Privacy Act 2020 and AI
The Privacy Act 2020 is New Zealand's primary data protection legislation and its most significant AI governance framework. The Act's 13 Information Privacy Principles (IPPs) apply to personal information processed by AI systems, creating obligations that parallel those of Australia's Privacy Act. The most relevant principles for AI governance are IPP 1, IPP 3 and IPP 10.
IPP 1 requires that personal information is collected for a specified, lawful purpose and not for a purpose that would be unfair to the individual. Using data collected for one purpose to train an AI model for a different purpose may not satisfy IPP 1.
IPP 3 requires that personal information is collected directly from the individual where practical — AI systems that aggregate personal information from multiple sources without individual knowledge may not satisfy this principle.
IPP 10 prohibits using personal information for purposes other than those for which it was collected — AI systems that use customer data collected for service delivery to train predictive models may require specific consent or a new purpose specification.
The Algorithm Charter
New Zealand's Algorithm Charter for Aotearoa NZ represents a significant government commitment to transparent and accountable use of algorithms in the public sector. Agencies that sign the Charter commit to: maintaining a plain language summary of algorithms that affect individuals, being clear about where algorithms are and are not used in agency decisions, testing for bias and considering impacts on privacy before deployment, ensuring humans maintain meaningful oversight, engaging with affected communities, and providing a mechanism for complaints. While the Charter is voluntary, the approximately 30 signatory agencies include major government departments — MBIE, MSD, Statistics NZ, ACC, and Inland Revenue — that collectively affect most New Zealanders' interactions with government.