Articles
Knowing Your Customer: Getting It Right at Sign-Up
When a customer signs up for a service, the focus is often on speed and convenience. Seamless onboarding is seen as the gold standard. Yet, in that very moment, one of the most important privacy decisions is made: do you actually know who this person is?
Anonymisation and Pseudonymisation: Are They The Same?
When organisations in New Zealand talk about personal information, two words often surface: anonymisation and pseudonymisation. They are often used interchangeably but the difference between them is more than semantics. It defines whether the Privacy Act 2020 applies and how much risk individuals are exposed to.
Facial Recognition in New Zealand Retail: Innovation and Trust
Walk into a New Zealand supermarket today and it’s no longer unusual to see CCTV cameras silently watching over the aisles. Increasingly, though, those cameras aren’t just recording; they may also be recognising individuals. Facial recognition technology (FRT) is shifting from futuristic possibility to everyday reality in retail.
Biometric Time and Attendance Systems: Useful… but Risky
Biometric time and attendance systems that rely on fingerprints, facial scans, or voice prints promise fewer “buddy punches” and more accurate payroll. But the very systems that make this possible handle some of the most sensitive information an organisation can collect about its staff.
Personal Information and PII are Interchangeable Right?
When people talk about privacy, they often fall back on the term PII (Personally Identifiable Information) instead of “personal information.” At first glance it might seem harmless, even interchangeable. But in reality, it’s a tell-tale sign of low privacy knowledge and maturity within an organisation. It says: we haven’t really stopped to think about the privacy laws in New Zealand.
The Biometric Code is Out!! – Is Your Organisation Ready?
The Biometric Processing Privacy Code has now been issued. It will come into force in two tranches:
3 November 2025 – for biometric processing that starts after 3 November 2025
3 August 2026 – for biometric processing already in use on or before 3 November 2025
"But I Outsourced That!" – Why You’re Still on The Hook Under The Privacy Act
Think outsourcing means you’ve handed over the responsibility for personal information? Think again.
Under the Privacy Act, even if you outsource operations to a third party, your organisation remains accountable for the personal information they access and manage on your behalf.
Are They a Controller or a Processor?
Understanding the relationship between the parties is especially important when it comes to indirect collection — that is, receiving personal information from a third party rather than directly from the individual.
Cookies: What the UK’s New DUAA Means for Overseas Businesses
The UK Data (Use and Access) Act — DUAA for short — has passed into law, and it’s set to shake up how websites serving UK residents (including NZ businesses targeting UK audiences) deal with cookies.
Is It Fraud, Or Is It A Privacy Breach?
In reality, it’s often both, and recognising the overlap is critical for organisations seeking to comply with the Privacy Act and maintain trust. There’s a strong and sometimes overlooked intersection between fraud and privacy breaches.
Who Should Be Your Privacy Officer?
Did you know that every organisation in New Zealand is required by law to have a Privacy Officer? That includes businesses of all sizes, public agencies, and not-for-profits — no one is exempt.
Smile For The Camera — But Only With Informed Consent
It’s common practice for employers to take photos of staff during the course of their employment. These photos may be used for training materials, internal communications, team events, or external promotion such as recruitment campaigns and marketing content.
Put Yourself In The Individual’s Shoes
When a privacy breach occurs, organisations often consider the impacts on themselves rather than on the impacted individuals. They assess the reputational risks around notification, compliance obligations and legal liability. But what can easily get lost in the noise is consideration for the individuals involved and the harm that has occurred or may occur to them.
Are You Tracking Your Website Users?
It is common for organisations to utilise many tracking technologies on their websites to monitor performance, identify user experience issues and market to individuals.
The legislative requirements for providing notice and seeking consent for tracking technologies vary.
Employee Browsing: Curiosity Isn’t Always Harmless
Employee browsing, or the unauthorised access and misuse of personal information, is one of the most common privacy breaches according to the Privacy Commissioner. Whether it’s curiosity, misplaced helpfulness, or something more malicious, unauthorised access to personal information continues to crop up in headlines.
Do You Know What Information You’re Collecting Indirectly?
Most organisations typically have some insight into what information they collect indirectly from large organisations but not a full picture.