Articles
Employee Privacy Across the Tasman
Privacy law in Australia and New Zealand both aim to protect individuals’ rights over their personal information, but the way each country defines and regulates that information reveals some important differences, especially when it comes to how employee personal information is treated.
The Hidden Privacy Risks of Technology Pilots
Piloting new technology is exciting. It’s a chance to explore innovation, test ideas quickly, and see how emerging tools might transform the way we work. Whether it’s an AI solution, a new analytics platform, or a digital service prototype, pilots feel like safe spaces to experiment. But there’s a growing issue that’s easy to overlook in the rush to innovate: privacy.
Why Proportionality Matters
In an age where cameras are everywhere, from shop ceilings to street corners, the question isn’t whether we can watch, but whether we should and to what extent.
Privacy is Not Just Security
The terms privacy and security are often spoken in the same breath, sometimes even as if they mean the same thing. Yet while they are deeply connected, they are not identical. Understanding the distinction between them is essential for any organisation that handles personal information in today’s digital environment.
Privacy Breach vs Breach of the Privacy Act
When something goes wrong with personal information, two phrases get tossed around a lot: privacy breach and breach of the Privacy Act. They sound similar, and they often get blurred together in day-to-day conversations. But they mean very different things, and confusing them can lead to the wrong response by an organisation.
The Loneliness of Being the Only Privacy Person
In many organisations, the responsibility for privacy rests with just one person. That single privacy person is expected to be the responder to breaches, the handler of privacy requests, the privacy by design specialist, the reviewer of vendor arrangements and the trainer of staff, all at once. It’s a role that sits at the heart of trust and compliance, but it is also one that can feel incredibly lonely.
When Machines Decide
Australia has introduced new transparency rules for organisations that rely on Automated Decision Making (ADM) technologies. From 10 December 2026, the Privacy Act will require organisations to explain their use of ADM when those decisions significantly affect the rights and interests of an individual.
When Police Come Knocking
It’s a scenario that makes many organisations pause: the police call, email or turn up asking for personal information. There’s a strong instinct to help; however, there’s the requirement to protect the privacy of the people whose information you hold.
IPP 3A Clears Third Reading: The Time to Act is Now
Last week Parliament passed the Privacy Amendment Bill through its third reading, confirming the introduction of a new Information Privacy Principle IPP 3A focused on indirect collection. This isn’t a change that can be left until the week before commencement. The work must start now.
The Privacy Act: No Free Pass for Charities and Societies
When most people think about the Privacy Act 2020, they picture government agencies and big corporates. But here’s the truth: it applies just as much to your local sports club, a neighbourhood charity, or a professional society as it does to corporates. Being a not-for-profit doesn’t mean you’re exempt.
The Pitfall of Cataloguing Without Context
In the rush to show progress on privacy, many organisations begin by building data catalogues of personal information. They invest in tools, run workshops, and inventory every system, every database, every field. On the surface, this feels like progress: “we’ve mapped our personal information.” But the truth is, without context, cataloguing is a dead end.
When does the GDPR actually apply to New Zealand companies?
In conversations with New Zealand organisations about their privacy programme, one theme comes up again and again: “We’re using a processor in Europe, so the GDPR must apply to us.” Simply using an EU-based processor does not mean that GDPR applies unless other conditions are met.
Privacy Policy vs. Privacy Statement - Why the Difference Matters in NZ
Scroll through many organisations’ websites in New Zealand and you’ll find a link to something called a “Privacy Policy.” Nine times out of ten, though, the content isn’t a policy at all; it’s a privacy statement. And while the difference might seem like splitting hairs, in practice it reveals a lot about how seriously an organisation takes privacy and the level of privacy maturity.
Knowing Your Customer: Getting It Right at Sign-Up
When a customer signs up for a service, the focus is often on speed and convenience. Seamless onboarding is seen as the gold standard. Yet, in that very moment, one of the most important privacy decisions is made: do you actually know who this person is?
Anonymisation and Pseudonymisation: Are They The Same?
When organisations in New Zealand talk about personal information, two words often surface: anonymisation and pseudonymisation. They are often used interchangeably but the difference between them is more than semantics. It defines whether the Privacy Act 2020 applies and how much risk individuals are exposed to.
Facial Recognition in New Zealand Retail: Innovation and Trust
Walk into a New Zealand supermarket today and it’s no longer unusual to see CCTV cameras silently watching over the aisles. Increasingly though, those cameras aren’t just recording, they may also be recognising individuals. Facial recognition technology (FRT) is shifting from futuristic possibility to everyday reality in retail.
Biometric Time and Attendance Systems: Useful… but Risky
Biometric time and attendance systems that rely on fingerprints, facial scans, or voice prints promise fewer “buddy punches” and more accurate payroll. But the very systems that make this possible handle some of the most sensitive information an organisation can collect about its staff.
Personal Information and PII are Interchangeable, Right?
When people talk about privacy, they often fall back on the term PII (Personally Identifiable Information) instead of “personal information.” At first glance it might seem harmless, even interchangeable. But in reality, it’s a tell-tale sign of low privacy knowledge and maturity within an organisation. It says: we haven’t really stopped to think about the privacy laws in New Zealand.
The Biometric Code is Out!! – Is Your Organisation Ready?
The Biometric Processing Privacy Code has now been issued. It will come into force in two tranches:
3 November 2025 – for biometric processing that starts after 3 November 2025
3 August 2026 – for biometric processing already in use on or before 3 November 2025
"But I Outsourced That!" – Why You’re Still on The Hook Under The Privacy Act
Think outsourcing means you’ve handed over the responsibility for personal information? Think again.
Under the Privacy Act, even if you outsource operations to a third party, your organisation remains accountable for the personal information they access and manage on your behalf.