New Zealand Privacy Laws — Privacy Act 2020 Access Request Requirements
Last updated: 2026-04-12
New Zealand's privacy framework is governed by the Privacy Act 2020, which replaced the Privacy Act 1993 and came into force on 1 December 2020. The Act applies to all agencies (both public and private sector) that collect, hold, use, or disclose personal information in New Zealand. Unlike some jurisdictions, there is no revenue threshold, company size exemption, or small business carve-out — if your organization handles personal information of New Zealand residents, the Privacy Act applies.
The Act is built on 13 Information Privacy Principles (IPPs) that establish rules for the full lifecycle of personal information, from collection through to access, correction, and disposal.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your organization.
The 13 Information Privacy Principles
The IPPs set out how agencies must handle personal information:
- IPPs 1-4 — Collection: Personal information must be collected directly from the individual concerned (with limited exceptions), for a lawful purpose connected with the agency's function, by means that are lawful and fair, and the individual must be made aware of the collection and its purpose.
- IPPs 5-6 — Storage, access, and correction: Agencies must take reasonable steps to protect personal information from loss, unauthorized access, or misuse. Individuals have the right to access their personal information (IPP 6) and to request correction of inaccurate information.
- IPPs 7-8 — Accuracy and retention: Agencies must take reasonable steps to ensure personal information is accurate before using it, and must not keep personal information for longer than necessary.
- IPPs 9-12 — Use and disclosure: Personal information must only be used and disclosed for the purpose for which it was collected, with specific exceptions for law enforcement, public safety, and other narrowly defined circumstances. Cross-border disclosure is subject to additional requirements under IPP 12.
- IPP 13 — Unique identifiers: Agencies must not assign unique identifiers to individuals unless it is necessary for the agency's functions.
IPP 6 is the principle that underpins access requests. It gives every individual the right to request confirmation of whether an agency holds personal information about them, and if so, to be given access to that information.
Access Request Process
Under IPP 6, individuals have the right to request access to their personal information. The key requirements are:
- 20 working days deadline: Agencies must respond to an access request within 20 working days of receiving it. This is one of the shorter deadlines internationally and allows no standard extension period.
- No fee for individuals: Agencies in the public sector cannot charge for processing access requests. Private-sector agencies may charge a reasonable fee, but the fee must not be used to discourage requests.
- Manner of access: Agencies should provide information in the way the requester prefers, where reasonably practicable. This includes providing copies of documents or making them available for inspection.
- Refusal grounds: Access may be refused in specific circumstances, including where disclosure would endanger the safety of any individual, prejudice the maintenance of the law, breach legal professional privilege, or reveal a trade secret. The Privacy Act lists refusal grounds in detail, and agencies must cite the specific provision relied upon.
- Transfer of requests: If an agency receives a request for information it does not hold but believes another agency holds, it must transfer the request to the other agency promptly and inform the requester.
When an agency refuses access, it must notify the requester of the refusal, the reason, and the requester's right to complain to the Privacy Commissioner.
Mandatory Breach Notification
The Privacy Act 2020 introduced mandatory breach notification for the first time in New Zealand. Since 1 December 2020, agencies must notify the Office of the Privacy Commissioner and affected individuals when a privacy breach has caused serious harm or is likely to do so.
The notification must be made as soon as practicable after the agency becomes aware of the breach. It must include a description of the breach, the information involved, what the agency is doing in response, and what steps affected individuals can take to protect themselves.
Failure to notify a notifiable breach is an interference with privacy and can result in enforcement action by the Privacy Commissioner. The breach notification regime is one of the key improvements the 2020 Act introduced over its predecessor.
The Office of the Privacy Commissioner (OPC)
The Office of the Privacy Commissioner is New Zealand's independent regulator for privacy matters. The Commissioner investigates complaints, publishes guidance and codes of practice, and promotes public awareness of privacy rights.
Under the Privacy Act 2020, the Commissioner's enforcement powers were strengthened compared to the 1993 Act:
- Compliance notices: The Commissioner can issue compliance notices directing agencies to take specific actions to comply with the Act. This was a new power not available under the 1993 Act.
- Access directions: The Commissioner can direct an agency to provide access to personal information where a complaint about a refusal has been upheld.
- Human Rights Review Tribunal: Where the Commissioner's investigation finds an interference with privacy, the matter can be referred to the Human Rights Review Tribunal, which can award damages of up to NZD 350,000 for interference with privacy.
The Commissioner also has the power to publish codes of practice that modify the application of the IPPs for specific industries or types of information. Codes of practice have the force of regulation and create binding obligations on the agencies they cover.
Key Features for Access Request Compliance
- No exemptions by size: All agencies, regardless of size or revenue, must comply with the Privacy Act
- 20 working days: One of the shorter response deadlines internationally
- Broad scope: The right of access applies to all personal information held by the agency, in any format
- Complaint right: Individuals can complain to the Privacy Commissioner at no cost if an agency refuses access or fails to respond within the deadline
- Cross-border application: The Privacy Act can apply to overseas agencies if they carry on business in New Zealand or collect personal information from individuals in New Zealand