Date of assent 30 June 2020 Commencement see section 2
Contents Page 1 Title 9 2 Commencement 9 Part 1 Preliminary provisions Subpart 1—Preliminary matters 3 Purpose of this Act 10 4 Application of this Act 10 5 Transitional, savings, and related provisions 11 6 Act binds the Crown 11 Subpart 2—Interpretation and related matters 7 Interpretation 11 8 Meaning of New Zealand agency 17 9 Meaning of overseas agency 17 10 Personal information held by agency if held by officer, employee, 18 or member of agency Note The Parliamentary Counsel Office has made editorial and format changes to this version using the powers under subpart 2 of Part 3 of the Legislation Act 2019. Note 4 at the end of this version provides a list of the amendments included in it. This Act is administered by the Ministry of Justice. Privacy Act 2020 Version as at 6 December 2023 11 Personal information treated as being held by another agency in 18 certain circumstances 12 Actions of, and disclosure of information to, staff of agency, etc 19 Part 2 Privacy Commissioner Subpart 1—Appointment of Privacy Commissioner 13 Privacy Commissioner 19 14 Deputy Privacy Commissioner 19 15 Holding of other offices 20 16 Superannuation or retiring allowances 20 Subpart 2—Functions of Privacy Commissioner 17 Functions of Commissioner 21 18 Other functions of Commissioner 22 19 Responsible Minister must present copy of report on operation of 23 Act to House of Representatives 20 Duty to act independently 23 21 Commissioner to have regard to certain matters 23 Part 3 Information privacy principles and codes of practice Subpart 1—Information privacy principles 22 Information privacy principles 24 23 Application of IPPs in relation to information held overseas 32 24 Relationships between IPPs and other New Zealand law 32 25 IPPs 1 to 4 do not apply to personal information collected before 33 1 July 1993 26 Restricted application of IPP 13 to unique identifiers assigned 33 before 1 July 1993 27 Restricted application of IPPs to personal information collected or 33 held for personal or domestic affairs 28 IPPs 2, 3, and 4(b) do not apply to personal information collected 33 by intelligence and security agencies 29 IPPs 6 and 7 do not apply to certain information 34 30 Commissioner may authorise collection, use, storage, or disclosure 34 of personal information otherwise in breach of IPP 2 or IPPs 9 to 12 31 Enforceability of IPPs 36 Subpart 2—Codes of practice 32 Codes of practice in relation to IPPs 36 33 Issue of code of practice 37 34 Urgent issue of code of practice 38 35 Commencement of code 38 36 Application of Legislation Act 2019 to codes 38 Version as at 6 December 2023 Privacy Act 2020 37 Amendment and revocation of codes of practice 39 38 Effect of codes of practice 39 Part 4 Access to and correction of personal information Subpart 1—Access to personal information 39 Interpretation 40 40 Individuals may make IPP 6 request 40 41 Urgency 40 42 Assistance 40 43 Transfer of IPP 6 request 40 44 Responding to IPP 6 request 41 45 Decision to grant access to personal information 41 46 Decision to refuse access to personal information 42 47 Decision to neither confirm nor deny personal information is held 42 48 Extension of time limits 43 49 Protection, etc, of individual as reason for refusing access to 43 personal information 50 Evaluative material as reason for refusing access to personal 44 information 51 Security, defence, international relations as reason for refusing 45 access to personal information 52 Trade secret as reason for refusing access to personal information 46 53 Other reasons for refusing access to personal information 46 54 Agency may impose conditions instead of refusing access to 47 personal information 55 Withholding personal information contained in document 47 56 Ways personal information in document may be made available 48 57 Responsibilities of agency before giving access to personal 49 information Subpart 2—Correction of personal information 58 Interpretation 49 59 Individuals may make correction requests 49 60 Urgency 49 61 Assistance 50 62 Transfer of correction request 50 63 Decision on request to correct personal information 50 64 Decision on request to attach statement of correction 51 65 Extension of time limits 51 Subpart 3—Charges 66 Charges 52 67 Commissioner may authorise public sector agency to impose 53 charge Privacy Act 2020 Version as at 6 December 2023 Part 5 Complaints, investigations, and proceedings 68 Interpretation 53 69 Interference with privacy of individual 54 Subpart 1—Complaints 70 Complaints 55 71 Who may make complaint 55 72 Form of complaint 55 73 Procedure on receipt of complaint 55 74 Commissioner may decide not to investigate complaint 56 75 Referral of complaint to another person 57 76 Referral of complaint to overseas privacy enforcement authority 57 77 Exploring possibility of settlement and assurance without 58 investigating complaint 78 Referral of complaint to Director without conducting investigation 58 Subpart 2—Investigations by Commissioner 79 Application of this subpart 58 80 Commencing investigation 59 81 Conducting investigation 59 82 Commissioner may regulate own procedure 59 83 Exploring possibility of settlement and assurance during 60 investigation 84 Referral of complaint to Director without completing investigation 60 85 Compulsory conferences of parties to complaint 60 86 Power to summon persons 61 87 Power to require information and documents 61 88 Disclosure of information may be required despite obligation of 62 secrecy 89 Protection and privileges of persons required to provide 63 information, etc 90 Disclosed information privileged 64 91 Procedure after completion of investigation relating to access to 65 personal information 92 Access direction 66 93 Procedure after completion of investigation relating to charging 66 94 Procedure after completion of other investigations 67 95 Special procedure relating to intelligence and security agency 68 96 Commissioner to report breach of duty or misconduct 68 Subpart 3—Proceedings before Human Rights Review Tribunal Proceedings in relation to complaints or investigations 97 Director may commence proceedings in Tribunal 69 98 Aggrieved individuals may commence proceedings in Tribunal 69 Version as at 6 December 2023 Privacy Act 2020 99 Right of Director to appear in proceedings commenced under 71 section 98 100 Apology not admissible except for assessment of remedies 71 101 Onus of proof 72 102 Remedies in respect of interference with privacy 72 103 Damages 72 Access order 104 Enforcement of access direction 74 Appeal against access direction 105 Appeal to Tribunal against access direction 74 106 Time for lodging appeal 74 107 Interim order suspending Commissioner’s direction pending appeal 74 108 Determination of appeal 75 Miscellaneous 109 Proceedings involving access to personal information 75 110 Costs 76 111 Certain provisions of Human Rights Act 1993 to apply 76 Part 6 Notifiable privacy breaches and compliance notices Subpart 1—Notifiable privacy breaches 112 Interpretation 77 113 Assessment of likelihood of serious harm being caused by