NZ Privacy Act 2020

13 Principles

Who does the Privacy Act apply to?

Who does the Privacy Act apply to?

The Privacy Act applies to ‘personal information’ – information which is about an identifiable individual.

Individual is defined as meaning any living natural person (so doesn’t include ‘legal persons’ like companies).

Information is defined broadly and includes physical documents (like written records or photos), electronic documents (emails, audio and video recordings, etc.), and can include information held in the mind of the agency’s employees as long as that information is readily retrievable.

Almost everyone who holds personal information is an 'agency' under the Privacy Act. An agency can be a public sector body like:

  • a government department; or
  • a Minister of the Crown.

Or it can be a private sector body like:

  • a company;
  • a law firm;
  • a business including self employed;
  • a club; or
  • a charity or other non-profit body.

However, the Privacy Act does not apply to:

  • courts and tribunals (in relation to their judicial functions);
  • news media (in relation to their news gathering and news reporting functions);
  • members of Parliament (when acting in an official capacity), excluding Ministers of the Crown.

The full list of exceptions can be found here in the Act. Otherwise, any agency operating in New Zealand is required to comply with the Privacy Act, regardless of where it is based. This means the Act applies to local (New Zealand) offices of overseas organisations. These will have all the same legal obligations as New Zealand organisations.

 

Definition of Agency in NZ Data Privacy Act 2020
  1. Meaning of New Zealand agency
    In this Act, New Zealand agency—
    (a) means—
    (i) an individual who is ordinarily resident in New Zealand (any person in New Zealand); or
    (ii) a public sector agency; or
    (iii) a New Zealand private sector agency (a business); or
    (iv) a court or tribunal, except in relation to its judicial functions; but
    (b) does not include—
    (i) the Sovereign; or
    (ii) the Governor-General or the Administrator of the Government; or
    (iii) the House of Representatives; or
    (iv) a member of Parliament in their official capacity; or
    (v) the Parliamentary Service Commission; or
    (vi) the Parliamentary Service, except in relation to personal information about any employee or former employee of the Parliamentary Service in their capacity as an employee; or
    (vii) an Ombudsman; or
    (viii) an inquiry; or
    (ix) a board of inquiry or court of inquiry appointed under any Act to inquire into a specified matter; or
    (x) a news entity, to the extent that it is carrying on news activities.

Principle 1: Purpose of collection of personal information
  1. Personal information shall not be collected by any agency unless—
    (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and
    (b) the collection of the information is necessary for that purpose.
Principle 2: Source of personal information
  1. Where an agency collects personal information, the agency shall collect the information directly from the individual concerned.
  2. It is not necessary for an agency to comply with subclause (1) if the agency believes, on reasonable grounds,—
    (a) that the information is publicly available information; or
    (b) that the individual concerned authorises collection of the information from someone else; or
    (c) that non-compliance would not prejudice the interests of the individual concerned; or
    (d) that non-compliance is necessary—
    (i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or
    (ii) for the enforcement of a law imposing a pecuniary penalty; or
    (iii) for the protection of the public revenue; or
    (iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or(e) that compliance would prejudice the purposes of the collection; or
    (f) that compliance is not reasonably practicable in the circumstances of the particular case; or
    (g) that the information—
    (i) will not be used in a form in which the individual concerned is identified; or
    (ii) will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or(h) that the collection of the information is in accordance with an authority granted under section 54.
Principle 3: Collection of information from subject
  1. Where an agency collects personal information directly from the individual concerned, the agency shall take such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of—(a) the fact that the information is being collected; and
    (b) the purpose for which the information is being collected; and
    (c) the intended recipients of the information; and
    (d) the name and address of—
    (i) the agency that is collecting the information; and
    (ii) the agency that will hold the information; and
    (e) if the collection of the information is authorised or required by or under law,—
    (i) the particular law by or under which the collection of the information is so authorised or required; and
    (ii) whether or not the supply of the information by that individual is voluntary or mandatory; and
    (f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and
    (g) the rights of access to, and correction of, personal information provided by these principles.
  2. The steps referred to in subclause (1) shall be taken before the information is collected or, if that is not practicable, as soon as practicable after the information is collected.
  3. An agency is not required to take the steps referred to in subclause (1) in relation to the collection of information from an individual if that agency has taken those steps in relation to the collection, from that individual, of the same information or information of the same kind, on a recent previous occasion.
  4. It is not necessary for an agency to comply with subclause (1) if the agency believes, on reasonable grounds,—
    (a) that non-compliance is authorised by the individual concerned; or
    (b) that non-compliance would not prejudice the interests of the individual concerned; or
    (c) that non-compliance is necessary—
    (i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or
    (ii) for the enforcement of a law imposing a pecuniary penalty; or
    (iii) for the protection of the public revenue; or
    (iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
    (d) that compliance would prejudice the purposes of the collection; or
    (e) that compliance is not reasonably practicable in the circumstances of the particular case; or
    (f) that the information—
    (i) will not be used in a form in which the individual concerned is identified; or
    (ii) will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.
Principle 4: Manner of collection of personal information

