you comply, but how robust your controls actually are. Second, it prioritises investment, so you spend money on the gaps that matter most. Third, it creates a defensible record that you are taking privacy seriously, which is valuable if the Privacy Commissioner ever comes knocking or a deal partner asks for assurance. For banks, insurers, health providers and other regulated businesses, a maturity assessment is fast becoming the minimum expected standard.

Why should a privacy maturity assessment be done by a lawyer?

This is the question I get asked most often, and my answer is: because a maturity assessment is a legal risk exercise dressed up as an operational review. A consultant can tell you whether you have a policy. A privacy lawyer can tell you whether that policy actually protects you under the Privacy Act 2020, whether your information sharing arrangements are lawful, whether your cross-border transfers comply with IPP 12, and whether your AI and biometric deployments would survive regulatory scrutiny. Just as importantly, a lawyer-led assessment is protected by legal professional privilege, which means the findings (including uncomfortable ones) are confidential and cannot be used against you by a regulator or in litigation. A consultant report has none of that protection. For serious maturity work, privilege is the single biggest reason to use a lawyer.

What does the assessment actually cover?

A proper maturity assessment covers ten areas: governance and accountability, policies and procedures, privacy notices and consent, data inventory and mapping, information lifecycle management, security and breach response, individual rights (access, correction, complaints), third party and vendor management, training and culture, and monitoring and assurance. For each area, I score your current state against the framework, identify the gaps, flag the legal risks, and recommend specific, prioritised actions. The output is a board ready report plus a practical action plan your operational team can work from.

How long does a privacy maturity assessment take?

For a small to mid-sized NZ business, expect four to six weeks from kickoff to final report. That includes initial scoping, document review, interviews with key staff (typically 6-10 people), benchmarking, drafting, and a presentation to the leadership team or board. For larger or more complex organisations it can run longer. I scope every engagement upfront, many with a fixed fee, so there are no surprises, and I work alongside your team so you build internal capability as we go.

What does responsible AI actually mean for a NZ business?

In practical terms, responsible AI means you have a documented process for deciding when to use AI, how to use it, and how to stop using it if things go wrong. It covers risk assessment, data quality, human oversight, bias testing, explainability, contractual allocation of risk, and ongoing monitoring. NZ does not have dedicated AI legislation yet, but existing laws, the Privacy Act 2020, the Fair Trading Act 1986, the Human Rights Act 1993, and common law negligence, all apply to AI deployments. Ignoring them is a commercial risk, not just a compliance one.

How does the Privacy Act 2020 apply to AI?

The Privacy Act applies to AI in two ways. First, if you train a model on personal information, each of the 13 IPPs applies, including the need for a lawful purpose, notification, and limits on use and disclosure. Second, if you use an AI tool that processes personal information (for example, summarising customer emails or screening CVs), you are collecting and using that information under the Act. The Privacy Commissioner has been clear that AI vendors and AI users are both accountable. Contract terms with your AI vendor matter.

What should an AI governance framework include?

A workable framework has five elements: (1) a clear scope of what counts as AI in your organisation; (2) a risk tiering model so low-risk uses don't get bogged down; (3) a pre-deployment assessment process (similar to a PIA but broader); (4) clear ownership and escalation; and (5) ongoing monitoring and review. It should also deal with staff use of third-party AI tools like ChatGPT or Claude, which is where most NZ businesses have unmanaged risk right now.

Do contracts with AI vendors need special clauses?

Yes. Standard SaaS contract templates are not fit for purpose. At a minimum you need clauses covering: training data rights, prohibition on using your data to train general models, indemnities for IP infringement in outputs, transparency about model versions and changes, audit rights, incident notification, and clear allocation of liability for automated decisions. I regularly review vendor contracts and flag the gaps, it is often the fastest way to reduce AI risk in a business.

When does my business need to do a Privacy Impact Assessment?

There is no general legal requirement to carry out a PIA in NZ. But the Privacy Commissioner strongly expects one before you launch any project that involves new or high risk personal information use. That includes biometrics, AI systems, large-scale data sharing, profiling, and cross-border data transfers. Government agencies are expected to complete PIAs under the Government Chief Privacy Officer model. For private businesses, a PIA is the single best tool to show you took reasonable steps to comply with the Privacy Act 2020 if something later goes wrong.

What does a proper PIA cover?

A useful PIA goes well beyond a compliance checklist. It maps the information flows, tests the project against each of the 13 Information Privacy Principles, assesses the risks to individuals, identifies mitigations, and records the decisions made. It should also cover Te Tiriti and Māori data considerations where relevant. The output should be a document you can hand to the Privacy Commissioner and say: here is how we thought about this. A rushed tick-box PIA is often worse than no PIA at all.

Should we do the PIA in-house or bring in an external lawyer?