privacy 78 breach 114 Agency to notify Commissioner of notifiable privacy breach 78 115 Agency to notify affected individual or give public notice of 78 notifiable privacy breach 116 Exceptions to or delay in complying with requirement to notify 79 affected individuals or give public notice of notifiable privacy breach 117 Requirements for notification 80 118 Offence to fail to notify Commissioner 81 119 Section 211 does not apply to processes and proceedings relating 81 to failure to notify notifiable privacy breach 120 Liability for actions of officers, employees, agents, and members 82 of agencies 121 Knowledge of officers, employees, agents, and members of 82 agencies to be treated as knowledge of employers, principal agencies, and agencies 122 Publication of identity of agencies in certain circumstances 83 Subpart 2—Compliance notices 123 Compliance notices 83 Privacy Act 2020 Version as at 6 December 2023 124 Issuing compliance notice 83 125 Form of compliance notice 84 126 Agency response to compliance notice 85 127 Commissioner may vary or cancel compliance notice 85 128 Commissioner’s power to obtain information 85 129 Publication of details of compliance notice 86 Proceedings 130 Enforcement of compliance notice 86 131 Appeal against compliance notice or Commissioner’s decision to 87 vary or cancel notice 132 Interim order suspending compliance notice pending appeal 87 133 Remedies, costs, and enforcement 88 134 Application of Human Rights Act 1993 88 135 Commissioner may be represented in proceedings 89 Part 7 Sharing, accessing, and matching personal information Subpart 1—Information sharing 136 Purpose of this subpart 89 137 Relationship between subpart 1 and other law relating to 89 information disclosure 138 Interpretation 90 139 Information sharing between agencies 92 140 Information sharing within agencies 93 141 Parties to information sharing agreement 93 142 Agreement may apply to classes of agencies 93 143 Lead agency 94 144 Form and content of information sharing agreement 94 145 Governor-General may approve information sharing agreement by 95 Order in Council 146 Requirements for Order in Council 96 147 Further provisions about Order in Council 97 148 Status of Order in Council [Repealed] 98 149 Matters to which relevant Minister must have regard before 98 recommending Order in Council 150 Consultation on proposed information sharing agreement 98 151 Commissioner may prepare and publish report on approved 99 information sharing agreement 152 Requirement to give notice of adverse action 99 153 When requirement to give notice of adverse action applies 100 154 Responsibilities of lead agency 100 155 Report of lead agency 101 156 Commissioner may specify frequency of reporting by lead agency 101 157 Amendment of approved information sharing agreement 101 Version as at 6 December 2023 Privacy Act 2020 158 Review of operation of approved information sharing agreement 102 159 Report on findings of review 103 160 Relevant Minister must present copy of report under section 159(1) and report setting out Government’s response to House of Representatives 161 Power to amend Schedule 2 by Order in Council 104 Subpart 2—Identity information 162 Purpose of this subpart 104 163 Relationship between this subpart and other law relating to information disclosure 164 Interpretation 105 165 Access by agencies to identity information 106 166 Manner and form of access 106 167 Annual reporting requirement 106 168 Power to amend Schedule 3 by Order in Council 106 Subpart 3—Law enforcement information 169 Purpose of this subpart 107 170 Relationship between this subpart and other law relating to information disclosure 171 Interpretation 107 172 Access by accessing agencies to law enforcement information 108 173 Power to amend Schedule 4 by Order in Council 108 Subpart 4—Authorised information matching programmes 174 Purpose of this subpart 108 175 Application of this subpart 108 176 Relationship between this subpart and other law relating to information disclosure 177 Interpretation 109 178 Information matching agreements 110 179 Use of results of authorised information matching programme 110 180 Extension of time limit 111 181 Notice of adverse action proposed 111 182 Reporting requirements 113 183 Reports on authorised information matching programmes 114 184 Reports on information matching provisions 114 185 Responsible Minister must present copy of report under section 184 and report setting out Government’s response to House of Representatives 186 Avoidance of controls on information matching through use of exceptions to information privacy principles 187 Avoidance of controls on information matching through use of official information statutes 115 115 115 188 Power to amend Schedule 5 by Order in Council 115 Privacy Act 2020 Version as at 6 December 2023 189 Power to amend Schedule 6 by Order in Council 116 190 Amendments to other enactments related to this subpart [Repealed] 191 Repeal of section 190 and Schedule 7 117 Part 8 Prohibiting onward transfer of personal information received in New Zealand from overseas 192 Interpretation 117 193 Prohibition on transfer of personal information outside New Zealand 194 Commissioner’s power to obtain information 118 195 Transfer prohibition notice 118 196 Commissioner may vary or cancel transfer prohibition notice 119 197 Offence in relation to transfer prohibition notice 119 198 Appeals against transfer prohibition notice 119 199 Application of Human Rights Act 1993 120 200 Power to amend Schedule 8 by Order in Council 120 Part 9 Miscellaneous provisions General 201 Privacy officers 121 201A Responsibility under Parts 4 to 6 for interdepartmental executive board 202 Commissioner may require agency to supply information 122 203 Inquiries 122 204 Powers relating to declaratory judgments 122 205 Protection against certain actions 122 206 Commissioner and staff to maintain secrecy 123 207 Commissioner may share information with overseas privacy enforcement authority 208 Consultation 124 209 Exclusion of public interest immunity 124 210 Adverse comment 125 Liability and offences 211 Liability of employers, principals, and agencies 125 212 Offences 126 Regulations 213 Regulations: prescribed binding schemes 126 214 Regulations: prescribed countries 127 215 Other regulations 127 Version as at 6 December 2023 Privacy Act 2020 s 2 Repeal, revocation, and consequential amendments 216 Repeal and revocation 128 217 Consequential amendments [Repealed] 129 218 Repeal of section 217 and Schedule 9 129 Schedule 1 Transitional, savings, and related provisions Schedule 2 Approved information sharing agreements Schedule 3 Identity information Schedule 4 Law enforcement information Schedule 5 Information matching provisions Schedule 6 Information matching rules Schedule 7 Amendments to other enactments related to subpart 4 of Part 7 [Repealed] Schedule 8 Basic principles of national application set out in Part Two of OECD Guidelines Schedule 9 Consequential amendments [Repealed] 130 134 147 150 160 161 164 165 167 The Parliament of New Zealand enacts as follows:
This Act is the Privacy Act 2020.
