Privacy Act 2020 Review: Impacts on Credit and Vehicle Check Businesses

Privacy Act 2020 Review in New Zealand: Affecting Businesses Running Credit and Vehicle Checks

The upcoming amendments to the Privacy Act 2020, set to take effect on May 1, 2026, will significantly impact businesses handling personal data, particularly those processing credit and vehicle check applications. These changes are part of a broader review aimed at enhancing privacy protections in New Zealand.

Key Takeaways

• New Requirement for Biometric Data Processing: Any historical biometric processing activities must be compliant with the Code from August 3, 2026.
• Information Privacy Principle 3A (IPP3A) Effective May 1, 2026: Businesses handling personal data will need to notify individuals when their personal data is collected indirectly through third parties, effective May 1, 2026.
• Retention of Adequacy Status: The amendment also includes measures to retain New Zealand’s adequacy status with the EU, ensuring privacy standards are maintained into the future.

Compliance and Business Implications

Understanding IPP3A: Notifying for Indirect Collection

Information Privacy Principle 3A (IPP3A) requires organisations to notify individuals when their personal data is collected indirectly. For example, if a business collects information about an individual through another party rather than directly from the individual themselves.

Example: A car dealership might use third-party agencies to gather driving history or credit reports for vehicle checks. Under IPP3A, this process must be transparent and require notification of secondary collection activities. Businesses will need to carefully review their existing data collection processes, including agreements with third parties, to ensure compliance by May 1st.

Historical Biometric Data Compliance

The grace period for historical biometric processing ends on August 3, 2026. This means any past or ongoing use of biometric information must adhere to the new principles and regulations put in place. Failure to comply could result in serious legal repercussions including fines and other penalties.

Retention and Future ADEQUACY

The amendment also aims to maintain New Zealand's adequacy status with the EU, a key factor for international businesses operating within these jurisdictions. Ensuring compliance not only protects individual privacy rights but also safeguards business operations by minimizing operational disruptions or financial losses resulting from regulatory non-compliance.

Conclusion

With the impending May 1st deadline and the August 3rd grace period ending, it is critical for businesses running credit and vehicle checks to proactively review their data collection practices. Ensuring transparency and compliance with IPP3A will not only help prevent legal issues but also maintain a positive reputation among consumers.

Businesses should consider engaging privacy experts or consultants to provide guidance on the new requirements and ensure they are prepared for these changes, thereby avoiding potential conflicts and fostering trust in customer relationships.