Pacific Flow AI
Compliance

AI and the Privacy Act 2020: What NZ Businesses Need to Know

Navigating data privacy requirements when implementing AI automation. A practical guide for compliance.

20 December 2025 · 10 min read · Pacific Flow AI

AI and Privacy: Getting It Right

When implementing AI automation, New Zealand businesses must navigate the Privacy Act 2020. This guide explains the key considerations in practical terms—not legal advice, but a framework for understanding your obligations.

The Basics: What the Privacy Act Requires

The Privacy Act 2020 governs how organisations collect, use, store, and disclose personal information. The 13 Information Privacy Principles (IPPs) provide the framework.

For AI implementations, the most relevant principles are:

IPP 1: Purpose of Collection

You must have a lawful purpose for collecting personal information, and that purpose must be connected to your business function.

AI Implication: If you're training AI on customer data, you need a clear purpose that relates to serving those customers. "We might find it useful someday" isn't sufficient.

IPP 3: Collection Directly from Subject

Where possible, collect information directly from the person it's about.

AI Implication: Using AI to infer or generate information about individuals creates new data that was never collected from them directly. Keep a clear distinction between information the person actually provided and information the AI inferred.

IPP 6: Access to Personal Information

Individuals have the right to access information you hold about them.

AI Implication: Can you explain what data you hold and how it's being used in AI systems? If your AI makes decisions about individuals, can you explain the logic?

IPP 8: Accuracy

Take reasonable steps to ensure information is accurate before using it.

AI Implication: AI can perpetuate or amplify errors in training data. What processes ensure accuracy of AI-processed information?

IPP 10: Use of Personal Information

Only use information for the purpose it was collected, or a directly related purpose the individual would reasonably expect.

AI Implication: Using customer service data to train a sales AI might exceed reasonable expectations. Purpose matters.

Practical Compliance Steps

Step 1: Data Mapping

Before implementing AI, understand your data landscape:

  • What personal information do you collect?
  • Where is it stored?
  • Who has access?
  • How long do you keep it?
  • What will AI systems do with it?

Document this thoroughly. You'll need it for privacy assessments and responding to access requests.

Step 2: Privacy Impact Assessment

For any significant AI implementation, conduct a Privacy Impact Assessment (PIA). Consider:

  • What personal information will the AI process?
  • What's the purpose?
  • What risks does this create for individuals?
  • How will you mitigate those risks?
  • Is this use proportionate to the benefit?

The Office of the Privacy Commissioner provides PIA guidance on their website.

Step 3: Transparency

Be clear with individuals about AI use:

  • Update your privacy policy to cover AI processing
  • Inform customers when they're interacting with AI
  • Explain what data AI systems use and why
  • Provide opt-out options where appropriate

Step 4: Data Minimisation

Only use the data you actually need:

  • Can you achieve your AI goal with less data?
  • Can you use anonymised or aggregated data?
  • Do you need to retain data after processing?

Less data means less risk.

Step 5: Third-Party Due Diligence

Many AI solutions involve third-party providers. Verify:

  • Where will data be processed and stored?
  • What are the provider's security practices?
  • Do they use your data to train their own models?
  • Can you meet access request obligations through them?
  • What happens to data if you end the relationship?

Common AI Privacy Scenarios

Customer Service Chatbots

Data involved: Customer enquiries, conversation history, account information.

Key considerations:

  • Inform customers they're talking to AI
  • Limit access to only necessary account data
  • Don't retain conversation data longer than needed
  • Enable human escalation for sensitive matters

Automated Decision-Making

Data involved: Whatever informs the decision—financial data, behaviour history, etc.

Key considerations:

  • Be able to explain decision logic if asked
  • Don't make significant decisions affecting individuals on AI alone
  • Provide human review options
  • Test for bias in decision outcomes

Data Analytics and Insights

Data involved: Customer behaviour, transaction history, preferences.

Key considerations:

  • Ensure original collection purpose covers analytics use
  • Prefer aggregated over individual-level analysis
  • Be cautious about inferring sensitive information
  • Anonymise where possible

Cross-Border Considerations

If your AI provider is overseas (common with cloud-based AI services), additional rules apply. At least one of the following must hold before personal information leaves New Zealand:

  • You believe the overseas recipient is subject to comparable privacy protections
  • The individual authorises the transfer
  • You have appropriate contractual protections in place with the recipient

Many reputable AI providers offer Data Processing Agreements that address this.

When to Seek Legal Advice

This guide provides a framework, but seek legal advice when:

  • Processing sensitive information (health, ethnicity, political views, etc.)
  • Making automated decisions with significant impact on individuals
  • Handling children's data
  • Operating in regulated industries (finance, health, etc.)
  • Uncertain about compliance

Getting Started

For most SME AI implementations, compliance is achievable with reasonable care:

  1. Document your data practices before adding AI
  2. Assess privacy impact of proposed AI use
  3. Be transparent with customers
  4. Choose reputable providers with strong privacy practices
  5. Minimise data to what's actually needed
  6. Review regularly as AI capabilities expand

Our AI Audit includes a privacy compliance review, identifying potential issues before implementation begins.

Resources

  • Office of the Privacy Commissioner - Official guidance and tools
  • Privacy Act 2020 - Full legislation
  • AI Principles - Government guidelines on algorithm use

Privacy and AI can coexist. The key is thoughtful implementation that respects individuals while capturing business value.
