Comsys Pacific

Privacy Act 2020 IT Checklist

The Privacy Act 2020 (the Act) impacts how New Zealand businesses collect, store, use, and disclose personal information. While Comsys Pacific NZ does not provide legal advice, we understand the IT infrastructure and processes that underpin compliance. This checklist is designed to help procurement, IT, and finance decision-makers review their current systems against key principles of the Act. It focuses on practical IT considerations rather than legal interpretation. Consult your legal counsel for specific advice on your compliance obligations.

Understanding the Privacy Act 2020 for IT

The Privacy Act 2020 introduced significant changes to New Zealand's privacy landscape. For IT departments and procurement teams, this means a renewed focus on data governance, security, and lifecycle management. Key principles, such as accountability, transparency, and data minimisation, have direct implications for system design, data storage solutions, and third-party vendor selection. Proactive measures are essential to mitigate risks and ensure personal information is handled appropriately.

IT Checklist for Privacy Act 2020 Compliance

This checklist provides a framework for evaluating your organisation's IT posture in relation to the Privacy Act 2020. It is not exhaustive and should be used in conjunction with legal advice and internal policy reviews.

Data Collection and Purpose

  • Are IT systems configured to collect only personal information necessary for a lawful purpose?
  • Are individuals informed about the purpose of data collection at the point of collection (e.g., through privacy statements on web forms)?
  • Is there a clear process for reviewing and approving new data collection initiatives from an IT perspective?

Data Storage and Security

  • Are personal information databases and storage solutions adequately secured against unauthorised access, loss, or damage?
  • Do IT systems implement appropriate encryption for data at rest and in transit?
  • Are access controls granular and regularly reviewed, ensuring only authorised personnel can access personal information?
  • Is there a robust backup and recovery strategy in place for all systems holding personal information?
  • Are third-party cloud providers and data centres assessed for their security practices and compliance with NZ privacy standards?

Data Use and Disclosure

  • Are IT systems configured to ensure personal information is used only for the purpose for which it was collected, or a directly related purpose?
  • Are there technical controls to prevent unauthorised disclosure of personal information, both internally and externally?
  • Is personal information anonymised or de-identified where appropriate and technically feasible?
  • Do IT systems facilitate the secure transfer of personal information when disclosure is authorised?

Individual Rights and Data Access

  • Can your IT systems efficiently locate and retrieve all personal information held about an individual for access requests?
  • Are there processes and technical capabilities to amend or correct personal information when requested?
  • Can personal information be securely deleted or destroyed when no longer required, in accordance with retention policies?

Data Breach Management

  • Does your organisation have an IT-specific data breach response plan that aligns with the Act's notification requirements?
  • Are IT systems capable of detecting and logging potential data breaches?
  • Is there a clear process for IT to assess the severity of a breach and its impact on personal information?

Accountability and Governance

  • Are IT staff trained on their responsibilities under the Privacy Act 2020?
  • Are privacy-by-design principles incorporated into the development and procurement of new IT systems and applications?
  • Is there a regular audit schedule for IT systems to assess privacy compliance?

Frequently asked questions

What is the Privacy Act 2020?
The Privacy Act 2020 is New Zealand's primary legislation governing how agencies collect, use, store, and disclose personal information. It replaced the 1993 Act and introduced new obligations, including mandatory data breach notifications and extraterritorial effect. This is general information only — consult your lawyer for advice specific to your situation.

Does Comsys provide legal advice on the Privacy Act?
No, Comsys Pacific NZ does not provide legal advice. Our expertise is in IT hardware, software, and services. We can help you implement technical solutions that support your compliance efforts, but you should always consult a legal professional for specific guidance on the Privacy Act 2020.

What are 'privacy-by-design' principles in IT?
Privacy-by-design involves integrating privacy considerations into the design and architecture of IT systems and business practices from the outset. This means building in data protection measures, such as data minimisation and security, as default settings, rather than adding them as an afterthought.

How does the Act affect data stored offshore?
The Privacy Act 2020 has extraterritorial effect, meaning it can apply to organisations outside New Zealand that handle personal information collected in NZ. If you transfer data offshore, you must ensure the recipient protects it to a standard comparable to that required by the Act. This is general information only — consult your lawyer for advice specific to your situation.

What is a 'privacy breach' under the Act?
A privacy breach occurs when personal information is accessed without authorisation, or is lost or altered in a way that is likely to cause serious harm to an individual. The Act requires agencies to notify the Privacy Commissioner and affected individuals of such breaches. This is general information only — consult your lawyer for advice specific to your situation.

Can Comsys help with secure data storage solutions?
Yes, Comsys Pacific NZ supplies a range of secure data storage solutions, including on-premise servers, network-attached storage (NAS), and cloud storage options. We can help you evaluate solutions that meet your security and compliance requirements for protecting personal information.

Talk to Comsys About Your IT Requirements

Navigating the IT aspects of the Privacy Act 2020 can be complex. Comsys Pacific NZ supplies a wide range of hardware, software, and services that can support your organisation's compliance efforts. From secure storage solutions to data management platforms and cybersecurity tools, our team can help you identify and implement the right technology. Contact us to discuss your specific IT needs and how we can assist. We can help you request a quote for suitable solutions.
