Compliance · 9 February 2026 · DEIS Compliance

AI and privacy: what NZ businesses need to know about using AI with personal data

Using AI to process personal information from third-party sources creates unique privacy challenges. Here is the current legal position.

AI · automated decisions · transparency

Artificial intelligence is increasingly being used by NZ businesses to process personal information — from automated credit scoring to AI-driven fraud detection. When that personal information comes from third-party sources, the intersection of AI and privacy law creates new compliance challenges.

IPP3A and AI

If your AI system processes personal information collected from a third-party source, IPP3A still applies. The fact that the processing is automated does not remove the notification obligation. In fact, it may strengthen it — the OPC has indicated that automated processing of personal information warrants more transparency, not less.

Transparency obligations

When an AI system makes decisions that affect individuals based on third-party data, best practice (and likely future law) requires:

  • Informing the individual that their data was collected from a third party.
  • Informing them that the data was processed by an AI system.
  • Explaining the general logic of the AI system.
  • Providing a mechanism to challenge the decision.

Current law vs future law

The Privacy Act 2020 does not specifically regulate AI. However, the existing principles — particularly IPP3A (notification), IPP6 (access), and IPP8 (accuracy) — apply to AI systems that process personal information. The 2026 review is expected to introduce AI-specific provisions.

DEIS and AI

DEIS allows you to tag lookups that are processed by AI systems, creating a specific compliance record that demonstrates transparency. As the law evolves, DEIS will add AI-specific compliance pathways.