The following provisions come into force on the day after the date on which this Act receives the Royal assent:
subpart 2 of Part 3; and
sections 213 to 215.
The rest of this Act comes into force on 1 December 2020.
Privacy Act 2020 Version as at 6 December 2023
Subpart 1—Preliminary matters
The purpose of this Act is to promote and protect individual privacy by—
providing a framework for protecting an individual’s right to privacy of personal information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken into account; and
giving effect to internationally recognised privacy obligations and stand‐ ards in relation to the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights.
This Act (except section 212) applies to—
a New Zealand agency (A), in relation to any action taken by A (whether or not while A is, or was, present in New Zealand) in respect of personal information collected or held by A:
an overseas agency (B), in relation to any action taken by B in the course of carrying on business in New Zealand in respect of personal informa‐ tion collected or held by B:
an individual (C) who is not ordinarily resident in New Zealand, in rela‐ tion to any action taken by C in respect of—
personal information collected by C while present in New Zea‐ land, regardless of where the information is subsequently held by C or where the individual to whom the information relates is, or was, located:
personal information held by C while present in New Zealand (but not collected by C while present in New Zealand), regardless of where the individual to whom the information relates is, or was, located.
For the purposes of subsection (1)(a) and (b), it does not matter—
where the personal information is, or was, collected by the agency; or
where the personal information is held by the agency; or
where the individual concerned is, or was, located.
For the purposes of subsection (1)(b), an agency may be treated as carrying on business in New Zealand without necessarily— Version as at
Privacy Act 2020 Part 1 s 7
being a commercial operation; or
having a place of business in New Zealand; or
receiving any monetary payment for the supply of goods or services; or
intending to make a profit from its business in New Zealand.
Subpart 3 of Part 7 also applies to a court in relation to its judicial functions.
Section 212 applies to—
a New Zealand agency:
an overseas agency:
an individual who is present in New Zealand:
a person who is outside New Zealand if—
any act or omission forming part of any offence under section 212 occurs in New Zealand; or
any event necessary to the completion of any offence under sec‐ tion 212 occurs in New Zealand.
The transitional, savings, and related provisions set out in Schedule 1 have effect according to their terms.
This Act binds the Crown. Compare: 1993 No 28 s 5 Subpart 2—Interpretation and related matters
In this Act, unless the context otherwise requires,— action includes failure to act, and also includes any policy or practice agency means a person described in section 4 to whom this Act applies binding scheme means an internationally recognised scheme in which the par‐ ticipants agree to be bound by—
specified measures for protecting personal information that is collected, held, used, and disclosed; and
mechanisms for enforcing compliance with those measures Chairperson means the Chairperson of the Human Rights Review Tribunal, and includes a Deputy Chairperson of the Tribunal code of practice means a code of practice issued by the Commissioner under section 32
Privacy Act 2020 Version as at 6 December 2023 collect, in relation to personal information, means to take any step to seek or obtain the personal information, but does not include receipt of unsolicited information Commissioner means the Privacy Commissioner holding office under section 13 and appointed in accordance with section 28(1)(b) of the Crown Entities Act 2004 correct, in relation to personal information, means to alter that information by way of correction, deletion, or addition, and correction has a corresponding meaning country includes a self-governing State, province, or territory department means—
a government department named in Part 1 of Schedule 1 of the Ombuds‐ men Act 1975:
an interdepartmental venture:
a departmental agency hosted by a government department named in Part 1 of Schedule 1 of the Ombudsmen Act 1975:
an interdepartmental executive board serviced by a government depart‐ ment named in Part 1 of Schedule 1 of the Ombudsmen Act 1975 (see also section 201A) departmental agency has the meaning given in section 5 of the Public Service Act 2020 Deputy Commissioner means the Deputy Privacy Commissioner appointed under section 14 Director of Human Rights Proceedings or Director means the Director of Human Rights Proceedings or alternate Director of Human Rights Proceedings appointed under section 20A of the Human Rights Act 1993 document means a document in any form, and includes—
any writing on any material:
any information recorded or stored by means of any computer or other device, and any material subsequently derived from information so recorded or stored:
any label, marking, or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means:
any book, map, plan, graph, or drawing:
any photograph, film, negative, tape, or any device in which 1 or more visual images are embodied so as to be capable (with or without the aid of some other equipment) of being reproduced foreign person or entity means—
an individual who is neither— Version as at
Privacy Act 2020 Part 1 s 7
present in New Zealand; nor
ordinarily resident in New Zealand:
a body, incorporated or unincorporated, that—
is not established under the law of New Zealand; and
does not have its central control and management in New Zea‐ land:
the Government of an overseas country General Data Protection Regulation means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC Human Rights Review Tribunal or Tribunal means the Human Rights Review Tribunal continued by section 93 of the Human Rights Act 1993 individual means a natural person, other than a deceased natural person individual concerned, in relation to personal information, means the indi‐ vidual to whom the information relates information privacy principle or IPP means an information privacy principle set out in section 22 inquiry means an inquiry to which section 6 of the Inquiries Act 2013 applies intelligence and security agency means—
the New Zealand Security Intelligence Service; and
the Government Communications Security Bureau interdepartmental executive board has the meaning given in section 5 of the Public Service Act 2020 interdepartmental venture has the meaning given in section 5 of the Public Service Act 2020 international organisation means any organisation of States or Governments of States or any organ or agency of any such organisation, and includes the Commonwealth Secretariat local authority—
means a local authority or public body named or specified in Schedule 1 of the Local Government Official Information and Meetings Act 1987; and
includes—
