AI tools and privacy – The OPC releases new guidance

28 Sep 23

The OPC has released detailed guidance outlining how AI relates to the Privacy Act’s 13 Information Privacy Principles

The Office of the Privacy Commissioner (OPC) released guidance to help businesses using artificial intelligence (AI) tools ensure they’re meeting their obligations under the Privacy Act 2020 (Privacy Act).

This guidance builds off the OPC’s initial set of expectations around AI use, published in May 2023.

See the recent guidance here. A one-page summary is also available here.

AI and the IPPs

The Privacy Act applies whenever you collect, use, or share personal information (including in connection with using digital or AI tools)[1]. The Privacy Act’s 13 Information Privacy Principles (IPPs) set out how businesses and organisations subject to the Act[2] must handle personal information. The IPPs will apply to the use and development of AI tools by New Zealand businesses and certain overseas businesses.[3]

The guidance sets out key questions for businesses to consider in relation to the use of AI tools, in the context of compliance with the IPPs, including:

  • Is the training data behind an AI tool relevant, reliable, and ethical?
  • What was the purpose for collecting personal information? Is your use related?
  • How are you keeping track of the information you collect and use with AI tools?
  • How are you testing that AI tools are accurate and fair for your intended purpose? Are you talking with people and communities with an interest in these issues?
  • What are you doing to track and manage new risks to information from AI tools?

The OPC emphasises that early engagement with privacy issues is critical when considering the use of any AI tool. Privacy Commissioner, Michael Webster stating “The best time to [ensure compliance with the Privacy Act] is as soon as possible, especially for AI tools and other emerging technologies. Take proactive steps early on, including doing a privacy impact assessment before you start, which is a great way to check you’re upholding your Privacy Act obligations”.

Key expectations

The guidance also confirms the OPC’s key expectations for businesses using and developing AI tools, these being to:

  • have senior leadership approve AI use only after fully considering risks and mitigations;
  • review the necessity and proportionality of using a generative AI tool, given the potential privacy impacts, and consider a different approach;
  • conduct a privacy impact assessment prior to using AI tools;
  • communicate to people how, when, and why the tool is being used, so as to be transparent;
  • consult with Māori regarding risks and impacts to the taonga of their information;
  • establish procedures in order to facilitate accuracy and access to the information by individuals;
  • reduce risks of inaccuracy and bias by making sure that there is human review before acting on AI outputs; and
  • prevent the AI tool from retaining or disclosing personal information.


[1] With specific exceptions for news activity, the court system, and MPs other than Ministers.

[2] Persons subject to the Privacy Act, being referred to as “agencies”.

[3] The Privacy Act and the IPPs will also apply to overseas businesses’ use of AI tools to extent the business uses the relevant tool in the course of carrying on business in New Zealand.


Want to know more?

The OPC plans to update the guidance over time and has invited public engagement on the guidance and AI and privacy generally.

If you have any questions about the OPC’s guidance or how it might impact you or your business, please contact our specialist Technology & Digital team.

PDF version here.

For more information contact:

Megan Pearce