Thank you for your patience as we continue to review and update our forms, templates, guidance, and other information following the lifting of the COVID-19 vaccination updates. In the meantime, our Advisory and Support Centre is available to discuss any governance or employment matters on 0800 782 435, or alternatively by email  –  (for employment advice) or  (for governance advice).



Privacy Act 2020


Protecting Personal Information in the internet age

The Privacy Act 2020 seeks to increase New Zealanders’ confidence that their personal information is secure and will be treated properly.


What is Personal Information?

Personal information is more than a person’s name, address and date of birth; it is all information about an identifiable individual. 

The growing use of internet-connected devices, social media, e-commerce, and cloud storage means large quantities of data can now be easily stored, retrieved, and disclosed anywhere around the world. This has many benefits, but it also creates new challenges for the protection of personal information by public and private sector agencies. These agencies include school boards and NZSTA.


Checklist for boards

Boards and their schools are agencies that collect, use, store and dispose of a lot of personal information. The personal information collected relates to students and their parents, caregivers and whānau, staff, contractors and board members. It also includes personal information from other agencies that interact with the school such as the Ministry of Education, Education Review Office and NZSTA, and others in the school and its wider communities, such as sports and community groups. 

We encourage boards to familiarise themselves with the changes contained in the Privacy Act 2020. Start by putting Privacy on the board meeting agenda and working through this checklist:

  • does your board have a privacy officer? 
  • does your board plan to allocate resources (time and money) to support the privacy officer’s training and work?
  • does your board have a privacy policy, and can the school recognise when a privacy breach may have occurred? 
  • what about procedures on what to do when someone asks for their personal information or their child’s information (privacy request) or if there is a privacy breach?
  • have your school’s privacy statements been reviewed recently, e.g. on forms when students enrol, and on the school website?
  • does your board and school store and dispose of personal information by following the school records retention/ disposal pack?
  • can the board be assured that its contracts for software and digital platform products used by the school meet the new privacy requirements for personal information sent outside New Zealand?
  • do the school’s ICT systems enable the board to give each board member a school-based email address?


More information

  • Free Privacy education here 
  • Privacy Commissioner's website
  • Archiving and disposing of school records
  • School records retention/disposal pack
  • Privacy Act 2020, section 22, (the 13 Information Privacy Principles)
Scroll Arrow Icon

© 2018 New Zealand School Trustees Association