Can my NZ business collect biometric information from staff or customers?

Yes, but only if you comply with the new Biometric Processing Privacy Code, which took effect in 2025. The Code sits on top of the Privacy Act 2020 and adds specific rules for any agency that collects or processes biometric information. You must carry out a proportionality assessment (essentially a PIA), have clear notification, consider less privacy-intrusive alternatives, and meet heightened transparency requirements. Retail, workplace and identity verification use cases are all in scope.

What did the Biometric Processing Privacy Code change?

The Code introduced specific obligations for biometric processing that don't apply to ordinary personal information. The most important changes are: a mandatory proportionality test before deployment, specific notification requirements, restrictions on certain use cases, and a requirement to consider alternatives. The Code applies to biometric identification and categorisation, including facial recognition, fingerprint, voice and behavioural biometrics. If your business uses any biometric technology, you need to document your compliance now.

Do I need consent to use facial recognition in my business?

Consent is not always required, but it is usually the safest legal basis. The Privacy Act 2020 allows collection of personal information for a lawful purpose connected to a function or activity of the agency, but the Biometric Processing Privacy Code adds a proportionality test. For retail loss prevention, that test is particularly demanding and the Privacy Commissioner has issued guidance indicating that many deployments will not meet it. Don't deploy facial recognition without a written assessment and, ideally, legal sign off.

What are the core obligations under the Privacy Act 2020?

The Privacy Act 2020 requires every agency (which includes most businesses) to comply with 13 Information Privacy Principles, to appoint a Privacy Officer, to notify the Privacy Commissioner and affected individuals of notifiable privacy breaches, and to respond to access and correction requests. The IPPs cover the full lifecycle of personal information: collection, use, disclosure, storage, access, correction and destruction. IPP 12 adds restrictions on sending personal information overseas.

Do I need to appoint a Privacy Officer?

Yes. Every agency must have at least one Privacy Officer under section 201 of the Privacy Act 2020. The role can be held by a staff member (it does not need to be a lawyer) and is responsible for ensuring compliance, dealing with complaints and requests, and working with the Privacy Commissioner. For smaller businesses, outsourcing the Privacy Officer function to an external adviser is a lawful and cost-effective option, particularly where you want independence from operational decisions.

How does IPP 12 affect cross-border data transfers?

IPP 12 restricts disclosure of personal information to a foreign person or entity unless one of the prescribed safeguards applies. The most common routes are: the recipient is in a country with comparable privacy laws; the recipient is bound by contract to comparable standards; or the individual authorises the transfer. If you use overseas cloud providers, SaaS tools, offshore contractors or global AI vendors, IPP 12 almost certainly applies. Contract terms need to do the work here.

What should a New Zealand data sharing agreement include?

A good data sharing agreement sets out: the purpose and legal basis for the sharing; the scope of the data; the IPP compliance allocation; security and breach obligations; audit rights; term and termination (including return or destruction of data); liability caps and indemnities; and any specific obligations under the Privacy Act 2020 for joint controllers or processors. For public-private arrangements, Te Tiriti and Māori data considerations also need to be built in. Don't rely on a boilerplate MSA.

When does a commercial contract need a Data Processing Agreement?

A DPA should be attached whenever one party is processing personal information on behalf of the other. In NZ that includes most SaaS agreements, outsourced services, marketing automation, payroll, customer support platforms and AI tools. The DPA sets out the processor's obligations, security standards, breach notification timing, sub-processor approval, and audit rights. It also allocates liability. I draft and negotiate DPAs regularly and can usually turn a short one around quickly.

What is a privacy maturity assessment?

A privacy maturity assessment is a structured review of how well your organisation manages privacy across people, processes, systems and governance. Unlike a PIA, which looks at a single project, a maturity assessment looks at the whole business. It benchmarks where you are today against a recognised framework (such as the Privacy Maturity Assessment Framework), identifies the gaps, and produces a roadmap to lift your maturity over 6, 12 and 24 months. Boards and senior leaders increasingly expect one.

Why should my business consider a privacy maturity assessment?

