Understanding New Zealand Privacy Requirements
The Privacy Act 2020 applies broadly to any agency handling personal information in New Zealand — covering government, private sector, and not-for-profits regardless of size. There's no turnover threshold like Australia's $3 million rule.
Privacy Act 2020
The Privacy Act 2020 replaced the Privacy Act 1993 and modernised New Zealand's privacy framework with stronger protections and enforcement.
- 13 Information Privacy Principles (IPPs) — governing collection, storage, use, disclosure, access, and correction of personal information
- Mandatory breach notification — notify the Privacy Commissioner and affected individuals within 72 hours of breaches likely to cause serious harm
- Extraterritorial reach — applies to any organisation doing business in New Zealand, regardless of where they're based
- Oversight by the Office of the Privacy Commissioner (OPC), with binding codes of practice for specific sectors
Privacy Impact Assessments in New Zealand
PIAs are not strictly mandatory, but the OPC strongly recommends them for any project involving personal information, and expects them for biometrics and AI projects.
The OPC provides a PIA toolkit including:
- A step-by-step guide to completing a PIA
- A brief privacy analysis template (threshold assessment)
- A risk and mitigation framework mapped to the IPPs
Government agencies are expected to conduct PIAs as standard practice under Digital Government standards.
Health Information Privacy Code 2020
Organisations handling health information are subject to the Health Information Privacy Code, which modifies certain IPPs for the health sector.
The code is similar in concept to Australia's treatment of health information as sensitive information, but it is implemented through a binding code of practice rather than the Act itself.
Applies to health agencies, disability services, aged care providers, and any organisation collecting or holding health information about identifiable individuals.
How PIMS Supports New Zealand Organisations
Whether you're a government agency, a healthcare provider, a private business, or a not-for-profit operating in New Zealand, PIMS provides the tools to manage privacy compliance.
Run Your Privacy Program
Establish and manage your organisation's privacy program from a single hub.
Regulatory Framework Configuration
Select New Zealand and PIMS identifies the Privacy Act 2020 and NZ Information Privacy Principles as applicable. Organisations operating across both NZ and Australia can configure both jurisdictions.
Program Overview
Your privacy program summary, contacts, key dates, and compliance posture in one place.
Data Breach Reporting
Document your breach response process with links to OPC guidance and the NotifyUs breach reporting tool.
Policies and Procedures
Centralise your privacy governance documents.
Train Your Staff on NZ Privacy Law
Interactive training modules covering NZ privacy obligations.
Interactive Training Modules
Covers the Privacy Act 2020 and the 13 Information Privacy Principles.
NZ-Specific Content
IPPs explained in plain language with practical examples relevant to New Zealand organisations.
Breach Notification Training
What constitutes a notifiable breach, the 72-hour notification requirement, and how to assess whether a breach could cause serious harm.
Cross-Tasman Coverage
If your organisation operates in both NZ and Australia, training covers both jurisdictions with content filtered to what's relevant.
Assess Privacy Risks
Structured workflows to conduct, track, and approve Privacy Impact Assessments.
PIA Templates Aligned to NZ IPPs
Customisable templates that guide assessors through the principles relevant to their project.
Threshold Assessment
Determine whether a full PIA is needed, aligned with the OPC's brief privacy analysis approach.
Simple or Tiered Workflows
Straightforward assessments for routine projects, more detailed assessments for complex or high-risk initiatives.
Risk Register
Identify, score, and track privacy risks with treatment plans and action items.
Map Your Data
Understand what personal information you hold, where it lives, and how it flows.
Information Asset Register
Catalogue systems processing personal information.
Data Dictionary
Classify the personal information elements your organisation handles.
Personal Information Maps
Visualise data flows between systems.
Report and Demonstrate Compliance
Generate evidence your privacy program is working — for regulators, boards, and auditors.
Stakeholder Reports
Tailored views for privacy officers, executives, and auditors.
Dashboards
PIA status, risk posture, and compliance metrics at a glance.
Complete Audit Trail
Every action logged, ready for OPC review or internal audit.
Operating Across the Tasman?
Many organisations operate in both New Zealand and Australia. The privacy frameworks are similar — both have principle-based approaches with 13 principles each — but they differ in detail, enforcement, and application.
PIMS is built for this. Configure both countries in your regulatory framework and PIMS automatically identifies all applicable legislation — the NZ Privacy Act 2020, the Australian Privacy Act 1988, relevant state and territory Acts, and associated privacy principles. Training content covers both jurisdictions. PIAs can be aligned to whichever framework applies to the specific initiative.
Key Differences Between NZ and Australian Privacy Law
| Aspect | New Zealand | Australia |
|---|---|---|
| Coverage | All agencies regardless of size | $3M turnover threshold for private sector |
| Breach notification | 72 hours | 30 days for assessment |
| Principles | 13 NZ IPPs | 13 APPs (different structure) |
| Enforcement | No direct fines; refers to Human Rights Review Tribunal | Civil penalties up to $50M |
| Health information | Health Information Privacy Code | Sensitive information within Privacy Act |
Who Uses PIMS in New Zealand?
PIMS serves organisations operating in New Zealand — locally headquartered or international businesses with NZ operations.
- Government Agencies
- Healthcare Providers
- District Health / Health NZ
- Not-for-Profits
- Education
- Financial Services
- Private Sector
- Trans-Tasman Businesses
- International Companies Operating in NZ
NZ Privacy Compliance Checklist
Is your organisation meeting its obligations under the Privacy Act 2020?
PIMS helps you manage every item on this list. Configure your privacy program, train your staff, conduct PIAs, and maintain audit-ready records — all in one platform.
Ready to Strengthen Your Privacy Compliance?
See how PIMS can help your New Zealand organisation manage privacy obligations under the Privacy Act 2020 — whether you operate locally or across the Tasman.
