AI systems aligned to the Privacy Act 2020 before the Privacy Commissioner asks.
We help New Zealand organisations interpret the 13 Information Privacy Principles for AI systems, conduct Privacy Impact Assessments, and implement data-handling procedures that satisfy the Privacy Commissioner and protect customers.
The Privacy Act applies to AI. It was not written for it.
Your AI systems collect, process, and make decisions using personal information. The Privacy Act 2020 does not mention AI. You are interpreting 13 information privacy principles for technology that did not exist when the legislation was drafted, while the Privacy Commissioner actively monitors AI practices.
- 01 No AI-specific regulation
General guidance, specific exposure.
The Privacy Commissioner has issued general guidance on privacy and AI. No dedicated AI-specific regulation exists under the Privacy Act 2020. Organisations must interpret the 13 Information Privacy Principles for AI training data, automated decisions, and cross-border data flows with limited regulatory direction. Your interpretation today determines your compliance posture tomorrow.
- 02 Training data exposure
Purpose limitation, accuracy, individual rights.
Did you collect that training data for the purpose you are now using it? Is it accurate enough for automated decisions? Can individuals access or correct information your AI learned from? The Privacy Act's purpose limitation, accuracy, and individual rights principles apply to every piece of personal information used in AI systems, including data collected years before AI was part of your strategy.
- 03 Black-box explainability
Individual rights get complicated with AI.
Someone requests access to their personal information. What do you disclose when an AI model learned patterns from their data but does not store it directly? How do you explain an automated decision when the model is a black box? The Privacy Act 2020 gives individuals rights to access, correction, and explanation. Your organisation needs procedures that honour those rights even when AI makes the answers complex.
Four steps to Privacy Act compliance for AI.
We translate abstract Privacy Act principles into practical compliance requirements for AI systems: operational procedures your teams can use, tailored to how organisations in Aotearoa actually deploy AI.
01 Audit against the 13 IPPs
We examine how AI systems collect, store, use, and disclose personal information, mapping every system to all 13 Information Privacy Principles. We identify exposure such as training data without proper consent, automated decisions without explainability, cross-border transfers without adequate safeguards, and accuracy issues in data used for consequential decisions. The output is a privacy gap analysis, risk register, and principle-by-principle assessment.
02 Privacy Impact Assessments
For AI systems making significant automated decisions or processing sensitive information, formal PIAs aligned with Privacy Commissioner expectations. We document what information you collect, why you need it, who can access it, how long you keep it, and what rights individuals have. For healthcare organisations, PIAs align with the Health Information Privacy Code 2020. The output is PIA documentation for each high-risk AI system.
03 Operational procedures
Consent mechanisms in plain language New Zealanders understand. Processes for handling access requests when AI models are involved. Data accuracy requirements for training datasets. Breach notification procedures aligned with the Privacy Act's mandatory reporting requirements. Protocols for evaluating third-party AI vendors against all 13 IPPs. Output: data-handling procedures, consent templates, vendor assessment frameworks, breach response protocols.
04 Train the team
Developers, product managers, and business users need to understand what the Privacy Act 2020 requires when they deploy AI. Training covers the principles that matter most in AI contexts: purpose limitation, accuracy obligations, individual rights to access and correction, transparency for automated decisions, and cross-border disclosure rules. Output: training materials, quick-reference guides, ongoing compliance checklists.
The Information Privacy Principles that bite hardest on AI.
The Privacy Act 2020 contains 13 Information Privacy Principles. Six of them carry the most weight when AI is in the loop. This is the framework we use to assess your compliance.
Principle 1: Purpose of collection
AI training requires vast amounts of data. You can only use personal information for the purpose you originally collected it. Scraped data, repurposed internal datasets, and third-party data all create exposure. If you collected customer information for service delivery and now want to train an AI model, you likely need fresh consent or a documented legal basis under the Privacy Act 2020.
Principle 3: Collection of information
Personal information must be collected directly from the individual concerned, with limited exceptions. When AI systems infer new information about individuals or collect data indirectly through automated means, this principle requires careful analysis. We help you determine when direct collection requirements apply and how to design compliant data collection for AI training and inference.
Principle 8: Accuracy
Training data must be accurate enough for your AI's decisions. Hiring decisions based on outdated employment records, credit decisions based on incomplete financial data, or service decisions based on inaccurate demographic information all breach this principle. Organisations must verify the accuracy and representativeness of data used in AI systems, particularly when outputs affect individuals in New Zealand.
Principle 10: Use of personal information
Your AI cannot use personal information beyond the original collection purpose. Using customer data to train a model you sell or license to other businesses is a disclosure issue. Even internal use for an AI application that differs significantly from the original purpose may violate this principle. We help you map data flows and identify where purpose limitation creates compliance risks.
Principle 12: Cross-border disclosure
Most AI tools send data offshore to providers in the United States, Europe, or Asia. The Privacy Act 2020 does not prohibit cross-border disclosure. IPP 12 requires organisations to take reasonable steps to ensure the overseas recipient will protect the information in a manner consistent with the Act. That means assessing vendors' privacy practices, negotiating data processing agreements, and understanding precisely where your data goes.
Principle 13: Unique identifiers
AI systems create or use unique identifiers to track, profile, or link individuals across datasets. The Privacy Act restricts how organisations assign and use unique identifiers. When AI systems create new identifiers or combine data in ways that enable re-identification of anonymised information, specific Privacy Act obligations apply.