Three reasons. First, it gives your board and executive team an honest, independent picture of your privacy risk, not just whether you comply, but how robust your controls actually are. Second, it prioritises investment, so you spend money on the gaps that matter most. Third, it creates a defensible record that you are taking privacy seriously, which is valuable if the Privacy Commissioner ever comes knocking or a deal partner asks for assurance. For banks, insurers, health providers and other regulated businesses, a maturity assessment is fast becoming the minimum expected standard.

Why should a privacy maturity assessment be done by a lawyer?

This is the question I get asked most often, and my answer is: because a maturity assessment is a legal risk exercise dressed up as an operational review. A consultant can tell you whether you have a policy. A privacy lawyer can tell you whether that policy actually protects you under the Privacy Act 2020, whether your information sharing arrangements are lawful, whether your cross-border transfers comply with IPP 12, and whether your AI and biometric deployments would survive regulatory scrutiny. Just as importantly, a lawyer-led assessment is protected by legal professional privilege, which means the findings (including uncomfortable ones) are confidential and cannot be used against you by a regulator or in litigation. A consultant report has none of that protection. For serious maturity work, privilege is the single biggest reason to use a lawyer.

What does the assessment actually cover?

A proper maturity assessment covers ten areas: governance and accountability, policies and procedures, privacy notices and consent, data inventory and mapping, information lifecycle management, security and breach response, individual rights (access, correction, complaints), third party and vendor management, training and culture, and monitoring and assurance. For each area, I score your current state against the framework, identify the gaps, flag the legal risks, and recommend specific, prioritised actions. The output is a board ready report plus a practical action plan your operational team can work from.

How long does a privacy maturity assessment take?

For a small to mid-sized NZ business, expect four to six weeks from kickoff to final report. That includes initial scoping, document review, interviews with key staff (typically 6-10 people), benchmarking, drafting, and a presentation to the leadership team or board. For larger or more complex organisations it can run longer. I scope every engagement upfront, many with a fixed fee, so there are no surprises, and I work alongside your team so you build internal capability as we go.

What does responsible AI actually mean for a NZ business?

In practical terms, responsible AI means you have a documented process for deciding when to use AI, how to use it, and how to stop using it if things go wrong. It covers risk assessment, data quality, human oversight, bias testing, explainability, contractual allocation of risk, and ongoing monitoring. NZ does not have dedicated AI legislation yet, but existing laws, the Privacy Act 2020, the Fair Trading Act 1986, the Human Rights Act 1993, and common law negligence, all apply to AI deployments. Ignoring them is a commercial risk, not just a compliance one.

How does the Privacy Act 2020 apply to AI?

The Privacy Act applies to AI in two ways. First, if you train a model on personal information, each of the 13 IPPs applies, including the need for a lawful purpose, notification, and limits on use and disclosure. Second, if you use an AI tool that processes personal information (for example, summarising customer emails or screening CVs), you are collecting and using that information under the Act. The Privacy Commissioner has been clear that AI vendors and AI users are both accountable. Contract terms with your AI vendor matter.

What should an AI governance framework include?

A workable framework has five elements: (1) a clear scope of what counts as AI in your organisation; (2) a risk tiering model so low-risk uses don't get bogged down; (3) a pre-deployment assessment process (similar to a PIA but broader); (4) clear ownership and escalation; and (5) ongoing monitoring and review. It should also deal with staff use of third-party AI tools like ChatGPT or Claude, which is where most NZ businesses have unmanaged risk right now.

Do contracts with AI vendors need special clauses?

Yes. Standard SaaS contract templates are not fit for purpose. At a minimum you need clauses covering: training data rights, prohibition on using your data to train general models, indemnities for IP infringement in outputs, transparency about model versions and changes, audit rights, incident notification, and clear allocation of liability for automated decisions. I regularly review vendor contracts and flag the gaps, it is often the fastest way to reduce AI risk in a business.

When does my business need to do a Privacy Impact Assessment?

There is no general legal requirement to carry out a PIA in NZ. But the Privacy Commissioner strongly expects one before you launch any project that involves new or high risk personal information use. That includes biometrics, AI systems, large-scale data sharing, profiling, and cross-border data transfers. Government agencies are expected to complete PIAs under the Government Chief Privacy Officer model. For private businesses, a PIA is the single best tool to show you took reasonable steps to comply with the Privacy Act 2020 if something later goes wrong.