any committee, subcommittee, standing committee, special com‐ mittee, joint standing committee, or joint special committee that the local authority is empowered to appoint under its standing orders or rules of procedure or under any enactment or Order in
Privacy Act 2020 Version as at 6 December 2023 Council constituting the local authority or regulating its proceed‐ ings; and
a committee of the whole local authority Minister means a Minister of the Crown in the Minister’s capacity as a Minis‐ ter New Zealand agency has the meaning given to it in section 8 New Zealand private sector agency means a private sector agency that is an incorporated or unincorporated body and that—
is established under New Zealand law; or
has its central management and control in New Zealand news activity means—
gathering, preparing, or compiling, for the purposes of publication, any—
news:
observations on news:
current affairs:
publishing any—
news:
observations on news:
current affairs news entity means an entity (including an individual)—
whose business, in whole or part, consists of a news activity; and
that is, or is employed by an employer that is, subject to the oversight of—
the Broadcasting Standards Authority; or
the New Zealand Media Council; or
an overseas regulator providing an independent procedure for the consideration and adjudication of privacy complaints that is acces‐ sible to complainants, including complainants residing in New Zealand; or
any other body prescribed as a regulatory body by regulations made under section 215(1)(b) for the purposes of this definition OECD Guidelines means the Organisation for Economic Co-operation and Development Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data Ombudsman means an Ombudsman appointed under the Ombudsmen Act 1975 Version as at
Privacy Act 2020 Part 1 s 7 organisation—
means—
an organisation named in Part 2 of Schedule 1 of the Ombudsmen Act 1975; and
an organisation named in Schedule 1 of the Official Information Act 1982; and
includes the Office of the Clerk of the House of Representatives overseas agency has the meaning given to it in section 9 overseas privacy enforcement authority means an overseas body that is responsible for enforcing legislation to protect personal information, and that has the power to conduct investigations and pursue enforcement proceedings Parliamentary Under-Secretary means a Parliamentary Under-Secretary in their capacity as a Parliamentary Under-Secretary personal information—
means information about an identifiable individual; and
includes information relating to a death that is maintained by the Registrar-General under the Births, Deaths, Marriages, and Relation‐ ships Registration Act 2021 or any former Act (as defined in Schedule 1 of that Act) private sector agency means an agency that is not a public sector agency public sector agency—
means an agency that is a Minister, a Parliamentary Under-Secretary, a department, an organisation, or a local authority; and
includes any agency that is an unincorporated body (being a board, council, committee, or other body)—
that is established for the purpose of assisting or advising, or per‐ forming functions connected with, any public sector agency within the meaning of paragraph (a); and
that is established in accordance with the provisions of any enact‐ ment or by any such public sector agency publication has a corresponding meaning to publish publicly available information means personal information that is contained in a publicly available publication publicly available publication means a publication (including a register, list, or roll of data) in printed or electronic form that is, or will be, generally avail‐ able to members of the public free of charge or on payment of a fee publish means to make publicly available in any manner, including by—
displaying on any medium:
Privacy Act 2020 Version as at 6 December 2023
printing in a newspaper or other periodical:
broadcasting by any means:
disseminating by means of the Internet or any other electronic medium:
storing electronically in a way that is accessible to the public responsible Minister means the Minister of Justice serious threat means a threat that an agency reasonably believes to be a ser‐ ious threat having regard to all of the following:
the likelihood of the threat being realised; and
the severity of the consequences if the threat is realised; and
the time at which the threat may be realised unique identifier, in relation to an individual, means an identifier other than the individual’s name that uniquely identifies the individual working day means any day of the week other than—
a Saturday, a Sunday, Waitangi Day, Good Friday, Easter Monday, Anzac Day, the Sovereign’s birthday, Te Rā Aro ki a Matariki/Matariki Observance Day, or Labour Day; or
if Waitangi Day or Anzac Day falls on a Saturday or a Sunday, the fol‐ lowing Monday; or
a day in the period commencing on 25 December in one year and ending with 15 January in the next year.
For the purposes of this Act, a person is to be treated as ordinarily resident in New Zealand if—
the person’s home is in New Zealand; or
the person is residing in New Zealand with the intention of residing in New Zealand indefinitely; or
having resided in New Zealand with the intention of establishing their home in New Zealand, or with the intention of residing in New Zealand indefinitely, the person is outside New Zealand but intends to return to establish their home in New Zealand or to reside in New Zealand indef‐ initely. Compare: 1993 No 28 s 2(1) Section 7(1) department: replaced, on 7 August 2020, by section 125(1) of the Public Service Act 2020 (2020 No 40). Section 7(1) departmental agency: inserted, on 7 August 2020, by section 125(2) of the Public Ser‐ vice Act 2020 (2020 No 40). Section 7(1) interdepartmental executive board: inserted, on 7 August 2020, by section 125(2) of the Public Service Act 2020 (2020 No 40). Section 7(1) interdepartmental venture: inserted, on 7 August 2020, by section 125(2) of the Public Service Act 2020 (2020 No 40). Version as at
Privacy Act 2020 Part 1 s 9 Section 7(1) personal information: amended, on 15 June 2023, by section 147 of the Births, Deaths, Marriages, and Relationships Registration Act 2021 (2021 No 57). Section 7(1) working day paragraph (a): amended, on 12 April 2022, by wehenga 7 o Te Ture mō te Hararei Tūmatanui o te Kāhui o Matariki 2022/section 7 of the Te Kāhui o Matariki Public Holiday Act 2022 (2022 No 14).
In this Act, New Zealand agency—
means—
an individual who is ordinarily resident in New Zealand; or
a public sector agency; or
a New Zealand private sector agency; or
a court or tribunal, except in relation to its judicial functions; but
does not include—
the Sovereign; or
the Governor-General or the Administrator of the Government; or
the House of Representatives; or
a member of Parliament in their official capacity; or
the Parliamentary Service Commission; or
the Parliamentary Service, except in relation to personal informa‐ tion about any employee or former employee of the Parliamentary Service in their capacity as an employee; or
an Ombudsman; or
an inquiry; or
a board of inquiry or court of inquiry appointed under any Act to inquire into a specified matter; or
a news entity, to the extent that it is carrying on news activities.
