Source:
Our website uses cookies so we can analyse our site usage and give you the best experience. Click “Accept” if you’re happy with this, or click “More” for information about cookies on our site, how to opt out, and how to disable cookies altogether.
Source:
Privacy Week 2025 is a series of free webinars promoting privacy awareness. Our 2025 theme is “Privacy on Purpose”, which invites speakers to present on the need for businesses, organisations, and individuals to be purposeful with their privacy. Doing privacy well is a business advantage, not just a tick-box exercise.
Section 21c of the Privacy Act 2020 requires the Commissioner to take account of cultural perspectives on privacy – a somewhat unusual feature in the global context of data privacy regulation. In this webinar we discuss how this requirement might be more effectively leveraged to create a privacy regime that is more fit-for-purpose for Māori, and indeed for all New Zealanders. We discuss recent research on Māori data privacy, the potential for a long overdue Māori data code, and use case examples where Māori privacy considerations are put into practice to create better outcomes.- Local Govt privacy breaches (and things to avoid!)
– Interplay between the Privacy Act and other legislation e.g. LGOIMA
– Tips for protecting the privacy of individuals
– Common issues faced by elected members
– How Council officers can do privacy wellRebecca Hawkins, member of the Children’s Working Group of the Privacy Foundation NZ
| Webinar time | Topic | Description | Speaker(s) |
|
9am – 10am |
Hear from John Edwards, UK Information Commissioner |
Join former Privacy Commissioner John Edwards, live from the UK, as he talks about his experience as their Information Commissioner. He’ll share his observations on, and comparisons between, UK and New Zealand privacy approaches – including those created by the different legislative frameworks. He’ll also answer any questions people have or you can send those in ahead of time to privacyweek@privacy.org.nz Register for this webinar. |
John Edwards, UK Information Commissioner |
|
12pm – 1pm |
Privacy Officers Role: Getting Ahead of Risks Before They Become Breaches |
BEGINNER, INTERMEDIATE Join Marcin and Laura for a practical session focused on strengthening your organisation’s approach to privacy, rooted in a thorough understanding of risks and applying targeted mitigation strategies. We’ll explore what purposeful privacy management looks like – from data-mapping and understanding the personal information you hold and use, to identifying risks, and responding effectively when things go wrong. Register for this webinar. |
Dr Marcin Betkier, AI governance and privacy expert Laura Rodriguez, Privacy Professional and Senior Compliance Officer |
|
1.30pm – 2.30pm |
Where is the line of creepy? |
BEGINNER Your data is collected in many places and by many different agencies. What are you happy with them doing with your data? your children’s data? your community’s data? When is it that things can start to feel a bit creepy? The Privacy Act describes what we can do, legally, with personal information. But just because we can do something – should we do it? With the lived wisdom of people from different communities, we will explore the human side of personal data collection and use. How do our worldviews shape how we see our data? What harm can occur from legal data use with good intentions? Where do our individual lines of creepy lie? And what can we do when faced with the question: “should we”? Register for this webinar. |
The Centre for Data Ethics and Innovation – with Friends |
|
3pm – 4pm |
Answering your questions about Māori data sovereignty |
Join Chris Cormack and Ernestynne Walsh as they address a number of questions they received from their webinar in Privacy Week 2024 “Myth: Māori data sovereignty is too hard.” Register for this webinar. |
Ernestynne Walsh, Māori data service lead at Nicholson Consulting Chris Cormack, Kaihuawaere Matihiko at Catalyst IT |
During May each year we run Privacy Week, a series of free webinars that promote privacy awareness regardless of how much you already know. Contact us at privacyweek@privacy.org.nz
Privacy Week is held in conjunction with Privacy Awareness Week, an initiative by the Asia Pacific Privacy Authorities (APPA) network. Find out more about APPA and Privacy Awareness Week.
These presentations are brought to you for Privacy Week, an initiative supported by the Privacy Commissioner to promote the discussion of privacy. Each presentation is independent of the Privacy Commissioner and the views expressed are personal to the speakers. As the regulator, the Privacy Commissioner may have different views to those expressed in this presentation.
