Most NZ organisations are, without knowing it. This free module explains exactly what the NZ Privacy Act 2020 requires when staff use AI tools, in plain language, with real NZ examples. Enter your work email and it opens immediately.
No password. No account. One email from Lee within 48 hours if your organisation has an immediate privacy exposure. That is it.
Tane is an HR manager at a Hamilton accounting firm with 70 staff. He has been using ChatGPT to help draft performance review summaries. He types in the staff member's name, their role, their manager's feedback, and their salary band, and asks ChatGPT to write a polished summary. It saves him about two hours a week. He has never considered whether this might be a problem.
It is a problem. Under the NZ Privacy Act 2020, what Tane is doing is a privacy breach. This module explains why, what the rules actually are, and how to use AI effectively while staying completely on the right side of the law.
The NZ Privacy Act 2020 is not a new law designed specifically for AI. It is the framework that governs how any person, business, or organisation in New Zealand collects, stores, uses, and discloses personal information. AI tools did not exist when earlier privacy laws were written, but the Privacy Act 2020 applies to them just as it applies to everything else.
When you type personal information into a free AI tool, that information is processed on servers outside New Zealand, typically in the United States. Depending on the tool and the plan you are on, that information may also be used to train future AI models. Under the Privacy Act, this constitutes disclosure and potentially storage of personal information with a third party overseas, and it triggers specific obligations that most NZ organisations are simply not meeting.
Research published in 2026 found that only 24% of NZ workers have received any AI training, and only 36% believe they have the skills to use AI appropriately. Privacy compliance is one of the biggest gaps. Staff are routinely entering personal information into free AI tools without knowing they are creating a legal exposure for their organisation.
Under the Privacy Act, personal information is any information about an identifiable individual. That sounds simple but it is broader than most people realise.
Personal information includes names, contact details, dates of birth, physical descriptions, and health information. It also includes employment details, financial information, performance records, and disciplinary history. It includes opinions about a person, which is why performance review notes are personal information. It even includes combinations of details that, together, could identify someone even if no single piece of information would on its own.
A person's first name alone is not personal information. Their job title alone is not personal information. But their first name, job title, and employer together might be enough to identify them uniquely. Once information becomes identifiable, it becomes personal information and the Privacy Act applies. This is why even apparently harmless details need care when combined.
The following categories of information must never be entered into a free AI tool without a proper data processing agreement in place between your organisation and the AI provider. This is not a suggestion. It is a legal obligation under the NZ Privacy Act 2020.
The Privacy Act does not prevent you from using AI tools. It requires that you use them appropriately. Here is what is safe to use.
When you use Microsoft Copilot inside your organisation's Microsoft 365 environment, your data stays within your organisation's Microsoft tenant. Microsoft processes the data under your organisation's existing Microsoft licence agreement, which includes data processing commitments that meet NZ Privacy Act requirements. This means Copilot is generally safer for work involving personal information, provided your organisation has a current Microsoft 365 licence and your IT environment is properly configured.
The same applies to Google Gemini within an organisational Google Workspace environment. Your data is processed under your organisation's Google Workspace agreement, not the free consumer terms.
The critical distinction is between your organisation's licensed environment and free consumer tools. A free ChatGPT account or a free Claude account operates under consumer terms of service that do not provide the same data processing commitments as an enterprise licence.
If you are using a tool you pay for through an organisational account and your IT or finance team set it up, it is likely covered by a proper agreement. If you are using a free account you signed up for yourself with a personal email address, assume consumer terms apply and treat personal information accordingly.
The Privacy Amendment Act 2025 introduced a new Information Privacy Principle called IPP 3A, which came into force on 1 May 2026. This is the most significant update to NZ privacy law since the Privacy Act 2020 itself came into force.
IPP 3A extends the notification obligation to indirect collection of personal information. Previously, organisations only had to notify individuals when collecting their personal information directly from them. Now, if your organisation collects personal information about an individual from a third-party source such as a database, another organisation, or any source other than the person themselves, you must take reasonable steps to notify that individual about the collection.
For AI use, this means that if an AI tool collects or generates information about an identifiable individual that your organisation then uses, additional notification obligations may apply. Check the Office of the Privacy Commissioner guidance at privacy.org.nz for specific advice on how IPP 3A applies to your organisation's AI use.
Privacy breaches involving AI tools are not theoretical. They are happening in NZ organisations right now. The Privacy Commissioner can investigate complaints, require organisations to change their practices, and in serious cases refer matters to the Human Rights Review Tribunal, which can order compensation of up to $350,000.
Beyond the legal consequences, a privacy breach involving an AI tool can damage your organisation's reputation, undermine client trust, and create liability that is difficult to manage after the fact.
The good news is that compliance is not complicated. The anonymisation rule alone prevents the vast majority of AI-related privacy breaches. Most tasks can be done safely with simple adjustments that take less than a minute.
| The task | Unsafe approach | Safe approach |
|---|---|---|
| Writing a performance review summary | ✗ Pasting the staff member's name, role, salary, and manager feedback into ChatGPT free | ✓ Using anonymised placeholders: Staff Member A, Senior Role, Feedback: [description without name] |
| Drafting a client support letter | ✗ Entering the client's name, address, health condition, and case history into a free AI tool | ✓ Describing the situation without identifying details: client in their forties, condition X, seeking support for Y |
| Summarising meeting notes | ✗ Pasting meeting minutes that include names, personal opinions about named individuals, and sensitive discussions | ✓ Using Copilot in Teams (covered by your Microsoft agreement) or removing names before pasting into a free tool |
| Creating a job advertisement | ✓ Safe. No personal information about individuals is involved in creating a job advertisement | ✓ Safe regardless of which tool you use |
| Analysing a spreadsheet of client data | ✗ Uploading a spreadsheet containing client names, contact details, and financial data to any free AI tool | ✓ Anonymising the spreadsheet first, or using Copilot in Excel within your organisational Microsoft environment |
Tane now understands what he was doing wrong. He was entering real staff names, salary information, and performance data into a free ChatGPT account operating under consumer terms of service. Under the NZ Privacy Act 2020, this is a disclosure of personal information to a third party that his organisation never authorised and the staff members were never informed about.
The fix is simple. He switches to anonymised placeholders in his prompts. Staff Member A instead of the person's name. Senior Accountant instead of the salary band. Manager feedback described in general terms rather than quoted verbatim. He gets the same quality output, saves the same amount of time, and is now operating entirely within the law. He also asks his IT manager whether the firm has Copilot available through their Microsoft 365 licence, which would allow him to work with real data inside the firm's compliant environment.
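The anonymisation rule Tane adopts can be applied mechanically before anything leaves the organisation. The following is an added example, not part of the module or any vendor's tooling: it strips the name, email and phone number from a constructed HR record, drops the salary band entirely, runs a pre-send check for residual identifiers, and keeps the placeholder-to-name mapping locally so the AI's reply can be re-identified without the provider ever seeing the real name. The record, names and contact details are all made up.

```python
import re

# Constructed sample HR record; every value here is made up for the example.
RECORD = {
    "name": "Aroha Ngata",
    "role": "Senior Accountant",
    "salary_band": "Band 4",
    "manager_feedback": (
        "Aroha Ngata delivers client work early and Aroha mentors juniors well. "
        "Could delegate more. Reach her on aroha.ngata@example.co.nz or 021 555 0199."
    ),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{6,}\d")


def anonymise(record, label="Staff Member A"):
    """Build a prompt that carries no identifiers; return it with a local mapping.
    The salary band is omitted entirely rather than masked, as the module advises."""
    fb = EMAIL_RE.sub("[email removed]", record["manager_feedback"])
    fb = PHONE_RE.sub("[phone removed]", fb)
    full, first = record["name"], record["name"].split()[0]
    fb = fb.replace(full, label)                          # full name first
    fb = re.sub(rf"\b{re.escape(first)}\b", label, fb)    # then bare first name
    prompt = (
        f"Write a polished performance review summary for {label}, {record['role']}.\n"
        f"Manager feedback: {fb}"
    )
    return prompt, {label: full}


def residual_identifiers(text, record):
    """Pre-send check: list anything from the record, or any email/phone, still present."""
    known = (record["name"], record["name"].split()[0], record["salary_band"])
    found = [v for v in known if v in text]
    if EMAIL_RE.search(text):
        found.append("email address")
    if PHONE_RE.search(text):
        found.append("phone number")
    return found


def reidentify(ai_output, mapping):
    """Swap placeholders back for real names locally, after the AI reply returns."""
    for placeholder, real in mapping.items():
        ai_output = ai_output.replace(placeholder, real)
    return ai_output


if __name__ == "__main__":
    prompt, mapping = anonymise(RECORD)
    assert residual_identifiers(prompt, RECORD) == [], "do not send: identifiers remain"
    print(prompt)
```

The same pre-send check is worth running on pasted meeting notes or spreadsheet exports, since it is the combination of details that makes a record identifiable.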
The Office of the Privacy Commissioner is New Zealand's primary resource for privacy guidance. Their website at privacy.org.nz has specific guidance on AI and privacy, including information on the new IPP 3A obligations. They also have a free helpline and can provide advice to organisations working through how the Privacy Act applies to their AI use. Contact them at privacy.org.nz or 0800 803 909.
Five questions based on real NZ workplace situations. Wrong answers always show the correct answer and explain why.
Print this and keep it near anyone who uses AI tools for work involving people. One page. Everything you need.
You now understand what the NZ Privacy Act 2020 requires of your organisation when using AI tools. The anonymisation rule alone prevents most AI-related privacy breaches. That knowledge is genuinely valuable and most NZ organisations do not have it yet.
Share the cheat sheet with your team, particularly anyone who handles HR, client records, health information, or finance. Stick it near their desk or pin it in your team chat.
Check which AI tools your team is currently using and whether they are using free consumer accounts or organisational licensed accounts. That distinction determines what is safe to use.
Review your organisation's AI policy or create one if it does not exist. PolicyLayer at policylayer.co.nz can help your organisation build a clear AI policy that covers Privacy Act obligations.
Or email Lee directly at lee@purelayer.co.nz