In this Act, overseas agency means an overseas person, body corporate, or unincorporated body that is not—
a New Zealand agency; or
the Government of an overseas country; or
an overseas government entity to the extent that the entity is performing any public function on behalf of the overseas Government; or
a news entity, to the extent that it is carrying on news activities.
Privacy Act 2020 Version as at 6 December 2023
For the purposes of this Act, personal information held by a person in the per‐ son’s capacity as an officer, an employee, or a member of an agency is to be treated as being held by the agency.
However, subsection (1) does not apply to—
personal information held by an officer, an employee, or a member of a public sector agency (A) if—
the information is held only because of the person’s connection with a private sector agency; and
that connection is not in the person’s capacity as an officer, an employee, or a member of A; or
personal information held by an officer, an employee, or a member of a private sector agency (B) if—
the information is held only because of the person’s connection with another agency (whether a public sector agency or private sector agency); and
that connection is not in the person’s capacity as an officer, an employee, or a member of B.
Despite subsection (1), information that is held by an employee of a depart‐ ment carrying out the functions of a departmental agency must be treated for the purposes of this Act as held by the departmental agency. Compare: 1993 No 28 s 3(1)–(3) Section 10(3): inserted, on 7 August 2020, by section 126 of the Public Service Act 2020 (2020 No 40).
This section applies if an agency (A) holds information for or on behalf of another agency (B) (for example, the information is held by A as a representa‐ tive or agent of B, or for safe custody or processing on behalf of B).
For the purposes of this Act, the personal information is to be treated as being held by B, and not A.
However, the personal information is to be treated as being held by A as well as B if A uses or discloses the information for its own purposes.
For the purposes of this section, it does not matter whether A—
is outside New Zealand; or
holds the information outside New Zealand.
To avoid doubt, if, under subsection (2), B is treated as holding personal infor‐ mation,— Version as at
Privacy Act 2020 Part 2 s 14
the transfer of the information to A by B is not a use or disclosure of the information by B; and
the transfer of the information, and any information derived from the processing of that information, to B by A is not a use or disclosure of the information by A. Compare: 1993 No 28 s 3(4) Section 11(1): replaced, on 30 November 2022, by section 94 of the Statutes Amendment Act 2022 (2022 No 75).
For the purposes of this Act, an action done by, or information disclosed to, a person employed by, or in the service of, an agency in the performance of the duties of the person’s employment is to be treated as having been done by, or disclosed to, the agency. Compare: 1993 No 28 s 4
Privacy Commissioner Subpart 1—Appointment of Privacy Commissioner
There continues to be a Commissioner called the Privacy Commissioner.
The Commissioner is—
a corporation sole; and
a Crown entity for the purposes of section 7 of the Crown Entities Act 2004; and
the board for the purposes of the Crown Entities Act 2004.
The Crown Entities Act 2004 applies to the Commissioner except to the extent that this Act expressly provides otherwise. Compare: 1993 No 28 s 12
The Governor-General may, on the recommendation of the responsible Minis‐ ter, appoint a Deputy Privacy Commissioner.
Part 2 of the Crown Entities Act 2004, except section 46, applies to the appointment and removal of a Deputy Commissioner in the same manner as it applies to the appointment and removal of the Commissioner.
Subject to the control of the Commissioner, the Deputy Commissioner may perform or exercise all the functions, duties, and powers of the Commissioner.
Privacy Act 2020 Version as at 6 December 2023
When there is a vacancy in the position of Commissioner or when the Commis‐ sioner is (for whatever reason) absent from duty, the Deputy Commissioner may perform or exercise all the functions, duties, and powers of the Commis‐ sioner.
The Deputy Commissioner is entitled to all the protections, privileges, and immunities of the Commissioner. Compare: 1993 No 28 s 15
In addition to the persons specified in section 30(2) of the Crown Entities Act 2004, a member of a local authority is disqualified from being appointed as the Commissioner or Deputy Commissioner.
If a Judge is appointed as the Commissioner or Deputy Commissioner,—
the appointment does not affect the Judge’s tenure of judicial office, rank, title, status, precedence, salary, annual or other allowances, or other rights or privileges as a Judge (including those in relation to super‐ annuation); and
for all purposes, the Judge’s service as Commissioner or Deputy Com‐ missioner must be taken to be service as a Judge. Compare: 1993 No 28 s 19
For the purpose of providing superannuation or retiring allowances for the Commissioner or Deputy Commissioner, the Commissioner may, out of the funds of the Commissioner, make payments to or subsidise any retirement scheme (within the meaning of section 6(1) of the Financial Markets Conduct Act 2013).
Subsections (3) to (5) apply to a person who, immediately before being appoin‐ ted as the Commissioner or the Deputy Commissioner or, as the case may be, becoming an employee of the Commissioner, is a contributor to the Govern‐ ment Superannuation Fund under Part 2 or 2A of the Government Superannu‐ ation Fund Act 1956 (the 1956 Act).
The person is, for the purposes of the 1956 Act, to be treated as if the person continues to be employed in the Government service while the person is the Commissioner or Deputy Commissioner or, as the case may be, an employee of the Commissioner.
However, if the person ceases to be a contributor to the Government Super‐ annuation Fund after their appointment or employment, the person may not resume making contributions to the Fund.