Source:
If you have any particular scenarios you want us to consider in our guidance let us know. You can send these to guidance@privacy.org.nz
Information updated 3 April 2025.
Source:
State houses at Arapuni Hydro Works from Archives NZ record number A1124
The guidance below is for tenants, landlords, and others in the rental accommodation sector to clarify what information may be requested at every stage of the rental process.
We have also launched a new monitoring and compliance programme to ensure that rental agencies and landlords stay on the right side of the Privacy Act.
If you have enquiries about the Privacy Act and rentals please email our Compliance Team.
We’ve also included questions for tenants and landlords in our Ask Us database.
Source:
The Privacy Commissioner has today announced his intention to issue a Biometrics Code.
He is releasing the Biometric Processing Privacy Code for consultation and is calling for submissions on the draft Code from the public and any agencies it would apply to.
“The Code will help agencies implement the technology, while giving people confidence it’s being done safely and fairly”, Privacy Commissioner Michael Webster says.
“New Zealand doesn’t currently have special rules for biometrics. The Privacy Act regulates the use of personal information in New Zealand, including biometric information, but biometrics needs special protections especially in specific circumstances.”
Biometric processing is the use of technologies, like facial recognition technology, to collect and process people’s biometric information to identify them or learn more about them.
A Biometrics Code would modify some of the principles in the Privacy Act and create more specific privacy rules for agencies using biometric technologies to collect and process biometric information.
The major additional rules in the Code are:
Mr Webster said that earlier in 2024, OPC had consulted on an exposure draft version of a Biometrics Code.
“We consulted on these draft rules and that showed we have broad support for these proposals, but also that some changes were needed, which we have made”.
The Code has been simplified to improve understanding of what processes were included and excluded and some rules, like the notice requirements, have been clarified.
The restrictions on using biometrics (fair use limits) are now targeted to the most intrusive and highest risk uses. We’ve also added a new requirement for organisations to tell people where they can find a rundown of their assessment of the pros and cons of using biometrics, where they’ve made this public.
Other changes included increasing the commencement period from 6 months to 9 months for organisations already using biometrics and adding a new provision to allow for a trial for organisations to assess biometric processing.
Draft guidance material has been developed to help organisations know what the rules are and explain how to comply with the Code. We are releasing this draft guidance alongside the Code consultation and also want people’s feedback on that.
“The feedback we’ve gained, and our own analysis has helped us to develop a code that will help ensure biometric technologies are used safely and fairly. But it’s important to get this right, so people have the chance to provide feedback through a public consultation to March 2025.
The Code is expected to come in force in 2025.
Source:
This issue includes a note that the Biometric Code consultation has now closed, and that the final version of the Code will likely be published mid-2025. It also includes policy advice for government agencies, Kordia research and what OPC said about that, the Global Privacy Assembly’s new comparison tables, and the delay of the UK’s adequacy review. We also announce a special guest for Privacy Week 2025.
Read the March 2025 issue.
Source:
New research just out from Kordia shows 35% of business leaders said cyber-attacks or data leaks coming through third-party suppliers were their biggest business concern.
Privacy Commissioner Michael Webster says, “The law is very clear that when an agency outsources services to a third-party provider, the agency remains responsible for ensuring the data remains secure and used in a way that is compliant with the Privacy Act.
“At the end of the day, if your third-party provider has a privacy breach, it’s your problem as well,” he said.
Mr Webster says OPC isn’t alone in emphasising that privacy and security considerations need to be at the fore when using third-party providers.
“Kordia’s research backs up what we’ve long said; that businesses need to factor third parties into business continuity and cyber-response plans.
“It’s clear that more consideration needs to be given to these privacy issues and it’s not a case of out of sight out of mind and thinking a third-party provider has everything covered.
“You can’t outsource the responsibility of taking care of personal information.”
Mr Webster, says it’s not just an issue for the private sector, with the recent PSC Inquiry and the Stats NZ report raising privacy issues linked to the use of third parties.
This research is yet more evidence that agencies need to pay more attention to privacy and cyber security risks when using third party providers and to make sure there’s a plan in place should that provider suffer a privacy or cyber breach.