Personal information shall not be collected by an agency—
(a) by unlawful means; or
(b) by means that, in the circumstances of the case,—
(i) are unfair; or
(ii) intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 5: Storage and security of personal information

An agency that holds personal information shall ensure—
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against—
(i) loss; and
(ii) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
(iii) other misuse; and
(b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.

Principle 6: Access to personal information
  1. Where an agency holds personal information in such a way that it can readily be retrieved, the individual concerned shall be entitled—
    (a) to obtain from the agency confirmation of whether or not the agency holds such personal information; and
    (b) to have access to that information.
  2. Where, in accordance with subclause (1)(b), an individual is given access to personal information, the individual shall be advised that, under principle 7, the individual may request the correction of that information.
  3. The application of this principle is subject to the provisions of Parts 4 and 5.
Principle 7: Correction of personal information
  1. Where an agency holds personal information, the individual concerned shall be entitled—
    (a) to request correction of the information; and
    (b) to request that there be attached to the information a statement of the correction sought but not made.
  2. An agency that holds personal information shall, if so requested by the individual concerned or on its own initiative, take such steps (if any) to correct that information as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which the information may lawfully be used, the information is accurate, up to date, complete, and not misleading.
  3. Where an agency that holds personal information is not willing to correct that information in accordance with a request by the individual concerned, the agency shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the information, in such a manner that it will always be read with the information, any statement provided by that individual of the correction sought.
  4. Where the agency has taken steps under subclause (2) or subclause (3), the agency shall, if reasonably practicable, inform each person or body or agency to whom the personal information has been disclosed of those steps.
  5. Where an agency receives a request made pursuant to subclause (1), the agency shall inform the individual concerned of the action taken as a result of the request.
Principle 8: Accuracy, etc, of personal information to be checked before use

An agency that holds personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.

Principle 9: Agency not to keep personal information for longer than necessary

An agency that holds personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.

Principle 10: Limits on use of personal information
  1. An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose unless the agency believes, on reasonable grounds,—
    (a) that the source of the information is a publicly available publication and that, in the circumstances of the case, it would not be unfair or unreasonable to use the information; or
    (b) that the use of the information for that other purpose is authorised by the individual concerned; or
    (c) that non-compliance is necessary—
    (i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or
    (ii) for the enforcement of a law imposing a pecuniary penalty; or
    (iii) for the protection of the public revenue; or
    (iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
    (d) that the use of the information for that other purpose is necessary to prevent or lessen a serious threat (as defined in section 2(1)) to—
    (i) public health or public safety; or
    (ii) the life or health of the individual concerned or another individual; or
    (e) that the purpose for which the information is used is directly related to the purpose in connection with which the information was obtained; or
    (f) that the information—
    (i) is used in a form in which the individual concerned is not identified; or
    (ii) is used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or
    (g) that the use of the information is in accordance with an authority granted under section 54.
  2. In addition to subclause (1), an intelligence and security agency that holds personal information that was obtained in connection with one purpose may use the information for any other purpose (a secondary purpose) if the agency believes on reasonable grounds that the use of the information for the secondary purpose is necessary to enable the agency to perform any of its functions.
Principle 11: Limits on disclosure of personal information
(1)

