New Zealand Privacy Act

The key legislation in New Zealand governing privacy and data protection is the Privacy Act 2020 (“Privacy Act”), which became effective on December 1, 2020.


The Privacy Act applies to “agencies” within New Zealand, and governs how agencies collect, store, use, and share personal data. Per section 4 of the Act, “agency” includes a New Zealand agency, an overseas agency in respect of actions taken while carrying on business in New Zealand, and most public and private sector New Zealand organizations, regardless of where the personal data is collected, held, or located. The Privacy Act does not use the terms “data controller” or “data processor.” 

The Privacy Act aims to promote and protect individual privacy by (1) providing a framework for protecting an individual’s right to privacy of personal data, and (2) giving effect to internationally recognized privacy obligations and standards.  

Information Privacy Principles and Codes of Practice

The Privacy Act has 13 information privacy principles and codes of practice (“IPPs”) that govern how agencies should collect, handle, and use personal data. The IPPs apply to the processing of personal information from start to finish, and establish standards for the collection, use, disclosure, quality, and security of personal information. The IPPs can be summarized by the following main categories of obligations:

Collection - Agencies may only collect information if the information is collected for a lawful purpose and connected with a function or an activity of the agency, and the collection of the information is necessary for that purpose. Additionally, collection must occur directly from the data subject, subject to listed exceptions.  

Use and Disclosure of Personal Data - Agencies may only use and disclose personal data with consent and generally for the purpose for which the information was collected. 

Protection and Security of Personal Data - Agencies must ensure that the personal data they collect is protected by reasonable security safeguards to protect against loss, access, use, modification, disclosure, and other misuse. 

Data Subject’s Rights - Agencies must comply with, and respond to, an individual’s requests for access to, and rectification of, personal data. Additionally, agencies must maintain personal data in such a way that the agency can confirm the existence of, correct, or provide access to the information on the request of the data subject. 

Proofpoint’s Data Privacy and Security Practices 

Proofpoint retains very few data elements that fall into the category of personal data, most of which relate to threat actors. Such data elements are only used for the purpose set forth in our customer agreements – to provide and improve Proofpoint products and services. Additionally, Proofpoint maintains a documented information security program that aligns with the requirements of NIST 800-53 and ISO 27001 and that describes which technical and administrative security controls are implemented to protect personal data. 

The Proofpoint Trust site, which is accessible at:, is a resource intended to assist with our customers’ due diligence processes and to provide additional information related to data privacy and security.

© 2024. All rights reserved. The content on this site is intended for informational purposes only.
Last updated May 15, 2024.
