The handling of personal information in New Zealand is governed by the Privacy Act, privacy codes and other legislation.
Privacy Act 2020
On 1 December 2020, the Privacy Act 2020 replaced the Privacy Act 1993. The reforms aim to encourage public and private sector agencies to identify risks and prevent incidents that could cause harm.
The major changes include:
- notifiable privacy breaches
- compliance notices
- enforceable access directions
- disclosing information overseas
- extraterritorial effect
- new criminal offences
- additional withholding grounds for access requests.
The purpose of the Privacy Act is to promote and protect individuals’ privacy by establishing principles on the collection, use, and disclosure of personal information, and access by individuals to the personal information held about them. Personal information can relate to information about customers, clients, employees, and others.
Enforcement of the Act is through the Privacy Commissioner who has the power to investigate any action which appears to interfere with the privacy of an individual, either on a complaint made to the Commissioner or on the Commissioner’s own initiative.
The Government Chief Privacy Officer provides guidance to help government agencies understand and meet their responsibilities under the Act.
- Privacy Act 2020
- Office of the Privacy Commissioner
- Government Chief Privacy Officer
- Office of the Privacy Commissioner — Key changes in the Privacy Act 2020
- Office of the Privacy Commissioner section-by-section comparison of the 2 Acts
- Office of the Privacy Commissioner — Reporting privacy breaches (NotifyUs)
- Office of the Privacy Commissioner — Privacy Act 2020 training module
Privacy principles and Privacy Act requests
Information Privacy Principles (IPPs)
At the core of the Privacy Act are 13 Information Privacy Principles that set out how agencies are to:
- collect personal information (IPPs 1 to 4)
- store personal information (IPP 5)
- provide access to (IPP 6) and correct (IPP 7) personal information
- use (IPPs 8 to 10) and disclose (IPP 11 and 12) personal information
- only keep personal information for as long as necessary (IPP 9)
- use unique identifiers (IPP 13).
IPP 6 provides individuals with the right to access the personal information that an agency holds about them, unless 1 of the Privacy Act exceptions applies.
Privacy Act requests
The Privacy Act provides that an agency must respond to a Privacy Act request within 20 working days after receiving the request, or transfer the request to another agency within 10 working days. On the Privacy Commissioner homepage there’s a response calculator to calculate the date a request is due.
All Privacy Act requests, regardless of how they’re made, trigger the same obligations under the Privacy Act.
The Privacy Act gives the Privacy Commissioner the power to issue codes of practice that become part of the law.
These codes may modify the operation of the Privacy Act for specific industries, agencies, activities or types of personal information.
Codes often modify 1 or more of the IPPs to take account of special circumstances which affect a class of agencies (for example, credit reporters) or a class of information (for example, health information).
The Privacy Commissioner has issued the following 6 codes of practice:
- Civil Defence National Emergencies (Information Sharing) Code 2020
- Credit Reporting Privacy Code 2020
- Health Information Privacy Code 2020
- Justice Sector Unique Identifier Code 2020
- Superannuation Schemes Unique Identifier Code 2020
- Telecommunications Information Privacy Code 2020
Agencies are often subject to additional legislation governing how they can handle personal information. For example, many agencies are required to retain personal information in accordance with the Public Records Act 2005.
Some legislation provides agencies with a legal basis to collect certain personal information (for example, IRD and Police) while other legislation restricts how agencies may use or disclose personal information.
Legislation specific to an agency, for example, the Tax Administration Act 1994 and the Customs and Excise Act 2018, may also mandate how an agency can collect, use and/or disclose personal information.