Automated decision-making under the Privacy Act 2020.
When AI makes or significantly informs decisions about individuals, the Privacy Act 2020 creates heightened obligations around transparency, accuracy, and individual rights. Organisations must be able to explain how automated decisions are made, ensure the underlying data is accurate and complete, and provide meaningful avenues for individuals to challenge decisions that affect them.
This intersects with the OECD AI Principles adopted by Aotearoa New Zealand's National AI Strategy, which emphasise transparency and explainability as core governance requirements. The Algorithm Charter for Aotearoa reinforces government agencies' commitments to transparent and accountable use of algorithms in public services.
We help organisations develop explainability frameworks that meet both Privacy Act obligations and OECD Principles requirements: documentation that records how automated decisions work, what data inputs drive outcomes, and what safeguards exist to prevent bias or error. The same documentation serves regulatory compliance and builds trust with the New Zealand public.
Using overseas AI vendors? Your organisation stays responsible.
Most AI tools send data offshore. Large language models, cloud AI services, and specialised solutions typically process data in the United States, Europe, or Asia. The Privacy Act 2020 does not prohibit this. IPP 12 requires your organisation to take reasonable steps to prevent misuse: assessing vendors' privacy practices against New Zealand standards, negotiating data processing agreements that reflect the 13 IPPs, and understanding where your data goes at every stage of processing.
Cross-border data flows are one of the most common areas of Privacy Act exposure when deploying AI. The Privacy Commissioner has been clear that responsibility remains with the disclosing organisation, not the overseas vendor. We help you evaluate AI vendors against Privacy Act requirements, draft appropriate contractual protections, and implement monitoring to maintain ongoing compliance.
Who this is for.
Privacy Act compliance pressure plays out differently in each sector. Our engagements adapt to the regulator and the data your team handles.
Financial services
Using AI for credit decisions, fraud detection, or customer service. The FMA and RBNZ expect you to manage privacy risks under existing obligations. Privacy Act 2020 compliance is foundational for any financial services organisation deploying AI in New Zealand, from major banks through to fintech businesses and insurers.
Healthcare providers
Health information receives extra protection under the Health Information Privacy Code 2020, which sits alongside the Privacy Act. If your AI processes patient data, you need compliance with both the Privacy Act's 13 Information Privacy Principles and the HIPC's additional safeguards. Te Whatu Ora and private healthcare organisations alike must ensure AI systems protect patient privacy throughout the data lifecycle.
Government agencies
Public sector AI must comply with the Privacy Act 2020 and align with the Public Service AI Framework's transparency requirements. Government agencies also carry Treaty of Waitangi obligations around Māori data governance that intersect with privacy compliance. We help agencies meet overlapping obligations through a single, integrated compliance framework.
HR and recruitment technology
Using AI to screen candidates, assess performance, or make employment decisions. Sensitive personal information and automated decisions that significantly affect individuals: the highest-risk scenario under the Privacy Act 2020. New Zealand organisations using AI in human resources need documented compliance frameworks to manage both privacy and employment law obligations.
Frequently asked questions.
Does the Privacy Commissioner actually enforce these requirements for AI?
The Privacy Commissioner does not have AI-specific rules. They enforce the Privacy Act 2020 for all data processing, including AI. Recent enforcement actions have focused on automated decision-making and data accuracy, both central to AI systems. The Commissioner's office has also signalled increased scrutiny of cross-border data flows and algorithmic transparency. Proactive compliance is significantly cheaper than responding to a complaint or formal investigation.
What happens if someone requests access to personal information used to train our AI model?
Under the Privacy Act 2020, you must provide access to their personal information, explain how you used it, and allow corrections if it is inaccurate. If your model learned patterns from their data but does not store it directly, you still need procedures for explaining what happened and what information was processed. We help organisations develop protocols for these complex access requests that satisfy the 13 IPPs.
Can we use customer data to train AI models we will sell or license?
Only if your original collection notice covered this use. Most New Zealand organisations collected data for their own business purposes, not to train commercial AI products. Repurposing data for AI training requires either new consent or a careful legal analysis of whether the new use is reasonably related to the original purpose under the Privacy Act 2020. The distinction between internal use and commercial disclosure is particularly important.
Do we need a Privacy Impact Assessment for every AI system?
Not necessarily. PIAs are most critical when privacy risks are significant: automated decision-making, processing of sensitive information, large-scale data processing, or new technologies. We help you assess which AI systems need formal PIAs and which can be addressed through lighter-touch privacy reviews, consistent with New Zealand's principles-based regulatory approach.
How does Privacy Act compliance relate to Māori data governance?
The Privacy Act 2020 protects individual privacy rights. Māori data governance addresses collective rights and Treaty of Waitangi obligations. These are complementary but distinct frameworks. When AI systems process Māori data, organisations in Aotearoa New Zealand must consider both Privacy Act compliance and Māori data sovereignty principles, including kaitiakitanga and the protection of mana. We help organisations build integrated frameworks that honour both sets of obligations.
Make your AI systems compliant with the Privacy Act 2020.
A privacy compliance review identifies where your AI systems are exposed against the 13 Information Privacy Principles and outlines the procedures you need to satisfy the Privacy Commissioner.