Privacy

The following information deals with the Privacy Act 1993 and the obligations it imposes on organisations.

The Privacy Act 1993

The Privacy Act governs the responsibilities of a person or organisation that collects, stores, discloses or uses personal information about identifiable individuals.

The Privacy Act applies only to “personal information” about an identifiable individual. It does not apply to information about organisations, companies or other bodies.

Special rules apply when the information collected, stored, disclosed or used by an organisation relates to the health or disabilities of identifiable individuals.


The 12 privacy principles

The Act is based on 12 privacy principles. These set out broad rules (together with limited exceptions) relating to the collection, storage, security, accuracy, use and disclosure of personal information, as well as an individual’s rights to access and correct personal information.

Principle 1 entitles an organisation to collect personal information for a lawful purpose connected with the organisation’s activities, provided the information is necessary for that purpose.

Principle 2 requires an organisation to collect personal information directly from the individual concerned.

Principle 3 requires that, when an organisation collects personal information directly from an individual, the individual must be given certain details.

Principle 4 prevents an organisation from collecting personal information by unlawful or unfair means or by means that would intrude unreasonably on the privacy of the individual concerned.

Principle 5 requires an organisation to ensure that personal information that the organisation holds is kept secure against loss or unauthorised use, modification or disclosure.

Principle 6 requires an organisation to make available to an individual any personal information that the organisation holds about that individual, if the individual asks for this information.

Principle 7 entitles an individual to have any personal information held by an organisation corrected.

Principle 8 requires an organisation to ensure that any personal information that the organisation proposes to use is accurate, up-to-date, complete, relevant and not misleading.

Principle 9 prohibits an organisation from keeping any personal information for longer than is required for the purposes for which the information may be lawfully used.

Principle 10 requires an organisation to use personal information only for the purpose for which it was obtained. (There are some exceptions.)

Principle 11 prevents an organisation disclosing personal information about an individual to any other person. (There are some exceptions, including where the information will be disclosed for statistical or research reasons without identifying the individual.)

Principle 12 places limitations on the use of identification numbers for individuals and restricts an organisation’s right to require an individual to disclose any identification number that may have been given to him or her by another agency.

Breaches of the privacy principles

The 12 privacy principles cannot be directly enforced in Court. However, if a person believes that there has been an interference with his or her privacy, the person may complain to the Privacy Commissioner.

If the Privacy Commissioner is unable to settle the complaint, the Commissioner may refer the complaint to the Director of Human Rights Proceedings, who will decide whether to take the matter to the Human Rights Review Tribunal. The Review Tribunal may make a number of orders, including ordering compensation.

Exceptions allowing disclosure of information

The Privacy Act states a number of grounds that allow personal information to be disclosed. Examples of permitted disclosure include where:

  • the information was already publicly available, or the disclosure is to the individual concerned, or the disclosure was authorised by that individual
  • disclosure is necessary to avoid prejudice to the maintenance of the law, for the conduct of Court proceedings, or to prevent a serious or imminent threat to public health and safety or to the life and health of an individual.

The Privacy Commissioner may also authorise disclosure even if the disclosure would be contrary to the privacy principles in the Privacy Act. In these cases the Commissioner must be satisfied that the public interest outweighs the privacy of the individual.


Your organisation and the Privacy Act

Types of information that your organisation might hold

An organisation is likely to hold and collect personal information about its members, former members and employees. It may also hold information about individuals who make donations, financial or otherwise, to the organisation.

If an organisation employs staff, it will be dealing with applications for employment (such as CVs), storing personal information about current employees, and possibly providing references to other prospective employers about a person.

An organisation may also hold and collect personal information about other people, such as volunteers and clients of the organisation.

Privacy officers

Each organisation must appoint a member or employee to be the organisation’s privacy officer. Their job is to:

  • encourage compliance with the Privacy Act
  • deal with requests made to the organisation relating to personal information
  • help the Privacy Commissioner investigate any complaint.

Dealing with requests for personal information

An organisation must not charge any person for requesting access to their personal information or for requesting a correction to personal information held by the organisation.

However, if personal information is provided to the person, or the correction the person has requested is made, an organisation can require them to pay a reasonable charge.


Health Information Privacy Code

This code applies to any person or organisation that provides health or disability services. “Health services” are goods, services and facilities provided to people for health or related purposes. “Disability services” include goods, services and facilities provided to people with disabilities for, or incidental to, their care or support or to promote their independence.

Information covered by the code must be about an identifiable individual, and includes:

  • information about health or medical histories
  • information about disabilities
  • information about health services or disability services that are being provided or that have been provided
  • information provided by the individual in connection with him or her donating any body part or bodily substance, or with the testing of a body part or bodily substance
  • information that is collected incidental to providing any health service or disability service.

If an organisation provides health or disability services, it must appoint a person to deal with complaints of breaches of the code. Complaining to that person is a preliminary procedure before complaining to the Privacy Commissioner.

If the Health Information Privacy Code applies to an organisation, in most cases that organisation may not charge an individual for access to health information or the correction of health information about that individual.


Resources

Websites

  • www.privacy.org.nz
    The website of the Office of the Privacy Commissioner has more information and resources.

Publications

  • Health Information Privacy Code 1994 – Fact Sheet No. 10. Available from the Office of the Privacy Commissioner or from www.privacy.org.nz