Simple, low-risk projects can often be handled internally using a PIA template. For anything involving biometrics, AI, cross-border transfer, sensitive data or public sector partners, an external privacy lawyer adds independence and defensibility. I typically work alongside your team, so you keep ownership of the project, but you have a senior privacy voice challenging assumptions and drafting the final document.

Is Your Privacy Breach Notifiable? How NZ Businesses Should Assess "Serious Harm"

Apr 8
4 min read

A data breach has happened. Files were accessed. A laptop was stolen. An email went to the wrong person. The question every in-house team faces next is: do we need to notify the Privacy Commissioner?

Getting this assessment wrong carries real consequences. Failing to report a notifiable privacy breach is an interference with privacy under the Privacy Act 2020. But over-reporting is not ideal either, as it can create unnecessary alarm and reputational risk. The key lies in understanding what the Act means by "serious harm", and how to apply that test under pressure.

What Makes a Privacy Breach Notifiable in New Zealand

Under Part 6 of the Privacy Act 2020, an organisation must notify both the Office of the Privacy Commissioner (OPC) and affected individuals if a privacy breach has caused, or is likely to cause, serious harm to any affected person.

The trigger is not just whether a breach has occurred. It is whether it has caused, or is likely to cause, serious harm. That distinction matters. Not every breach meets the threshold. But many more do than organisations expect.

The Privacy Commissioner has made clear that the expectation is to notify within 72 hours of becoming aware that a breach is notifiable. That leaves very little time to conduct the assessment, which is why having a framework ready before a breach happens is critical.

How to Assess Whether a Breach Is Likely to Cause Serious Harm

The Act does not define "serious harm." Instead, it sets out factors organisations must consider when making the assessment. These include:

The nature of the information involved. Health data, financial details, and government identifiers are more likely to cause serious harm than a name or business email address.
What action the organisation has taken to reduce the risk. If you have contained the breach quickly, encrypted the data, or confirmed it has not been accessed, that may reduce the likelihood of harm.
Whether the information is protected by a security measure. Encrypted data that remains encrypted is less likely to cause harm than data stored in plain text.
The nature of the harm that could result. This includes financial loss, identity theft, physical safety risks, psychological harm, and reputational damage.

The Privacy Commissioner has indicated that organisations should err on the side of notifying. If there is genuine uncertainty about whether the threshold is met, it is generally safer to report than to stay silent.

What the Manage My Health Inquiry Signals for In-House Teams

The Privacy Commissioner's inquiry into the Manage My Health breach, announced in January 2026, is worth watching closely. The inquiry is examining the adequacy of security safeguards in place at the time of the breach, as well as the scale of data affected and whether certain communities were disproportionately impacted.

This inquiry is being conducted under section 17(1)(i) of the Privacy Act. It signals that the Commissioner is willing to use formal inquiry powers where the breach involves sensitive data at scale. For in-house teams, the message is clear: the Commissioner is looking not just at what happened, but at whether the organisation was adequately prepared.

The first phase of the inquiry is expected to report by 30 April 2026, and its findings may well set expectations for what "reasonable security safeguards" look like in practice.

What the Privacy Commissioner Expects From Organisations

The OPC's guidance makes several expectations clear. Organisations should have a breach response plan in place before an incident occurs. They should be able to identify and contain a breach quickly. And they should be ready to notify within 72 hours of determining the breach is notifiable.

The Commissioner has also signalled a desire for stronger enforcement powers. In late 2025, the Commissioner stated publicly that the Privacy Act "needs further changes." While no legislative reform has been introduced yet, in-house teams should be aware that the regulatory direction is towards greater accountability, not less.

The Human Rights Review Tribunal can award damages of up to $350,000 per affected person for interferences with privacy. That figure alone should prompt organisations to take the notification assessment seriously.

Practical Steps Worth Taking

Consider building a breach assessment framework now, before a breach occurs. A simple decision tree that maps the "serious harm" factors to your organisation's data types can save critical time during an incident.
It may be worth reviewing your breach response plan to check it includes clear escalation paths, designated decision-makers, and template notification letters for both the OPC and affected individuals.
Think about whether your team knows where your most sensitive personal information is held. If you cannot quickly identify what data was affected in a breach, your 72-hour clock becomes much harder to meet.
Consider running a tabletop exercise with your team. Walking through a simulated breach scenario exposes gaps in your process that are easier to fix before the pressure is real.
It may be worth seeking legal advice on your current breach readiness, particularly if your organisation handles health data, financial information, or large volumes of personal information.

Every business is different, and whether these issues apply to you will depend on your specific circumstances. If you would like to talk through what this means for your business, I would love to help. Get in touch at rachel@obrienlegal.co.nz or visit obrienlegal.co.nz.

This post is general information only and is not legal advice. If you have specific questions about your situation, please seek independent legal advice.