Search MENU
Back to all Rights Back

Your Rights

Privacy

Privacy

The Privacy Act 1993 governs how private and public bodies (agencies) collect, use and give access to any personal information they might have about you. Generally, agencies have to get your permission to collect any information about you. They also have to store your personal information securely so that other people can’t access it unless you have given them permission.

This section gives you some information about your privacy rights.

Who is protected by the Privacy Act?

The Privacy Act guides how any person’s personal information can be collected, used and accessed.
Almost every person or organisation that holds personal information is an ‘agency’ and must follow the law of the Privacy Act. The Privacy Act covers government departments, companies of all sizes, religious groups, schools and clubs.

When can an agency collect personal information from me?

An agency can only ask you for personal information if it’s relevant to what the agency do and they need the information to perform their functions. For example, a sports club might need to know your age so they can put you into the right team, but they shouldn’t ask you how much you earn, because that’s not relevant to the club’s activities. If an agency wants information about you, they have to ask you for it, not someone else (unless you’re a minor, in which case they can ask your parents/guardians).

Exceptions apply when:

  • The information is already publicly available (like your phone number in the phone book);
  • You agree for the agency to get information about you from someone else;
  • The agency is preventing, investigating or detecting an offence;
  • A government agency has an “information matching programme” in place which allows it to share information about you with another government agency.

What does an agency have to tell me when it is getting information from me?

When collecting personal information, an agency has to take reasonable steps to tell you:

  • that it’s collecting the information;
  • why it wants the information;
  • who that information is going to;
  • the name and address of who is collecting and holding the information;
  • what will happen if you do not give some or all of the information;
  • that you have a right to see that information and collect it (and if needed, ask for it to be corrected if it’s wrong).

The agency has to tell you these things before it gets the information, or as soon as possible afterwards. If the agency has received similar information from you recently and already told you these things, it doesn’t have to tell you again.

When can an agency not collect information about me?

An agency can’t get information from you in any way which might be illegal or unfair, such as telling you that you have to give the information when you don’t. It also can’t acquire information in a way which might be too intrusive. For instance, if you were being interviewed at school, the person interviewing you would need to make sure that people who do not need to be at the interview (like other students or teachers) aren’t present also.

Do agencies have to store my personal information safely?

An agency has to take reasonable security safeguards against a number of risks including unauthorised disclosure. Agencies that hold information about you must make reasonable measure to ensure that your personal information is kept safe from being hacked or stolen, or from being seen or used by anyone who is not allowed to see or use it.

Can I have access to my personal information?

Yes. You have the right to know when an agency has information about you and a right to see it. You can request this verbally or in writing. It’s a good idea to make the request in writing, stating that you are making a request under the Privacy Act 1993 and specifying to the agency which information you want to see.  You should also give the agency your contact details in case someone wants to talk with you about the request. Keep a copy of the letter on hand so that you can remember what you asked for and the date that you asked for it.

How long will it take to access my personal information?

The agency usually has to tell you whether they’re going to give you all the information you’ve asked for, or only some of it (if there is a good reason), within 20 working days of the request being made. If you’ve asked for a lot of information or if the agency needs to obtain consultation but couldn’t reasonably do so within 20 working days, it can extend the 20-day time limit provided that the extension is reasonable. They have to tell you about the extension and how much longer it’ll take. If they won’t give you the information or don’t give it to you within 20 working days, you can complain to the Privacy Commissioner.

How will I receive my personal information?

The agency can give you a copy of the document, ask you to go to a location and let you look at the document, provide you with a summary of what is in the document, or tell you what’s in the document. They should make the information available in the way you prefer. If they can’t, they must explain why.

When can an agency refuse to give me access to my personal information?

Under the Privacy Act, an agency can legally refuse to give you access where:

  • Giving the information is likely to be bad for national security or law enforcement;
  • Giving the information is likely to endanger someone else;
  • That information would be bad for your health;
  • Giving you information would mean unreasonably giving you information about someone else;
  • You are under 16 and the information would be contrary to your interest;
  • The information is protected by law.

If you don’t agree with the agency’s reason for not giving you the information, you can complain to the Privacy Commissioner.
The agency can also give you some of the information while crossing out the parts where they’ve legally refused access.

Do I have to pay to see or get copies of my information?

Public agencies like government departments and local authorities don’t usually charge for the cost of giving you copies of information. Private sector agencies can charge you a reasonable amount. If you think the amount charged is too much, you can complain to the Privacy Commissioner, but you should contact the agency first to discuss the costs.

Can I correct my personal information?

Yes. You can ask an agency to correct the information if it is incorrect. If the agency won’t correct it, you can ask them to attach your version of the facts to the information so that anyone looking at it will be able to see your version too. If an agency wants to use information about you, they have to make sure it’s accurate, up-to-date, complete, relevant and not misleading.

If the agency does not correct the information, you may contact the Privacy Commissioner.

Can I get someone else to request for my information for me?

If you want another person to access your information on your behalf (such as a parent or your lawyer), this is allowed provided that you give the other person some documentation showing that you agree to them accessing your information.

How long can an agency keep my personal information?

An agency can only keep information about you for as long as it needs to. So, for example, if you stop being a member of a club, the club can’t keep information about you just in case it might become handy in the future.

Can an agency give my information to someone else?

As a general rule, an agency can’t give information about you to another agency or person without your permission.

They’ll be allowed to if it’s necessary to prevent serious harm to you or someone else, or where the information will be used for a directly related purpose from which the information was originally obtained, or where that information is already publicly available.

An agency will also be allowed to disclose information where it is authorised to do so by law. For instance, under s16 of the Children, Young Persons and Their Families Act 1989, everyone who makes an allegation concerning child abuse, in good faith, to the police will be protected against a Privacy Act breach complaint.

What do I do if my privacy has been breached?

In cases where you feel that your rights under the Privacy Act may have been breached, you should first contact the person or organisation and try to sort the problem out with them.   This could be through the organisation’s privacy officer, or failing that, someone in a senior position, such as a manager.

If you’re not satisfied with the response given by the agency, you can refer the matter to the Privacy Commissioner.  The powers of the Privacy Commissioner are limited – he or she can’t fine or prosecute anyone, nor can they order an organisation to pay compensation.  The main role of the Commissioner is to settle any dispute between the two parties and to make sure the agency complies with the Act in the future.

I’m not satisfied with the Privacy Commissioner outcome, what can I do?

If the Commissioner takes the view that there has been a breach of privacy, in very rare cases he or she may refer the matter to the Director of Human Rights Proceedings who may determine that the matter should be considered by the Human Rights Tribunal.  If the Tribunal finds that there has been a breach of the Privacy Act, you may be entitled to compensation or a formal declaration that your rights have been breached.

back to top