These notes were prepared in June 2009. They are intended as general information not specific legal advice. If you want legal advice about a particular problem, you can contact me here.
What does the Privacy Act do?
It regulates the way agencies can collect, store and use information, and gives us rights of access to it. It also creates a complaints regime. Broadly speaking, agencies that come under the Act usually have to tell you when they’re collecting information about you, keep it secure, try to make sure it’s right, and only use or disclose it for the reasons it was collected.
Who does it apply to?
Almost everyone. All government agencies (Departments, Ministries, the Police, SOEs, other Crown entities, local government, you name it). Private sector agencies too – companies, charities, incorporated societies… even individuals.
Who doesn’t it apply to?
It doesn’t apply to the news media in their news gathering activities (although the rights of access do apply to TVNZ and Radio NZ). It doesn’t apply to judges and MPs acting in those capacities.
What are the rules?
They are broad and general, and are set out in a set of Information privacy principles. (Note that these can be superceded by a code, such as the Health Information Privacy Code)
Very generally, anyone collecting personal information should:
- make sure it’s relevant to what they do and that they’re lawfully allowed to collect it
- where possible, collect it from the person concerned rather than someone else
- explain that it’s being collected and why
- ensure that the collection is lawful, fair, and not unreasonably intrusive
- take reasonable steps to keep it secure
- before using the information, take reasonable steps to check that it’s relevant, up-to-date, complete, and not misleading
- discard it when it’s not needed any more
- only use or disclose it in keeping with the purpose for which it was collected (or a directly related purpose)
- allow the people concerned to access it if they want, and correct it if they can show it’s wrong
There are also rules on how “unique identifiers” – such as IRD numbers, bank client numbers and passport numbers – can be used).
Wow. Those seem pretty demanding.
Yes, but there are many exceptions. They’re set out in the Information privacy principles too. For example, you don’t have to explain that you’re collecting information if you’re getting it from a publicly available source, or it’s not reasonably practicable to do so, or it would prejudice the purposes of collection.
What’s personal information?
It’s information about a living human person. So it has to say something about someone who is identified in some way.
What’s not included?
Information about companies or dead people, and statistical information or photos etc that don’t identify anyone in particular.
Does this mean I’m collecting information if someone phones me up out of the blue and tells me something?
No. It doesn’t apply to unsolicited information.
Does it mean that I’m disclosing information if I’m gossiping over the back fence?
Probably not. It doesn’t cover information about someone’s “personal, household or family affairs”.
Can I complain if I think these rules have been broken?
Yes. But bear in mind that it’s not enough to show simply that the principles have been breached. You also need to demonstrate that you’ve suffered or may suffer some harm. (There’s one exception to this. If an agency has wrongly denied you access to information about you that you’re entitled to see, then you don’t need to show any further harm).
What counts as harm?
- Loss, detriment, damage, injury or
- Effect on right, benefit, privilege, obligation, interest or
- Significant humiliation, loss of dignity, injury to feelings
- (or denial of your rights of access to information about you)
Do I have to prove that the breach was negligent or intentional?
Can I get damages?
In some circumstances. The Privacy Commissioner can’t order the agency to pay you compensation, though she does encourage settlement of complaints, which might include a financial payment. Only the Human Rights Review Tribunal can order the agency to pay compensation, though, and awards are often not high.
What’s the complaints process?
First, you need to complain to the agency concerned. Each agency is supposed to have a “Privacy Officer”, so direct your complaint to that person. If you’re unsatisfied with the response, you can refer your complaint to the Office of the Privacy Commissioner. The Privacy Commissioner will decide whether to investigate. If the office agrees that you have a valid concern, it will try to settle the dispute. If it cannot reach agreement, it can refer the complaint to the Director of Human Rights Proceedings, who may take the complaint to the Human Rights Review Tribunal. (After that there are rights of appeal to the High Court and the Court of Appeal).
What if the Director of Human Rights Proceedings doesn’t want to take my case?
You can take it yourself. You can also do this if the Privacy Commissioner doesn’t think your case has merit.
What are those “rights of access” under the Privacy Act?
A person is entitled to ask for access to information about them held in readily retrievable form by an agency. Ideally, the request should mention the Privacy Act, but an agency should treat any serious and specific request as being made under the Act, particularly if it concerns a matter of importance to the requester.
Does that mean the agency has to grant access?
Not always. There are exceptions. Generally these allow an agency to hold back personal information if it would compromise national security, defence or international relations, cause unreasonable commercial prejudice, infringe someone else’s privacy, hurt the physical or mental health of the requester, breach legal professional privilege, or breach the confidentiality of certain evaluation processes, such as consultations on promotion applications. These are not the only grounds. The question of whether information can be withheld in a particular case can be quite curly: if in doubt, look at the exact words of the Privacy Act (sections 27-29), check out the information about the exceptions on the Privacy Commissioner’s website, or take legal advice.
Can agencies charge for such access?
Private sector agencies can impose a reasonable charge. Public sector agencies must provide access for free (unless the Privacy Commissioner gives them permission to charge).
How is access granted?
It’s usually up to the requester. People often want copies of documents, but the requester can ask to see the originals, or a transcript, or an excerpt or summary, or be given an oral briefing.
When must the information be released?
The agency should answer the request as soon as reasonably practicable and not later than 20 working days after receiving it (though it can extend this timeframe in some circumstances if the request is large or requires consultation, or it can transfer the request if it doesn’t hold the information or the request is more closely related to the functions of another agency).
What if I get access and think the information about me is wrong?
You can ask to have it corrected. It would be a good idea to explain why you think it’s wrong.
What if the agency disagrees?
Then it must, as a minimum, attach your version of the right information in such a way that anyone accessing the information sees your version too.
What other remedies might I have if someone interferes with my privacy?
If someone has publicised (or plans to publicise) private information about you, you could bring a lawsuit for invasion of privacy. If the interference with your privacy is by television or radio, you could complain to the Broadcasting Standards Authority. If it’s by a newspaper or magazine, you can complain to the Press Council. If it involves a pattern of behaviour that causes you distress, you might check out the remedies in the Harassment Act.
Other laws may also be relevant. These include the Clean Slate Act, the laws on illegal interceptions of communications and covert filming, and the laws of trespass.
How does the Privacy Act affect the media?
As discussed, the Privacy Act doesn’t affect the media in their news-gathering operations, except for TVNZ and Radio NZ because they are subject to the rules giving people the right to access information about them (though surprisingly few take advantage of it). And it can be a headache for the rest of the media, because sources are bound by it, and may say “Oh, I can’t tell you that because of the Privacy Act.” Journalists should politely ask them which part of the Privacy Act they are referring to. There are a large number of exceptions in the Act that usually permit disclosure of information when it’s important. Or it might have nothing to do with the Privacy Act at all.
If a public agency refuses to release information about one of the journalist’s sources, the journalist should ask the source to sign an authorisation for the agency to release information about them.