For the purposes of applying the 1956 Act to a person under this section, con‐ trolling authority, in relation to the person, means the Commissioner. Compare: 1993 No 28 Schedule 1 cl 4 Version as at
Privacy Act 2020 Part 2 s 17 Subpart 2—Functions of Privacy Commissioner
The functions of the Commissioner are—
to exercise the powers, and carry out the functions and duties, conferred on the Commissioner by or under this Act or any other enactment:
to provide advice (with or without a request) to a Minister, a Parliamen‐ tary Under-Secretary, or an agency on any matter relevant to the oper‐ ation of this Act:
to promote, by education and publicity, an understanding and acceptance of the information privacy principles and of the objectives of those prin‐ ciples:
to make public statements in relation to any matter affecting the privacy of individuals:
to receive and invite representations from members of the public on any matter affecting the privacy of individuals:
to consult and co-operate with other persons and bodies concerned with the privacy of individuals:
to examine any proposed legislation (including secondary legislation) or proposed government policy that the Commissioner considers may affect the privacy of individuals, including any proposed legislation that makes provision for either or both of the following:
the collection of personal information by a public sector agency:
the sharing of personal information between public sector agen‐ cies (including parts of public sector agencies):
to monitor the use of unique identifiers:
to inquire generally into any matter, including any other enactment or any law, or any practice or procedure, whether governmental or non- governmental, or any technical development, if it appears to the Com‐ missioner that the privacy of individuals is being, or may be, infringed (for powers of the Commissioner in relation to inquiries, see section 203):
to undertake research into, and to monitor developments in, data pro‐ cessing and technology to ensure that any adverse effects of the develop‐ ments on the privacy of individuals are minimised:
to give advice to any person in relation to any matter that concerns the need for, or desirability of, action by that person in the interests of the privacy of individuals:
when requested to do so by an agency, to conduct an audit of personal information maintained by that agency for the purpose of ascertaining
Privacy Act 2020 Version as at 6 December 2023 whether the information is maintained according to the information pri‐ vacy principles:
to monitor the operation of this Act and consider whether any amend‐ ments to this Act are necessary or desirable:
to report to the responsible Minister on the results of—
any examination conducted under paragraph (g):
the monitoring undertaken under paragraph (h):
the research and monitoring undertaken under paragraph (j):
the monitoring and consideration undertaken under paragraph (m):
to report to the Prime Minister on—
any matter affecting the privacy of individuals, including the need for, or desirability of, taking legislative, administrative, or other action to give protection or better protection to the privacy of indi‐ viduals:
the desirability of New Zealand accepting any international instru‐ ment relating to the privacy of individuals:
any other matter relating to the privacy of individuals that, in the Commissioner’s opinion, should be drawn to the Prime Minister’s attention:
to gather any information that will assist in carrying out the functions in paragraphs (a) to (o).
The Commissioner may at any time, if it is in the public interest or in the inter‐ ests of any person or body of persons to do so, publish—
reports relating generally to the performance of the Commissioner’s functions under this Act:
reports relating to any case or cases investigated by the Commissioner.
Subsection (2) applies regardless of whether the matters to be dealt with in a report under that subsection have been the subject of a report to the responsible Minister or the Prime Minister. Compare: 1993 No 28 ss 13(1), (2), 26(1) Section 17(1)(g): amended, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
The responsible Minister may, for any of the following purposes, request the Commissioner to provide advice on whether a binding scheme requires a for‐ eign person or entity to protect personal information in a way that, overall, pro‐ vides comparable safeguards to those in this Act: Version as at
Privacy Act 2020 Part 2 s 21
to assist the Minister in deciding whether to recommend the making of regulations under section 213 prescribing the binding scheme:
to assist the Minister in deciding whether any regulations made under section 213 prescribing the binding scheme should be—
continued without amendment; or
continued with amendment; or
revoked; or
replaced.
The responsible Minister may, for the following purposes, request the Commis‐ sioner to provide advice on whether the privacy laws of a country, overall, pro‐ vide comparable safeguards to those in this Act:
to assist the Minister in deciding whether to recommend the making of regulations under section 214 prescribing the country:
to assist the Minister in deciding whether any regulations made under section 214 prescribing the country should be—
continued without amendment; or
continued with amendment; or
revoked:
to assist the Minister in deciding whether, for the purposes in paragraph
or (b)(i) or (ii), the country should be subject to any limitation or qualification of the kind specified in section 214(3).
As soon as practicable after receiving a report under section 17(1)(n)(iv), the responsible Minister must present a copy of the report to the House of Repre‐ sentatives. Compare: 1993 No 28 s 26(2)
The Commissioner must act independently in performing statutory functions and duties, and exercising statutory powers, under—
this Act; and
any other Act that expressly provides for the functions, powers, or duties of the Commissioner (other than the Crown Entities Act 2004). Compare: 1993 No 28 s 13(1A)
The Commissioner must, in performing any statutory function or duty, and in exercising any statutory power,—
Privacy Act 2020 Version as at 6 December 2023
have regard to the privacy interests of individuals alongside other human rights and interests, including—
the desirability of facilitating the free flow of information in soci‐ ety; and
government and businesses being able to achieve their objectives efficiently; and
take account of international obligations accepted by New Zealand, including those concerning the international technology of communica‐ tions; and
take account of cultural perspectives on privacy; and
consider any developing general international guidelines relevant to the better protection of individual privacy; and
have regard to the IPPs. Compare: 1993 No 28 s 14
Information privacy principles and codes of practice Subpart 1—Information privacy principles
The information privacy principles are as follows: Information privacy principle 1
Personal information must not be collected by an agency unless—
the information is collected for a lawful purpose connected with a function or an activity of the agency; and
the collection of the information is necessary for that purpose.
If the lawful purpose for which personal information about an indi‐ vidual is collected does not require the collection of an individual’s identifying information, the agency may not require the individual’s identifying information. Information privacy principle 2
If an agency collects personal information, the information must be col‐ lected from the individual concerned.
It is not necessary for an agency to comply with subclause (1) if the agency believes, on reasonable grounds,— Version as at
Privacy Act 2020 Part 3 s 22
that non-compliance would not prejudice the interests of the individual concerned; or
that compliance would prejudice the purposes of the collection; or
that the individual concerned authorises collection of the infor‐ mation from someone else; or
that the information is publicly available information; or
that non-compliance is necessary—
to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences; or
for the enforcement of a law that imposes a pecuniary pen‐ alty; or
for the protection of public revenue; or
for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
to prevent or lessen a serious threat to the life or health of the individual concerned or any other individual; or
that compliance is not reasonably practicable in the circum‐ stances of the particular case; or
that the information—
will not be used in a form in which the individual con‐ cerned is identified; or
will be used for statistical or research purposes and will not be published in a form that could reasonably be expec‐ ted to identify the individual concerned. Information privacy principle 3
If an agency collects personal information from the individual con‐ cerned, the agency must take any steps that are, in the circumstances, reasonable to ensure that the individual concerned is aware of—
the fact that the information is being collected; and
the purpose for which the information is being collected; and
the intended recipients of the information; and
the name and address of—
the agency that is collecting the information; and
the agency that will hold the information; and
Privacy Act 2020 Version as at 6 December 2023
if the collection of the information is authorised or required by or under law,—
the particular law by or under which the collection of the information is authorised or required; and
whether the supply of the information by that individual is voluntary or mandatory; and
the consequences (if any) for that individual if all or any part of the requested information is not provided; and
the rights of access to, and correction of, information provided by the IPPs.
