Plain language law

New Zealand law explained for everyone

Customer and Product Data Act 2025

Protections - Privacy Act 2020

52: Certain contraventions relating to storage and security treated as breaching information privacy principle 5

You could also call this:

“Breaking rules about storing or protecting personal info is like breaking a privacy rule”

If you’re holding someone’s personal information and you break a rule about how to store it or keep it safe, you’ll be treated as if you’ve broken a privacy principle. This privacy principle is about keeping information secure.

When this happens, parts of the Privacy Act will apply to you. These parts of the Act deal with how privacy breaches are handled.

There are specific rules about storing and keeping information safe. These rules include:

  • Rules about protecting information from being lost
  • Rules about stopping people from accessing, using, changing, or sharing the information when they’re not allowed to
  • Rules about protecting the information from being misused in other ways

The law calls these rules “CPD storage and security requirements”. If you break these rules, it’s the same as breaking the privacy principle about keeping information secure.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS851540.

Topics:
Money and consumer rights > Consumer protection Rights and equality > Privacy
Previous

51: Access request not IPP 6 request but contravention is interference with privacy, or

"Breaking rules about giving you your information is like messing with your privacy"

Next

53: Chief executive may require person to supply information or produce documents, or

"The boss can ask you for information to help with their job"

Part 3 Protections
Privacy Act 2020

52Certain contraventions relating to storage and security treated as breaching information privacy principle 5

  1. If, in relation to any personal information, a data holder contravenes a CPD storage and security requirement, the data holder must be treated as breaching information privacy principle 5 set out in section 22 of the Privacy Act 2020 for the purposes of Parts 5 and 6 of that Act.

    Guidance note

    See section 135(4)(b), which provides for all or part of the costs of the Privacy Commissioner in acting under the Privacy Act 2020 in connection with a contravention referred to in this subsection to be met from levies.

  2. In this section, CPD storage and security requirement means any of the following:

  3. section 39(3) or 45(2):
    1. a requirement that is imposed under this Act in connection with 1 or more of the following and that is specified by the regulations for the purposes of this section:
      1. protecting data against loss:
        1. protecting data against access, use, modification, or disclosure that is not authorised by the data holder or an accredited requestor:
          1. protecting data against other misuse.