What does a proper PIA cover?

A useful PIA goes well beyond a compliance checklist. It maps the information flows, tests the project against each of the 13 Information Privacy Principles, assesses the risks to individuals, identifies mitigations, and records the decisions made. It should also cover Te Tiriti and Māori data considerations where relevant. The output should be a document you can hand to the Privacy Commissioner and say: here is how we thought about this. A rushed tick-box PIA is often worse than no PIA at all.

Should we do the PIA in-house or bring in an external lawyer?

Simple, low-risk projects can often be handled internally using a PIA template. For anything involving biometrics, AI, cross-border transfer, sensitive data or public sector partners, an external privacy lawyer adds independence and defensibility. I typically work alongside your team, so you keep ownership of the project, but you have a senior privacy voice challenging assumptions and drafting the final document.

The Manage My Health inquiry: what every New Zealand organisation should take from it

May 27
7 min read

On 1 January 2026, Manage My Health Limited told the Office of the Privacy Commissioner that hackers had stolen large amounts of health information from its patient portal. The Commissioner's Phase 1 report, released in May 2026, sets out what went wrong and why.

It is one of the largest known breaches of sensitive personal information in New Zealand's history. It is also one of the more interesting privacy reports the Commissioner has produced, because of what it says about who is responsible when a third party holds your data, what "reasonable security" actually requires, and where the law may be heading.

What stood out

These are the points that struck me most, and a guide to what the rest of this article covers:

Who is responsible when a third party holds the data. The Commissioner found Manage My Health responsible in its own right, because of its direct relationship with patients, rather than only an agent for the GPs and Health NZ.
It reaches well beyond healthcare. The findings apply to any organisation that handles sensitive information or hands it to a third party.
"Reasonable security" is not a low bar. It is measured against how sensitive the information is, and a small provider is not held to a lower standard.
The privacy impact assessments and the contract fell short. The quality of a PIA matters, and the contract was the wrong kind of agreement for the task.
This looks like a turning point. The Commissioner intends to issue compliance notices, and Phase 2 will look well beyond the breach itself.
The law may change. The report recommends making third-party providers directly liable for security, along the lines of the European GDPR.
The human cost was real. Behind the numbers are people whose most sensitive information was exposed.

What happened

The report describes hackers using a patient's stolen but valid login to get into the portal, then exploiting a weakness that let them reach thousands of other accounts and copy files over several days. Multi-factor authentication was available but not required. Manage My Health did not detect the intruders, and only learned of the problem when Health NZ told it the data was being offered for sale.

The Commissioner found that both Manage My Health and Health NZ breached Rule 5 of the Health Information Privacy Code 2020, which requires reasonable security safeguards, and intends to issue both with a compliance notice under section 123 of the Privacy Act 2020. Around 99,416 people were affected, about 91% of them in Northland.

Who is responsible when a third party holds the data?

The most interesting legal question in the report is who legally "held" the information. Under section 11 of the Privacy Act, where a provider holds information on behalf of another organisation, the information is generally treated as held by that organisation, not the provider. So a provider that is only processing data for a client can sit outside direct responsibility.

Manage My Health argued, in effect, that it held the data on behalf of the GPs and Health NZ. The Commissioner did not accept that. The deciding factor was the direct relationship between Manage My Health and the patient: patients self-register, agree to Manage My Health's own terms of use and privacy policy, control their own login, can upload their own records, and decide whether the account stays open. On that basis the Commissioner concluded that Manage My Health held the information in its own right and was directly responsible for its security under Rule 5(1)(a), whatever the source of the data. Even hospital documents, once delivered into a patient's account, were held by Manage My Health, because Health NZ could no longer see or control them.

It is a helpful clarification of how that "holding" test applies to portals and software providers. The Commissioner was also candid that the outcome turned on a close look at how this particular company operates, and that other providers might be treated differently. That is part of the reason the report goes on to recommend changing the law.

It reaches beyond healthcare

IPP5 of the Privacy Act and Rule 5 of the Code are almost identical, and the Commissioner says the findings apply to any organisation that handles sensitive information or engages a third party to handle it. If a provider holds personal information for you, the report is worth a read whether or not you are anywhere near the health sector.