The steps referred to in subclause (1) must be taken before the informa‐ tion is collected or, if that is not practicable, as soon as practicable after the information is collected.
An agency is not required to take the steps referred to in subclause (1) in relation to the collection of information from an individual if the agency has taken those steps on a recent previous occasion in relation to the collection, from that individual, of the same information or informa‐ tion of the same kind.
It is not necessary for an agency to comply with subclause (1) if the agency believes, on reasonable grounds,—
that non-compliance would not prejudice the interests of the individual concerned; or
that non-compliance is necessary—
to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences; or
for the enforcement of a law that imposes a pecuniary pen‐ alty; or
for the protection of public revenue; or
for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
that compliance would prejudice the purposes of the collection; or
that compliance is not reasonably practicable in the circum‐ stances of the particular case; or
that the information—
will not be used in a form in which the individual con‐ cerned is identified; or Version as at
Privacy Act 2020 Part 3 s 22
will be used for statistical or research purposes and will not be published in a form that could reasonably be expec‐ ted to identify the individual concerned. Information privacy principle 4
An agency may collect personal information only—
by a lawful means; and
by a means that, in the circumstances of the case (particularly in circum‐ stances where personal information is being collected from children or young persons),—
is fair; and
does not intrude to an unreasonable extent upon the personal affairs of the individual concerned. Information privacy principle 5
An agency that holds personal information must ensure—
that the information is protected, by such security safeguards as are reasonable in the circumstances to take, against—
loss; and
access, use, modification, or disclosure that is not authorised by the agency; and
other misuse; and
that, if it is necessary for the information to be given to a person in con‐ nection with the provision of a service to the agency, everything reason‐ ably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information. Information privacy principle 6
An individual is entitled to receive from an agency upon request—
confirmation of whether the agency holds any personal informa‐ tion about them; and
access to their personal information.
If an individual concerned is given access to personal information, the individual must be advised that, under IPP 7, the individual may request the correction of that information.
This IPP is subject to the provisions of Part 4.
Privacy Act 2020 Version as at 6 December 2023 Information privacy principle 7
An individual whose personal information is held by an agency is entitled to request the agency to correct the information.
An agency that holds personal information must, on request or on its own initiative, take such steps (if any) that are reasonable in the circum‐ stances to ensure that, having regard to the purposes for which the infor‐ mation may lawfully be used, the information is accurate, up to date, complete, and not misleading.
When requesting the correction of personal information, or at any later time, an individual is entitled to—
provide the agency with a statement of the correction sought to the information (a statement of correction); and
request the agency to attach the statement of correction to the information if the agency does not make the correction sought.
If an agency that holds personal information is not willing to correct the information as requested and has been provided with a statement of cor‐ rection, the agency must take such steps (if any) that are reasonable in the circumstances to ensure that the statement of correction is attached to the information in a manner that ensures that it will always be read with the information.
If an agency corrects personal information or attaches a statement of correction to personal information, that agency must, so far as is reason‐ ably practicable, inform every other person to whom the agency has dis‐ closed the information.
Subclauses (1) to (4) are subject to the provisions of Part 4. Information privacy principle 8
An agency that holds personal information must not use or disclose that infor‐ mation without taking any steps that are, in the circumstances, reasonable to ensure that the information is accurate, up to date, complete, relevant, and not misleading. Information privacy principle 9
An agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used. Version as at
Privacy Act 2020 Part 3 s 22 Information privacy principle 10
An agency that holds personal information that was obtained in connection with one purpose may not use the information for any other purpose unless the agency believes, on reasonable grounds,—
that the purpose for which the information is to be used is directly related to the purpose in connection with which the information was obtained; or
that the information—
is to be used in a form in which the individual concerned is not identified; or
is to be used for statistical or research purposes and will not be published in a form that could reasonably be expec‐ ted to identify the individual concerned; or
that the use of the information for that other purpose is author‐ ised by the individual concerned; or
that the source of the information is a publicly available publica‐ tion and that, in the circumstances of the case, it would not be unfair or unreasonable to use the information; or
that the use of the information for that other purpose is neces‐ sary—
to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences; or
for the enforcement of a law that imposes a pecuniary pen‐ alty; or
for the protection of public revenue; or
for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
that the use of the information for that other purpose is neces‐ sary to prevent or lessen a serious threat to—
public health or public safety; or
the life or health of the individual concerned or another individual.
In addition to the uses authorised by subclause (1), an intelligence and security agency that holds personal information that was obtained in connection with one purpose may use the information for any other pur‐ pose (a secondary purpose) if the agency believes on reasonable
Privacy Act 2020 Version as at 6 December 2023 grounds that the use of the information for the secondary purpose is necessary to enable the agency to perform any of its functions. Information privacy principle 11
An agency that holds personal information must not disclose the infor‐ mation to any other agency or to any person unless the agency believes, on reasonable grounds,—
that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained; or
that the disclosure is to the individual concerned; or
that the disclosure is authorised by the individual concerned; or
that the source of the information is a publicly available publica‐ tion and that, in the circumstances of the case, it would not be unfair or unreasonable to disclose the information; or
that the disclosure of the information is necessary—
to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences; or
for the enforcement of a law that imposes a pecuniary pen‐ alty; or
for the protection of public revenue; or
for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
that the disclosure of the information is necessary to prevent or lessen a serious threat to—
public health or public safety; or
the life or health of the individual concerned or another individual; or
that the disclosure of the information is necessary to enable an intelligence and security agency to perform any of its functions; or
that the information—
is to be used in a form in which the individual concerned is not identified; or Version as at
Privacy Act 2020 Part 3 s 22
is to be used for statistical or research purposes and will not be published in a form that could reasonably be expec‐ ted to identify the individual concerned; or
that the disclosure of the information is necessary to facilitate the sale or other disposition of a business as a going concern.