The Office of the Privacy Commissioner has recently issued guidance to help agencies working with third-party providers understand their responsibilities in this area. It takes businesses through all the considerations they should make before engaging a third-party provider.
Source:
The February 2025 issue of Privacy News includes a reminder about giving feedback on the Biometrics Code, a piece about the Public Services Commission and Stats NZ reports, how to apply to speak in Privacy Week 2025, and new guidance for tenants and landlords on our website. You can also read about the EU Guidelines and task force on AI, and a note about privacy.org.nz being updated.
Read the February 2025 issue.
Source:
Today’s release of two reports into the protection of personal information show agencies must be better at privacy, says Privacy Commissioner Michael Webster.
The Inquiry into how government agencies protected personal information for the 2023 Census and COVID-19 vaccination programme (the PSC Inquiry) and the Independent investigation and assurance review of allegations of misuse of 2023 Census information (the Stats NZ report), show the protection of personal information needs to be treated as a priority.
Several matters have now been referred to the Office of the Privacy Commissioner (these are detailed below).
Privacy Commissioner Michael Webster said he is carefully reviewing the referrals raised in the two reports. That work will be done in the context of the Privacy Act and the need to ensure individuals’ rights to privacy is protected and respected.
“New Zealanders need to be confident that when they do activities, like filling in their Census form, or giving over information for medical services, that their information is collected, used, and shared as the law outlines it should be,” says Mr Webster.
“The Privacy Act is very clear that agencies collecting personal information need to keep it safe and treat it with care. This responsibility extends to the use of third-party service providers.
Agencies need to be confident that personal information is protected wherever and whatever organisation is handling it.”
The Office of the Privacy Commissioner has recently issued guidance to help agencies working with third-party providers understand their responsibilities.
Mr Webster said he was encouraged to see that work on a new information sharing standard is underway, supporting the information stewardship framework at the core of the Privacy Act.
“Its important people can trust that their information is treated with care. In our 2024 Privacy Survey the percentage of people who said they are “more concerned” about privacy issues over the last few years has increased to 55%, a 14% increase from two years ago. New Zealanders were clear in their response to these concerns:
“Good privacy is an essential part of providing services and doing business in a digital economy. Today’s findings should be a reminder to government organisations that good privacy practices aren’t an optional extra but are fundamental to the work they do,” says the Commissioner.
A number of questions have now been referred to the Privacy Commissioner by the PSC Inquiry:
A further matter has been referred to the Privacy Commissioner by the Stats NZ report about the collection and management of personal information and confidential census data.
While the review of the referrals takes place, the Office will not be making any further comment.
Source:
The hunt to land a flat over summer shouldn’t come at the expense of people’s privacy rights, warns Privacy Commissioner Michael Webster.
“There’s often a lot of pressure on people, especially students, to find a flat quickly, which risks privacy shortcuts being taken and that can put both tenants and landlords at risk.
Tenants should be aware they have privacy rights when applying for a flat and that landlords have obligations under the Privacy Act, Mr Webster says.
“Tenants are often desperate to find a flat, so they might disclose a whole lot of personal information that isn’t legally required. Essentially, they’re giving others power over their own details and that isn’t a great strategy.”
The desire to get a tenant quickly could also lead some landlords to take privacy shortcuts, which puts people at risk.
“The majority of landlords care about their tenants’ privacy, but there can be a lot of factors to weigh up when considering applications and it can be tempting to over collect personal information and to get details that aren’t legally allowed. It can also mean they can end up with a large amount of information with no way to manage or store it safely.
“Landlords need to know what information they can legally collect, and when. They also need to make sure personal information collected during the rental application process is kept secure and is not disclosed without authorisation.”
“Personal information has value and is protected under the Privacy Act at all stages of the rental process. It’s important shortcuts aren’t taken to fill a flat and that only the necessary personal information is supplied and only when its needed.”
Personal characteristics, including relationship status, age, gender identity and employment status are protected under the Human Rights Act. Things like spending habits, experience of family violence, employment history and social media URLS are protected under other Acts.
To help educate landlords and tenants OPC had updated its guidance for the rental sector to help make sure that privacy is respected throughout the application process.
Read our updated privacy guidance for tenants and landlords.