The Commissioner was also clear that this is not a criticism of patient portals. Done well, the report says, they can enhance privacy by giving people better access to and control over their own information.

"Reasonable security" is not a low bar

The report is a useful reminder that "reasonable" security is not the same as basic security. The Commissioner's position is that safeguards must be proportionate to the risk, that the more sensitive the information the stronger the protections expected, and that a small organisation whose business involves high-risk information is not held to a lower standard simply because of its size or because security costs money. As the report puts it, security is a fundamental requirement.

The report also treats security as more than IT settings. It includes organisational controls: due diligence before engaging a provider, fit-for-purpose contracts, governance during a project and after it goes live, risk management, and ongoing testing and review. On governance, the Commissioner noted that the project's steering group included senior leaders but no direct privacy or security representation, which is not what you would expect for a project of that scale and novelty.

The PIAs and the contract fell short

Two findings stood out for me here. The Commissioner reviewed the privacy impact assessments behind the project and described one as "extremely weak". The report says the assessments were generic rather than specific to the actual information flows, did not properly assess how the data would move and be processed, applied some privacy principles incorrectly, and in places repeated the vendor's own assessment. One was finished about a month before the contract was signed and read more like a tick on the sign-off checklist than a tool used to design the project. The Commissioner was careful to say the problem was not the author, but that the work had fallen to someone who had a template and no privacy expertise.

The contract did not fare much better. The Commissioner found it was the wrong kind of agreement: a standard software licence drafted by the vendor, rather than a data-sharing and processing arrangement. It did not clearly describe the information being collected and processed, did not specify the safeguards that would apply, leaned on the vendor's own policies that the vendor could change at will, and contained no incident response or breach notification obligations.

One practical point is worth noting alongside this. Once you commission a test, an assessment or a PIA, you create a record of what you knew and when, and a regulator can later ask to see it. Where that work is genuinely legal advice, it may be possible to protect the candid findings under legal professional privilege, which can make it easier to be honest about weaknesses and then fix them.

Why this one matters

Two things make this report more than a routine breach post-mortem.

First, the Commissioner intends to issue compliance notices to both organisations. Compliance notices have been rare, and on the public record they have gone to public-sector bodies such as the Reserve Bank. A notice to a private company would be a notable step.

Second, this is only Phase 1, and it deals only with the security failure. Phase 2 will look more widely, including whether patients were properly asked to authorise their accounts, whether they were told how the portal would be used, how their information was retained and deleted, and how well the breach was communicated. In other words, a breach can open the door to a much broader look at an organisation's privacy practices.

Where the law may be heading

The report makes two recommendations worth watching. The first is that the Ministry of Health set up a central programme to verify that key health-sector vendors meet relevant security standards, so that organisations are not each left to check the same provider. The second is that the Ministry of Justice amend the Privacy Act so that third-party providers are directly liable for security under IPP5, even when they only process information for someone else. The Commissioner points to Article 32 of the European GDPR as a model, and notes that Australia is considering a similar controller and processor distinction.

If that change happens, the provider that fails would share the legal responsibility, rather than leaving the organisation that engaged it to rely on the contract.

The human cost

It is easy to read a breach like this as a compliance or business issue. The report is a reminder that it happened to people. More than 150 affected people wrote to the Commissioner, and the report records that many described anxiety, stress, embarrassment and anger. Among the experiences it sets out:

one person had stored their entire medical file with Manage My Health when they moved to New Zealand, so the breach exposed every aspect of their health;
Māori correspondents said the loss affected their wider whānau, not only themselves, and had damaged their trust in the health system, with some now more hesitant to seek care;
for several people, the exposure was worsening their PTSD or other conditions;
some feared the disclosure could affect their employment;
many still did not know what had actually been taken, and many had not realised their information was stored in the portal at all.

When security fails, the harm is not abstract. That is the real reason these obligations exist.

A final thought

The Manage My Health inquiry is not a reason to avoid portals or third-party providers. It is a careful look at what goes wrong when an organisation hands sensitive information to a provider and assumes its security is someone else's problem.

If you rely on third-party providers to hold or handle personal information, it is a good prompt to check that your due diligence, your contracts and your governance would stand up to the same questions. I have put together a to help you start.

You can read the Privacy Commissioner's full Phase 1 report here.