13 Nov 2025, 09:00

Read the full Annual Report (PDF, 3 MB)

"As I reflected on the range of initiatives and activity set out in this year’s Annual Report, I was struck by a particular thought – that is, the need to re-frame the language of privacy, and protecting and respecting personal information.

We need to break what I call the false dichotomy narrative – that we live in a world of either/or. That you can either have public safety or privacy. That you can either have law and order, or maintain a right to privacy. That you can either have technological innovation or privacy. That you can either embrace AI within your organisation or protect and respect personal information.

I believe we need to own and communicate that privacy is not an either/or – but that it’s an “and”, or a “while”. We need to stress this in the language we use, in addressing complex public policy problems, and in developing new business strategies. It’s things like keeping people safe while protecting individuals’ privacy rights. It’s rolling out AI in the health sector and ensuring sensitive personal health information remains protected. It’s implementing biometric processing technology, while giving people confidence it’s being done safely and fairly. It’s doing privacy well.

The Inquiry into Foodstuffs North Island’s trial use of Facial Recognition Technology (FRT) saw this Office develop important expectations around how privacy can be protected while using such privacy intrusive technology. The trial findings will help other businesses to ask the right questions about whether FRT is necessary and appropriate for them, and to understand what they would need to do to set FRT up and run it in a privacy protective way.

The delivery and implementation of the Biometric Processing Privacy Code strengthens and clarifies the privacy protections relating to sensitive biometric information. It provides agencies with a legal framework for how to implement biometric technologies. The Code, supported by detailed guidance, ensures businesses and organisations understand how to do privacy well when using these technologies.

The right to privacy is one of our nation’s taonga. A society that values privacy is one where its people can have confidence that their personal information will be protected and respected. We have a way to go but we’re making progress. That’s especially true when I reflect on how my Office, as regulator, has been clear and fair in working with businesses and public sector agencies looking to introduce new ways of delivering on their objectives.

The Statement of Intent 2023–2027, sets out my Office’s purpose as, ‘ensuring that privacy is a core focus for agencies’. We do this to protect the privacy of individuals, enable agencies to achieve their own objectives, and safeguard a free and democratic society.

This Annual Report marks the second year in our push towards achieving four objectives:

1. Work in partnership with Māori to take a te ao Māori perspective on privacy.
2. Engage and empower people and communities who are more vulnerable to serious privacy harm.
3. Set clear expectations to provide agencies with greater certainty about their responsibilities.
4. Promptly use our full range of investigation and compliance powers to hold agencies accountable for serious privacy harm.

It’s been a successful year

We are a nimble Office staffed by people who care deeply for the rights of New Zealanders and who work well together to deliver results.

Significant highlights include the following:

• Developing and then issuing the Biometric Processing Privacy Code to ensure clarity and a legal framework around the automated use of biometric technologies. We’re helping keep New Zealanders’ sensitive personal information safe while allowing businesses and organisations to innovate. We know that legislation can be a challenge to interpret so we also wrote specific and detailed guidance to help people understand how the new rules apply to them and their business.
  
  
• We found that the live Facial Recognition Technology model trialled by Foodstuffs North Island is compliant with the Privacy Act 2020. As well as delivering the results of our Inquiry, our report showed any business considering or using FRT what they need to do to make sure they set things up right to stay within the law.
  
  
• At its heart, privacy is about people and we’ve delivered a range of guidance, or draft guidance for public feedback on topics like biometrics, health, and the upcoming new indirect notification principle that was drafted and consulted on as part of the Privacy Amendment Bill. We support this work by speaking to audiences across the motu, ensuring technical subjects are explained in a way that is understandable.
  
  
• Our Māori Reference Panel was established this year. We are now fortunate to work with a group of experts who bring a te ao Māori perspective to our work. Their work helps us engage effectively with Māori to ensure policy projects and other significant work programmes appropriately consider te ao Māori perspectives.
  
  
• We received and processed 1,598 complaints from people across New Zealand, in many cases, finding that they had experienced harm from privacy breaches. We also negotiated financial reparation for 6.5% of the privacy complainants that we accepted for consideration.
  
  
• This year 1,093 privacy breach notifications were notified to us. Our team provided advice and guidance to organisations and helped them manage what had gone wrong, which then helped people who’d been affected by those breaches.
  
  
• We reviewed the Government’s legislative programme as it was progressed and made 12 submissions to Select Committees during the year to ensure privacy was considered. We also provided sound privacy advice to dozens of agencies which helped them strengthen their policy projects.
  
  
• People want to do privacy well but sometimes need help to understand how that happens. We’ve written guidance about protecting the privacy of children and young people when taking photos and videos, and created privacy posters in English and te reo Māori to ensure students, educators, and parents understand how to protect children’s privacy. We also progressed the other guidance in our Children’s Privacy project, which will be available online.
  
  
• Privacy Week 2025 was a highlight in May for us. More than 8,500 viewers watched 21 free webinar options with topics like AI, children’s privacy, and Māori data sovereignty.
  
  
• We hosted the 63rd Asia Pacific Privacy Authorities Forum, a virtual meeting of 14 privacy authorities in the Asia Pacific region. Talking to our counterparts, and hearing from them, helps us gain new insights and ideas into how to do privacy well.
  
