This makes sure your personal information is kept safe and secure.
Intent of the Act
The Privacy Act 2020 makes sure:
- you know what is happening with your personal information
- you know who has your information
- you can make sure your information is right
- your information is kept safe and secure.
It controls how organisations can collect, use, share, store and give access to your information.
There are also Privacy Codes of Practice that apply to specific areas, like health, telecommunications, and credit reporting.
Codes of practice(external link) — Office of the Privacy Commissioner
Your rights under the Privacy Act
Organisations which collect, use, and store personal information should:
- only collect the information they need for a lawful business purpose
- tell you how, when, and why they are collecting your information
- tell you what will happen if you don’t give your personal information
- keep your personal information safe
- only use your information if they are reasonably sure it’s accurate and up to date
- only use your information for the purpose for which they collected it, and dispose of it when they no longer need it
- let you see your information and correct any mistakes.
Generally speaking, organisations should not:
- ask for more information than they need
- let personal information be leaked, hacked, or found in any other way
- keep information longer than they need it — or are legally required to keep it
- pass your details on to another business or organisation
- collect information by illegal, unfair, or unreasonably intrusive means
- collect information about you from someone else
- release information overseas, unless it is safeguarded in a similar way to the Privacy Act protections
An organisation is not necessarily required to get your authorisation when collecting, using, or disclosing your personal information. However, it must take steps that are reasonable in the circumstances to ensure that you are aware of your rights under the Privacy Act.
A quick tour of the privacy principles(external link) — Office of the Privacy Commissioner
When the Privacy Act applies
The Act applies to all organisations (referred to as ‘agencies’ in the Privacy Act) in relation to any action they take regarding the collection, holding or use of personal information.
An organisation is any person or business that collects, uses, and stores personal information, including government departments, companies of all sizes, religious groups, schools, and clubs. This includes those organisations that operate overseas and in New Zealand under the Act
Personal information is information about an identifiable, living person. Anything that identifies you or is about someone who is identifiable could be personal information — e.g. a photo, an email, or a recorded conversation.
When the Privacy Act doesn't apply
The Act also doesn't apply:
- if another law allows or requires an action and that law states that this action is not a breach of an Information Privacy Principal (IPP).
- to organisations which collect or hold personal information solely for their own personal, family or household affairs (unless collecting, disclosing, or using that information would be highly offensive to an ordinary reasonable person)
- to information that is not personal information (e.g. information about companies or incorporated societies).
A few organisations and people aren't organisations, including:
- Members of Parliament when they are acting as MPs. It's up to Parliament or political parties to discipline MPs for breaches of privacy
- Courts and tribunals, in relation to their judicial functions. You have to challenge judicial decisions through the normal processes, such as an appeal.
- The news media when they're conducting their news activities. The Press Council, the Broadcasting Standards Authority and the courts govern the news media
In special circumstances, the Privacy Commissioner can authorise organisations to collect, use or disclose information that would otherwise be prohibited.
If things go wrong
If you think an organisation has interfered with your privacy, you can:
Contact their privacy officer
In the first instance, you should always try to resolve your privacy issue with the organisation concerned. Contact the organisation’s privacy officer and follow the complaints process (if it has one).
Contact the Privacy Commissioner
If you’re unhappy with how the organisation has dealt with your privacy concerns, you can make a complaint to the Privacy Commissioner.
Making a complaint(external link) — Office of the Privacy Commissioner
The Office of the Privacy Commissioner handles complaints regarding an organisation that has interfered with privacy.
An interference with privacy to an individual occurs when an organisation breaches one of the Information Privacy Principles(IPP) 1-5 and 8-13 under the Privacy Act and causes harm to that individual.
Examples of harm can include:
- financial loss
- breach of your rights
- damage to an interest you have
- significant humiliation, loss of dignity or injury to your feelings.
Information Privacy Principals 6 and 7 are about your rights to access or correct your personal information.
Once you have complained, the Privacy Commissioner may choose to investigate your matter. The Commissioner’s focus will be on facilitating a resolution between the parties wherever possible.
If your complaint is about access to your personal information and the Privacy Commissioner upholds your complaint, but the organisation concerned fails to meet its obligations, the Privacy Commissioner may issue an access direction to require the organisation to grant you access to your personal information.
The Privacy Commissioner can’t award you compensation for any privacy breaches but does have the power to fine organisations up to $10,000 for serious breaches of the Privacy Act. For more information on this, please see the Office of the Privacy Commission’s website here:
Privacy Commissioner(external link)
Apply to the Human Rights Review Tribunal
After going to the Office of the Privacy Commissioner the next step could include going to the Human Rights Review Tribunal (HRRT).
The HRRT is an independent judicial body that hears claims relating to breaches of human rights, including interferences with privacy under the Privacy Act.
Following the conclusion of the Privacy Commissioner’s investigation, you have six months to file a claim in the HRRT.
Make a claim(external link) — Human Rights Review Tribunal
The HRRT can award various remedies after hearing a case, including:
- a declaration that the organisation breached the law
- an order preventing repetition of the breach
- an order to do something to rectify the breach
- an award of costs against the losing party.
The HRRT has the power to make a binding decision on the parties, including awarding compensation.
You can't go to the Disputes Tribunal or to court to complain about a breach of your privacy.
Get support at any point from:
- Citizens Advice Bureau (CAB) — this is a free, independent service, run by volunteers. CAB can advise you on your consumer rights and obligations, in person, by phone, or online.
- Community Law Centre — this service offers free one-on-one legal advice to people with limited finances. The organisation has 24 community law centres throughout the country. You can find legal information and other resources on its website.
Find a CAB(external link) — Citizens Advice Bureau
Our law centres(external link) — Community Law Centres