Is Privacy Law the New Holidays Act?

I've recently been pondering whether privacy law is the new Holidays Act. The two may not seem obviously connected, but bear with me.
An article by Partner Rachael Judge, published in Business Desk on Thursday 9 July [paywalled].
A decade ago, the complex Holidays Act was sitting quietly on the books, widely ignored and poorly understood. We employment lawyers occasionally provided advice, and inevitably that advice flagged compliance issues. However, in general, employers were not auditing their compliance with the Holidays Act, employees and unions were not raising potential non-compliance as an issue, and the regulator was not pushing enforcement.
Then, almost overnight, that changed. Proactive audits became commonplace, as did enforceable undertakings. In turn, employees and unions became alive to the issue of Holidays Act non-compliance and started to raise it themselves. Employers began compliance work, and compliance became a key issue when looking to buy a new business. Holidays Act remediation became a significant and expensive undertaking across the economy.
The extent of the issue was perhaps most clearly demonstrated by the fact that MBIE (the Ministry responsible for enforcement of the Holidays Act) identified non-compliance within its own payroll operations and had to remediate its own payroll as a result. With the Employment Leave Bill currently before Parliament, I hope that New Zealand will have a clearer leave framework in the not-too-distant future.
A familiar pattern
My concern is that the Privacy Act 2020 is sitting on the same precipice as the Holidays Act once was. Although the Privacy Act includes a series of succinct "information privacy principles" (IPPs), the rules are more complex than may appear at first glance. They set out strict criteria in relation to how any organisation may collect, hold, use, disclose, store, and dispose of personal information about identifiable individuals. With the introduction of a new IPP 3A on 1 May 2026, which includes prescriptive rules about what must be disclosed to an individual when collecting their personal information from a third party, the IPPs have become even more stringent.
When I work through these issues with clients, there are often elements of non-compliance. Sometimes, organisations have not even thought about how the IPPs could impact upon their operational activities in relation to personal information. Often, the scope of the obligations is simply misunderstood. For now, most organisations are getting away with it. However, this is not always the case.
When it goes wrong
- The "Cake Case": a former employee of Credit Union Baywide posted a picture on her private social media of a cake containing icing that spelt out expletives referencing her former employer. The Credit Union coerced a junior employee to access the photo from the former employee's Facebook page, shared it with the employee's new employer to pressure them to terminate her employment, and also distributed it to recruitment agencies in the Hawkes Bay region to warn them away from hiring her. These actions were found to have breached the former employee's privacy. Taking into account damages for humiliation, loss of income, legal expenses, and loss of a salary benefit, the former employee was awarded a total of $168,070.88.
- Former Conservative Party leader Colin Craig breached the privacy of his former press secretary by disclosing details contained in a confidential settlement agreement through press conferences, media interviews, and a booklet distributed to 1.6 million New Zealand households. As a result, his former press secretary was awarded $128,780 in damages for emotional harm, plus costs.
- In a more recent example, a mother and son's privacy were breached when an external agency disclosed sensitive information about the mother's medical history, including about past drug use and sex work, to her son's Auckland primary school by way of an 11-page child protection report. The school, having improperly possessed and retained this information, went on to use it to form prejudicial views about the mother and child, resulting in them being treated poorly and differently to others. The mother and son were awarded $29,100 in damages as a result.
The conditions for change are in place
Beyond the Human Rights Review Tribunal, the Office of the Privacy Commissioner can issue compliance notices and publicly name non-compliant organisations, as well as make binding directions requiring agencies to provide individuals with access to their personal information. Non-compliance with either a compliance notice or an access direction can attract a fine of up to $10,000.
With the introduction and acceleration of AI tools, it is now easier than ever for people to know their rights in respect of matters such as privacy. I am increasingly seeing personal information access requests, and concerns under the Privacy Act, being pursued as a form of leverage or as a claim in their own right. I would not be surprised if this trend continues to increase and privacy claims become more commonplace.
How best to prepare?
I recommend taking a proactive approach rather than waiting to get caught out. Organisations should ensure they have a competent and well-trained Privacy Officer, check that their privacy policies and disclosures are up to date and fit for purpose (including in light of new IPP 3A obligations), audit current privacy practices, and educate relevant staff on what a good privacy culture looks like.
The parallels with the Holidays Act are striking. Privacy law has long been on the books, its complexity has been quietly underestimated, and the conditions for a shift in enforcement and awareness are firmly in place. Organisations that act now, rather than waiting for the regulatory tide to turn, will be far better placed when that shift inevitably comes.
Get in touch
If you have a similar issue in your workplace, and would like to discuss any issues, get in touch with one of our experts.
Contacts

Rachael Judge




