We recognise that your privacy is very important and we are committed to protecting your personal information provided by you to us. We are bound by the Privacy Act 1993 and in particular the twelve Information Privacy Principles (IPPs) which are set out in that Act.
Purpose of collection of personal information
Personal information must not be collected unless:
the collection is for a lawful purpose connected with a function or activity of the agency collecting the information; and
it is necessary to collect the information for that purpose.
Source of personal information
Personal information must be collected directly from the individual concerned. The exceptions to this are when the agency collecting the information believes on reasonable grounds that:
the information is publicly available; or
the individual concerned authorises collection of the information from someone else; or
the interests of the individual concerned are not prejudiced; or
it is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings; or
complying with this principle would prejudice the purposes of collection; or
complying with this principle would not be reasonably practical in the particular case; or
the information will not be used in a form that identifies the individual; or
the Privacy Commissioner has authorised collection under section 54.
Collection of information
When an agency collects personal information directly from the individual concerned, it must take reasonable steps to ensure the individual is aware of:
the fact that the information is being collected;
the intended recipients;
the names and addresses of who is collecting the information and who will hold it;
any specific law governing provision of the information and whether provision is voluntary or mandatory;
the consequences if all or any part of the requested information is not provided; and
the individual’s rights of access to and correction of personal information.
These steps must be taken before the information is collected or, if this is not practical, as soon as possible after the information is collected. An agency is not required to take these steps if they have already done so in relation to the same personal information, or information of the same kind, on a recent previous occasion. It is also not necessary to comply with this principle if the agency collecting the information believes on reasonable grounds that:
collection is already authorised by the individual concerned; or
it is not prejudicing the interests of the individual concerned; or
it is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings;
or complying with this principle will prejudice the purposes of collection; or
complying with this principle is not reasonably practical in the particular case; or
the information will not be used in a form in which the individual concerned is identified.
Manner of collection of personal information
Personal information must not be collected by:
unlawful means; or
means that are unfair or intrude unreasonably on the personal affairs of the individual concerned.
Storage and security of personal information
An agency holding personal information must ensure that:
there are reasonable safeguards against loss, misuse or disclosure; and
if it is necessary to give information to another person, such as someone working on contract, everything reasonable is done to prevent unauthorised use or unauthorised disclosure of the information.
Access to personal information
Where personal information is held in a way that it can readily be retrieved, the individual concerned is entitled to:
obtain confirmation of whether the information is held; and
have access to information about them.
An agency may refuse to disclose personal information for a range of reasons, including that it would:
pose risks to New Zealand’s security or defence;
breach confidences with another government;
prevent detection of criminal offences or the right to a fair trial;
endanger the safety of an individual;
disclose a trade secret or unreasonably prejudice someone’s commercial position;
involve an unwarranted breach of another individual’s privacy;
breach confidence where the information has been gained solely for reasons to do with the individual’s employment, or to decide whether to insure the individual;
be contrary to the interests of an individual under the age of 16;
breach legal professional privilege;
reveal the confidential source of information provided to a Radio New Zealand or Television New Zealand journalist; or
constitute contempt of court or the House of Representatives.
Requests can also be refused, for example, if the agency does not hold the information or if the request is frivolous or vexatious.
Correction of personal information
Everyone is entitled to:
request correction of their personal information;
request that if it is not corrected, a statement is attached to the original information saying what correction was sought but not made.
If agencies have already passed on personal information that they then correct, they should inform the recipients about the correction.
Accuracy of personal information to be checked before use
An agency must not use or disclose personal information without taking reasonable steps to check it is accurate, complete, relevant, up to date, and not misleading.
Personal information not to be kept for longer than necessary
An agency holding personal information must not keep it for longer than needed for the purpose for which the agency collected it.
Limits on use of personal information
Personal information obtained in connection with one purpose must not be used for another. The exceptions include situations when the agency holding personal information believes on reasonable grounds that:
the use is one of the purposes for which the information was collected; or
the use is directly related to the purpose the information was obtained for; or
the agency got the information from a publicly available publication; or
the individual concerned has authorised the use; or
the use is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings; or
the use is necessary to prevent or lessen a serious and imminent threat to public health or safety, or the life or health of any individual; or
the individual concerned is not identified; or
the use is authorised by the Privacy Commissioner under section 54.
Unique identifiers – such as IRD numbers, bank customer numbers, driver’s licence and passport numbers – must not be assigned to individuals unless this is necessary for the organisation concerned to carry out its functions efficiently. The identifiers must be truly unique to each individual (except in some tax related circumstances), and the identity of individuals must be clearly established. No one is required to disclose their unique identifier unless it is for, or related to, one of the purposes for which the identifier was assigned.
The Government is not allowed to give people one personal number to use in all their dealings with government agencies.
Exceptions to the principlesMany of the principles have built-in exceptions.
It’s important to read the principles together with their exceptions to see how they relate to particular circumstances. The exceptions to principle 6 are set out in sections 27-29 of the Act. It’s up to the person wanting to claim that an exception applies to prove that the exception applies.
Section 7 of the Privacy Act states, in effect, that if another statute is contrary to the privacy principles, that other statute will “trump” the Privacy Act.
The privacy principles do not cover an individual who collects or holds personal information solely or principally for personal, family or household reasons.
This fact sheet is designed to provide general information about the Privacy Act 1993. It is not a detailed legal analysis. If you need more specific information, please see the Privacy Act in full, contact the Office of the Privacy Commissioner on 0800 803 909, email email@example.com or seek legal advice.