An agency that holds personal information must not disclose the information to any other agency or to any person unless the agency believes, on reasonable grounds,—

(a)

that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained; or

(b)

that the disclosure is to the individual concerned; or

(c)

that the disclosure is authorised by the individual concerned; or

(d)

that the source of the information is a publicly available publication and that, in the circumstances of the case, it would not be unfair or unreasonable to disclose the information; or

(e)

that the disclosure of the information is necessary—

(i)

to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences; or

(ii)

for the enforcement of a law that imposes a pecuniary penalty; or

(iii)

for the protection of public revenue; or

(iv)

for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or

(f)

that the disclosure of the information is necessary to prevent or lessen a serious threat to—

(i)

public health or public safety; or

(ii)

the life or health of the individual concerned or another individual; or

(g)

that the disclosure of the information is necessary to enable an intelligence and security agency to perform any of its functions; or

(h)

that the information—

(i)

is to be used in a form in which the individual concerned is not identified; or

(ii)

is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or

(i)

that the disclosure of the information is necessary to facilitate the sale or other disposition of a business as a going concern.

(2) This IPP is subject to IPP 12.
Principle 12: Disclosure of personal information outside New Zealand
  1. An agency (A) may disclose personal information to a foreign person or entity (B) in reliance on IPP 11(1)(a), (c), (e), (f), (h), or (i) only if—
    (a) the individual concerned authorises the disclosure to B after being expressly informed by A that B may not be required to protect the information in a way that, overall, provides comparable safeguards to those in this Act; or
    (b) B is carrying on business in New Zealand and, in relation to the information, A believes on reasonable grounds that B is subject to this Act; or
    (c) A believes on reasonable grounds that B is subject to privacy laws that, overall, provide comparable safeguards to those in this Act; or
    (d) A believes on reasonable grounds that B is a participant in a prescribed binding scheme; or
    (e) A believes on reasonable grounds that B is subject to privacy laws of a prescribed country; or
    (f) A otherwise believes on reasonable grounds that B is required to protect the information in a way that, overall, provides comparable safeguards to those in this Act (for example, pursuant to an agreement entered into between A and B).
  2. However, subclause (1) does not apply if the personal information is to be disclosed to B in reliance on IPP 11(1)(e) or (f) and it is not reasonably practicable in the circumstances for A to comply with the requirements of subclause (1).
  3. In this IPP,—
    prescribed binding scheme means a binding scheme specified in regulations made under section 213
    prescribed country means a country specified in regulations made under section 214.
Principle 13: Unique identifiers
  1. An agency (A) may assign a unique identifier to an individual for use in its operations only if that identifier is necessary to enable A to carry out 1 or more of its functions efficiently.
  2. A may not assign to an individual a unique identifier that, to A’s knowledge, is the same unique identifier as has been assigned to that individual by another agency (B), unless—
    (a) A and B are associated persons within the meaning of subpart YB of the Income Tax Act 2007; or
    (b) the unique identifier is to be used by A for statistical or research purposes and no other purpose.
  3. To avoid doubt, A does not assign a unique identifier to an individual under subclause (1) by simply recording a unique identifier assigned to the individual by B for the sole purpose of communicating with B about the individual.
  4. A must take any steps that are, in the circumstances, reasonable to ensure that—
    (a) a unique identifier is assigned only to an individual whose identity is clearly established; and
    (b) the risk of misuse of a unique identifier by any person is minimised (for example, by showing truncated account numbers on receipts or in correspondence).
  5. An agency may not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or is for a purpose that is directly related to one of those purposes.