  
• The New Zealand Supreme Court released its majority decision in Tamiefuna v R, a case in which we had made privacy submissions as an intervener, and with the Court taking notice of our 2022 joint report with the Independent Police Conduct Authority on Police photography of members of the public.

It’s been a great year for demonstrating the value of privacy. I want to thank and congratulate everyone in my Office who has worked hard to help New Zealanders understand why privacy matters so much to people, business, and society.

New Zealanders want their privacy rights respected and protected

More and more New Zealanders know they have privacy rights and want to do something about that. In this year’s privacy survey of over 1,000 New Zealanders, we learnt that 82% of people wanted more control and choice over the collection and use of their personal information.

In a single year there has been a significant jump in how many privacy complaints we’ve received. This year it’s up 21% on the year before.

This year we also had a 27% increase in privacy breach notifications. It’s clear that agencies need to respond to the challenge to be better at safeguarding New Zealanders’ personal information.

My Office will continue championing the privacy rights of New Zealanders. We will continue to take a constructive approach to the opportunities and challenges that New Zealand organisations and businesses are navigating. We will continue to advocate for changes to make the Privacy Act 2020 fit-for-purpose in the digital age.

I look forward to what we will achieve in 2025/26."

~ Michael Webster, Privacy Commissioner

Our strategic framework

Open our strategic framework (below) as a PDF document (page 8 of the 2025 Annual Report) (PDF, 195KB).

See a PDF diagram that demonstrates the privacy system is broad and challenging (page 10 of the 2025 Annual Report) (PDF, 197KB).

We focused on three key things in 2024/25

In our second year under the Statement of Intent 2023–2027 we pursued three key areas of strategic focus.

Read about our progress towards our strategic objectives (pages 17-39 of the Annual Report) (PDF, 1.7 MB).

The weaving of a cloak, the weaver of people

Our Statement of Intent introduced the whakataukī of tuitui kākahu, tuitui tāngata – it speaks to the process of weaving a kākahu or traditional Māori cloak and aligns that to the weaving of people.

It is a whakataukī that works well in describing the privacy system, the role of the Office of the Privacy Commissioner, and the place of Te Tiriti o Waitangi. This includes:

• tiaki – protecting and safeguarding the privacy of all New Zealanders
• taunaki – supporting the aspiration of rangatiratanga as expressed by Māori over their taonga, their data, and their privacy
• tūhono – partnering with Māori.

Tuitui kākahu, tuitui tāngata describes the process of weaving and the completion of the garment, or cloak that can then be used by individuals, whānau, hapū, iwi, and Māori to protect their privacy.

Tuitui kākahu, tuitui tāngata represents how the principles of Te Tiriti o Waitangi and the Act work together to achieve the outcomes of the privacy system.

Open this information as a PDF (page 9 of the 2025 Annual Report) (PDF, 259KB).

Privacy benefits all New Zealand

We have set our purpose as ‘ensuring that privacy is a core focus for agencies’ because we believe it’s the best way to improve the outcomes of the privacy system. Our interventions are designed to drive improvements to the privacy understanding and capabilities of agencies and to increase the priority and importance of privacy in their decision making.

Our indicators on the performance of the privacy system and privacy outcomes are outlined in the section, ‘Progressing toward our objectives and privacy outcomes’.

1. Individuals are more confident that their privacy is protected

When people trust that their personal information will be treated as a taonga, it gives them confidence in an agency.

When people trust that their personal information will be treated as a taonga, it gives them confidence in an agency.

Good privacy practices reduce the likelihood of a breach happening, and if it does occur, they reduce the harms caused by privacy breaches, whether emotional, reputational, financial, or physical. In 2024/25, when we helped settle a privacy complaint with a financial settlement, the average settlement amount was over $13,000. When the Human Rights Review Tribunal has considered privacy cases this year and determined there should be a financial settlement, the average settlement amount for emotional harm or injury to feelings was over $21,000.

2. Agencies can better achieve their own objectives through respecting the privacy rights of New Zealanders

Agencies use the personal information that people give to them to deliver goods or services, either for profit or as a public service.

Privacy breaches create high costs to agencies both in remedying what went wrong and, in some cases, reimbursing customers. It can also impact the ability of the business to deliver products or services, as important data may have been lost, and there could be a loss of existing customers or clients. In our 2025 survey of New Zealander’s attitudes to privacy, 67% of respondents said they would likely change service providers if they heard that their provider had poor privacy and security practices.

3. The right to privacy and the protection of personal information is valued in New Zealand.

The outcomes of the privacy system extend beyond the interactions of individuals and agencies.

Collectively, a society that values privacy and personal information is one where its people can have greater trust in government and institutions because they know that the information that is precious to them will be well treated. This trust helps drive better outcomes by encouraging engagement in democratic and consultation processes, helping to inform the design of effective services, and tackling complex problems. This trust is especially important for whānau, hapū, and iwi in achieving their aspirations for fair and just outcomes and data sovereignty. We contribute to this trust through our statutory independence that provides the public with a ‘watch dog’ who advocates on their behalf.

Read our content about how privacy benefits all New Zealand as a PDF (page 11 and 12 of the 2025 Annual Report) (PDF, 255 KB).

New Zealand needs Privacy Act modernisation

Read about the need for Privacy Act modernisation as a PDF (page 13 of the Annual Report) (PDF, 193 KB).

Read other parts of our Annual Report