New Zealand · OIA & Privacy

Official information and privacy for New Zealand, in one platform

AccessPoint manages Official Information Act 1982 requests and Privacy Act 2020 obligations — the 20-working-day clock, IPP 6 access and IPP 7 correction, and the notifiable privacy breach scheme — pre-configured for New Zealand and running inside your own Microsoft 365 tenant.

New Zealand at a glance

Response deadline
As soon as reasonably practicable, and no later than 20 working days (OIA and IPP 6)
Extensions
A reasonable extension for large or consultation-heavy requests (OIA s 15A)
Fees
No fixed application fee; agencies may make a reasonable charge for supplying official information
Privacy data-subject rights
IPP 6 access and IPP 7 correction, on the same 20-working-day clock
Breach notification
Notify the Privacy Commissioner and affected individuals of a breach likely to cause serious harm
Oversight
The Ombudsman (official information) and the Privacy Commissioner (privacy)

Built for New Zealand

One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.

OIA request lifecycle

Intake to decision on the 20-working-day clock — with section 15A extensions, transfers, the Act's withholding grounds, charge estimates, and Ombudsman-ready records, all built on Microsoft 365.

Central and local government

Run central-government requests under the OIA and local-government requests under the parallel LGOIMA — the same 20-working-day rule and the same Ombudsman oversight — on one platform.

Privacy Act requests and PIAs

Handle IPP 6 access and IPP 7 correction requests on the same 20-working-day clock, and run Privacy Impact Assessments, on a guided questionnaire engine with screeners, an embedded risk register, and a regulator-ready export.

Notifiable privacy breaches

Log a privacy breach, assess it against the serious-harm test, and get a live checklist of what the Privacy Act requires — notice to the Privacy Commissioner and to affected individuals as soon as practicable.

Ombudsman and Commissioner reviews

Track Ombudsman complaints about OIA decisions and Privacy Commissioner complaints and access directions — each with its own clock, an investigation workspace, and a guided path to disposition.

In your own tenant

Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no cross-border transfers, no per-user fees.

Two regimes, two regulators

Official information answers to the Ombudsman. Privacy answers to the Commissioner. AccessPoint runs both.

New Zealand splits its information rights across two laws and two watchdogs. The Official Information Act sends access requests and their complaints to the Ombudsman, whose recommendations agencies have a statutory duty to observe. The Privacy Act 2020 gives people access and correction rights over their own information, a notifiable-breach duty, and a Privacy Commissioner who can issue compliance notices and binding access directions. Most offices run one side well. AccessPoint operates both — OIA requests, IPP 6 and IPP 7 requests, and breach notification — on one platform, in your own tenant, so a single team meets both regimes from a single system.

OIA requests The 20-working-day clock, with Ombudsman review.
Privacy requests IPP 6 access and IPP 7 correction on the same clock.
Breach notification Serious-harm assessment and Commissioner notice, computed for you.

Configured out of the box

Installing the nz-oia-privacy configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.

Related guide: FOI Workflow Quick Check
  • The OIA (and LGOIMA) and the Privacy Act 2020 as the legal-authority spine
  • New Zealand public-holiday calendar and 20-working-day due-date rules
  • The OIA withholding grounds, colour-coded for redaction
  • Section 15A extension reasons and section 14 transfer rules
  • Charging categories aligned to the Ombudsman's charging guidance
  • Ombudsman complaint grounds and Privacy Commissioner complaint and access-direction dispositions
  • Privacy Act notifiable-breach rules on the serious-harm test
  • Correspondence templates with OIA and Privacy Act wording

New Zealand Questions

Does AccessPoint cover both the OIA and the Privacy Act 2020?

Yes. The New Zealand configuration ships both regimes in one pack — Official Information Act requests and Privacy Act 2020 obligations — with the shared 20-working-day clock, OIA withholding grounds and extensions, IPP 6 access and IPP 7 correction, the notifiable-breach scheme, and both the Ombudsman and the Privacy Commissioner reflected in the workflows.

Does it handle local government under LGOIMA?

Yes. Local authorities are covered by the Local Government Official Information and Meetings Act 1987, which mirrors the OIA — the same 20-working-day rule and the same Ombudsman oversight. AccessPoint runs central-government OIA requests and local-government LGOIMA requests on the same platform.

How does it handle a notifiable privacy breach?

Log a privacy breach and AccessPoint assesses it against the serious-harm test and produces a live checklist of what the Privacy Act 2020 requires — notice to the Privacy Commissioner and to affected individuals as soon as practicable — with a full audit trail.

Where does New Zealand data reside?

Entirely within your own Microsoft 365 and Azure tenant. Requests, documents, assessments, and audit history never leave your control — no third-party cloud and no cross-border data transfers.

Run the OIA and the Privacy Act in One Platform

Try AccessPoint free for 30 days, pre-configured for New Zealand. No credit card required.

Start Free Trial