Our lawyers keep up with the latest trends and issues in New Zealand law and business, and regularly publish articles and reports on current topics.

Email me when new articles are published

Privacy Warrant of Fitness

Written by David Alizade PARTNER; Darryl King PARTNER on November 19th, 2020.    

Privacy 2020 final image-636

  Privacy Warrant of Fitness                                                                                                 


The Privacy Act 2020 (Act) comes into force on 1 December 2020.  This warrant of fitness is designed to help you assess how well placed you are to comply with the Act, and what changes you might need to make.



Privacy Officer

Appoint a privacy officer (if you haven’t already).
Ensure your privacy officer is up to speed with privacy laws including the changes under the Act.

Collecting Information

Audit what information you collect (and how you collect it), including any information you collect online.
Check whether your privacy policy allows you to collect the information you are collecting.
Check whether you need to collect the personal information you are collecting.
If you collect personal information from children or young people, check that you are collecting it fairly.

Disclosing information

Identify who you disclose personal information to (and where in the world it goes).

If you send personal information overseas, check whether you comply with the changes to the Act.   
Check that your privacy policy accurately and clearly describes who you disclose information to, and how you will protect information you transfer overseas (if applicable).
Check that your agreements with third parties allow you to comply with your obligations under the Act (for example, by including a process for reporting breaches and restrictions on transferring data overseas).

Privacy Breaches

Create a data breach response plan and update your privacy policy with how you will respond to a breach.
Test your breach response plan internally – you can use the Privacy Commissioner’s online NotifyUs tool to run through example situations without submitting information to the Privacy Commissioner.

Storage and Security

Review the safeguards and policies you have in place for protecting the personal information you collect.

If you deal with account numbers, drivers licence numbers or other unique identifiers, consider how you can protect against these being misused.

Ensure that you are not keeping personal information longer than you need to.

Check that you are disposing of personal information securely when you have finished with it.


Check you have a process in place to respond to requests for access to or correction of personal information you hold within the statutory timeframes. 


Ensure that your staff understand your organisation’s privacy obligations under the Act, the process to follow if there is a privacy breach, and your internal privacy policies.

Update your documents

Depending on the nature of your organisation, as part of completing this warrant of fitness you will need to review and update a number of documents you use.  These could include:

Privacy policyyour privacy policy should be easy to understand and accurately set out:

- the information you collect and who you disclose it to;
what you will use the information for;
- how the information is stored, kept secure and disposed of;
- whether the information is sent overseas (and if so how it will be protected);
- how an individual can access and correct their information; and

how you will respond to a privacy breach. 
Internal documentsfor example, your internal privacy policy, cybersecurity policy, obligations register and/or staff manuals.  To comply with the new changes to the Act, you will need to add a privacy breach response plan, and a process for managing any data sent overseas.  You may also want to update your other privacy related policies after completing this warrant of fitness if they are out of date or not sufficiently detailed.
Customer agreements and sign up forms ­– remove any personal information you don’t need to collect, update references to the Privacy Act 2020, and make changes if information is sent overseas. Don’t forget online forms. 
Third party agreements (e.g. supplier agreements)updates should include clauses that:
- ensure information sent overseas is protected; and
- specify a privacy breach process.  
Cloud storage agreements ­– check whether your agreements enable you to comply with your obligations under the Act, including your obligation to report privacy breaches, and provide individuals with access to and correction of their information.  
Insurance – check whether your insurance policy covers you for a privacy breach.

Please contact us if you would like help with complying with the Act and the changes you might need to make. We can provide you with clear advice on the Act, and the updates you need for your privacy policy and agreements. We can also assist you with training on compliance with the Act.

Disclaimer: The information contained in this publication is of a general nature and is not intended as legal advice.  It is important that you seek legal advice that is specific to your circumstances.

All rights reserved © Jackson Russell 2020

David Alizade Publications
David Alizade,

Darryl King Publications
Darryl King,

Level 13, 41 Shortland Street, Auckland 1010, New Zealand

PO Box 3451, Auckland 1140, New Zealand

+64 9 303 3849

Linkedin Circle-26