Legislation · 3 June 2024 · DEIS Compliance

OPC enforcement trends: what the Privacy Commissioner is focusing on in 2024

The Office of the Privacy Commissioner has signalled increased scrutiny on third-party data collection practices. Here is what that means for your business.


The Office of the Privacy Commissioner (OPC) released its 2023–24 enforcement priorities, and third-party data collection is squarely in the spotlight.

Key focus areas

Third-party collection without notification. The OPC has received a growing number of complaints from individuals who discovered — often by accident — that businesses had run credit checks, vehicle history lookups, or company searches on them without any notification or consent.

Retention beyond purpose. Businesses that store lookup results indefinitely, long after the original purpose has been fulfilled, are also under scrutiny. The Privacy Act requires that personal information is not kept longer than necessary.

Inadequate evidence trails. When the OPC investigates a complaint, it asks for evidence of the consent or notification pathway. Businesses that cannot produce this evidence face enforcement action.

Penalties

The Privacy Act 2020 introduced compliance notices and the power to issue fines of up to $10,000 for individuals and higher amounts for organisations that fail to comply with a compliance notice. While these are not the headline-grabbing fines of the GDPR, they come with reputational damage and the cost of remediation.

What this means for you

If your business accesses any NZ data source — Carjam, PPSR, Companies Office, Centrix, Equifax, or others — you need to demonstrate that each lookup was compliant at the time it was performed. Retrospective consent is not sufficient.

DEIS captures the compliance pathway at the point of lookup, creating an immutable evidence trail that satisfies OPC requirements.
