Intent of the Act
The Privacy Act makes sure:
- you know what is happening with your personal information
- you know who has your information
- you can make sure your information is right
- your information is kept safe and secure.
It controls how agencies can collect, use, share, store and give access to your information.
There are also Privacy Codes of Practice that apply to specific areas, like health, telecommunications and credit reporting.
Introduction to Privacy Act & Codes — Office of the Privacy Commissioner
Your rights under the Privacy Act
Agencies who collect, use and store personal information should:
- only collect the information they need for business purposes
- tell you how, when and why they are collecting your information
- tell you what will happen if you don’t give your personal information
- keep your personal information safe
- only use your information if they are reasonably sure it’s accurate and up-to-date
- only use your information for the purpose for which they collected it, and dispose of it when they no longer need it
- let you see your information and correct any mistakes.
Agencies should not:
- ask for more information than they need
- let personal information be leaked, hacked or found in any other way
- keep information longer than they need it — or are legally required to keep it
- use your information in ways or for reasons they haven't told you about
- pass your details on to another business or organisation without authority
- collect information by illegal, unfair or unreasonably intrusive means
- collect information about you from someone else without authority
- spam customers — sending unwanted emails, text messages or instant messages is illegal.
A quick tour of the privacy principles — Office of the Privacy Commissioner
When the Privacy Act applies
The Act applies to all agencies. An agency is any person or business that collects, uses and stores personal information, including government departments, companies of all sizes, religious groups, schools and clubs.
Personal information is information about identifiable, living people. Anything that identifies you or is about someone who is identifiable could be personal information — eg a photo, an email or a recorded conversation.
When the Privacy Act doesn't apply
A few organisations and people aren't agencies, including:
- Members of Parliament, when they are acting as MPs. It's up to Parliament or political parties to discipline MPs for breaches of privacy.
- Courts and tribunals, in relation to their judicial functions. You have to challenge judicial decisions through the normal processes, such as an appeal.
- The news media when they're conducting their news activities. The Press Council, the Broadcasting Standards Authority and the courts govern the news media.
The Act also doesn't apply:
- if another law is inconsistent with the Privacy Act — that other law will 'trump' the Privacy Act
- to individuals who collect or hold personal information for their own personal, family or household affairs — unless collecting, disclosing or using that information would be highly offensive to an ordinary reasonable person
- to information about legal persons, eg companies, incorporated societies.
In special circumstances, the Privacy Commissioner can authorise agencies to collect, use or disclose information that would otherwise be prohibited.
If things go wrong
If you think a business or agency has interfered with your privacy:
Contact their privacy officer
Follow that organisation’s complaints process.
How to complain
Contact the Privacy Commissioner
If you’re unhappy with the result of a direct complaint, you can make a complaint to the Privacy Commissioner.
Making a complaint — Office of the Privacy Commissioner
The Privacy Commissioner handles complaints that an agency has interfered with privacy by breaching one of the privacy principles. The breach must have caused you some kind of harm, eg:
- financial loss
- breach of your rights
- damage to an interest you have
- significant humiliation, loss of dignity or injury to your feelings.
You don’t have to have suffered any harm if your complaint is about access to or correction of personal information.
Industries may have their own codes of practice, eg:
If the Commissioner finds there is a basis for the complaint, they will try to resolve the dispute initially using mediation or conciliation. If this is not successful, the Commissioner will do a formal investigation, which may result in a settlement. If no settlement is reached, the Commissioner will release a final opinion, but this is not binding on either party.
The Privacy Commissioner can’t award you compensation or fine the agency for any breaches.
Apply to the Human Rights Review Tribunal
If you’re unhappy with the Privacy Commissioner’s opinion or refusal to investigate your complaint, you can apply for a hearing with the Human Rights Review Tribunal (HRRT).
Make a claim — Human Rights Review Tribunal
The Tribunal can award various remedies after hearing a case, including:
- a declaration that the agency breached the law
- an order preventing repetition of the breach
- an order to do something to rectify the breach
- an award of costs against the losing party.
The HRRT has the power to make a binding decision on the parties, including awarding compensation.
You can’t go to the Disputes Tribunal or to court to complain about a breach of your privacy.
Get support at any point from:
- Citizens Advice Bureau (CAB) — this is a free, independent service, run by volunteers. CAB can advise you on your consumer rights and obligations, in person, by phone, or online.
- Community Law Centre — this service offers free one-on-one legal advice to people with limited finances. The organisation has 24 community law centres throughout the country. You can find legal information and other resources on its website.
Find a CAB — Citizens Advice Bureau
Our law centres — Community Law Centres