This IPP is subject to IPP 12. Information privacy principle 12
An agency (A) may disclose personal information to a foreign person or entity (B) in reliance on IPP 11(1)(a), (c), (e), (f), (h), or (i) only if—
the individual concerned authorises the disclosure to B after being expressly informed by A that B may not be required to protect the information in a way that, overall, provides compar‐ able safeguards to those in this Act; or
B is carrying on business in New Zealand and, in relation to the information, A believes on reasonable grounds that B is subject to this Act; or
A believes on reasonable grounds that B is subject to privacy laws that, overall, provide comparable safeguards to those in this Act; or
A believes on reasonable grounds that B is a participant in a pre‐ scribed binding scheme; or
A believes on reasonable grounds that B is subject to privacy laws of a prescribed country; or
A otherwise believes on reasonable grounds that B is required to protect the information in a way that, overall, provides compar‐ able safeguards to those in this Act (for example, pursuant to an agreement entered into between A and B).
However, subclause (1) does not apply if the personal information is to be disclosed to B in reliance on IPP 11(1)(e) or (f) and it is not reason‐ ably practicable in the circumstances for A to comply with the require‐ ments of subclause (1).
In this IPP,— prescribed binding scheme means a binding scheme specified in regu‐ lations made under section 213 prescribed country means a country specified in regulations made under section 214.
Privacy Act 2020 Version as at 6 December 2023 Information privacy principle 13
An agency (A) may assign a unique identifier to an individual for use in its operations only if that identifier is necessary to enable A to carry out 1 or more of its functions efficiently.
A may not assign to an individual a unique identifier that, to A’s know‐ ledge, is the same unique identifier as has been assigned to that indi‐ vidual by another agency (B), unless—
A and B are associated persons within the meaning of subpart YB of the Income Tax Act 2007; or
the unique identifier is to be used by A for statistical or research purposes and no other purpose.
To avoid doubt, A does not assign a unique identifier to an individual under subclause (1) by simply recording a unique identifier assigned to the individual by B for the sole purpose of communicating with B about the individual.
A must take any steps that are, in the circumstances, reasonable to ensure that—
a unique identifier is assigned only to an individual whose iden‐ tity is clearly established; and
the risk of misuse of a unique identifier by any person is mini‐ mised (for example, by showing truncated account numbers on receipts or in correspondence).
An agency may not require an individual to disclose any unique identi‐ fier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or is for a purpose that is directly related to one of those purposes. Compare: 1993 No 28 s 6
An action taken by an agency in relation to information held overseas does not breach any of the IPPs if the action is required by or under the law of any coun‐ try other than New Zealand. Compare: 1993 No 28 s 10(3)
Nothing in IPP 6, 11, or 12 limits or affects—
a provision contained in any New Zealand enactment that authorises or requires personal information to be made available; or
a provision contained in any other New Zealand Act that—
imposes a prohibition or restriction in relation to the availability of personal information; or Version as at
Privacy Act 2020 Part 3 s 28
regulates the manner in which personal information may be obtained or made available.
An action taken by an agency does not breach IPPs 1 to 5, 7 to 10, or 13 if the action is authorised or required by or under New Zealand law. Compare: 1993 No 28 s 7(1), (2), (4)
IPPs 1 to 4 do not apply to personal information collected before 1 July 1993. Compare: 1993 No 28 s 8(1)
IPP 13(1) to (4)(a) does not apply to unique identifiers assigned before 1 July 1993.
However, IPP 13(2) applies to the assignment of a unique identifier on or after 1 July 1993 even if the unique identifier assigned is the same as that assigned by another agency before that date. Compare: 1993 No 28 s 8(5), (6)
IPPs 1 to 3 and 4(b) do not apply to an agency if that agency—
is an individual; and
is collecting personal information solely for the purposes of, or in con‐ nection with, the individual’s personal or domestic affairs.
IPPs 5 to 12 do not apply to an agency if that agency—
is an individual; and
is holding personal information that was collected by a lawful means solely for the purposes of, or in connection with, the individual’s per‐ sonal or domestic affairs.
However, the exemptions in subsections (1) and (2) do not apply if the collec‐ tion, use, or disclosure of the personal information would be highly offensive to a reasonable person. Compare: 1993 No 28 s 56
IPPs 2, 3, and 4(b) do not apply to personal information collected by an intelli‐ gence and security agency. Compare: 1993 No 28 s 57
Privacy Act 2020 Version as at 6 December 2023
IPPs 6 and 7 do not apply in respect of—
personal information during transmission by post, personal delivery, or electronic means; or
personal information that is contained in any correspondence or commu‐ nication between an agency and any of the following persons and that relates to an investigation conducted by that person under any Act, not being information that was in existence before the commencement of the investigation:
an Ombudsman:
any officer or employee appointed by the Chief Ombudsman under section 11(1) of the Ombudsmen Act 1975:
the Commissioner:
any employee or delegate of the Commissioner; or
personal information held by the Auditor-General, the Deputy Auditor- General, or any employee of the Auditor-General in connection with the performance or exercise of the Auditor-General’s functions, duties, or powers that is not personal information about any employee or former employee of the Auditor-General in their capacity as an employee; or
personal information contained in evidence given or submissions made to—
a government inquiry, until the final report of that inquiry is pre‐ sented to the appointing Minister:
a public inquiry (including a Royal commission), until the final report of that inquiry is presented to the House of Representatives:
a person or body appointed under any Act to inquire into a speci‐ fied matter; or
personal information contained in a video record made under the Evi‐ dence Regulations 2007 or any copy or transcript of the video record.
IPP 7 does not apply to personal information collected by the Government Sta‐ tistician under the Data and Statistics Act 2022. Compare: 1993 No 28 ss 7(5), 55 Section 29(2): amended, on 1 September 2022, by section 107(1) of the Data and Statistics Act 2022 (2022 No 39).
An agency may apply to the Commissioner for authorisation to do any of the following in the circumstances of a particular case: Version as at
Privacy Act 2020 Part 3 s 30
collect personal information even if the collection of that information would otherwise be in breach of IPP 2:
keep personal information even if the keeping of that information would otherwise be in breach of IPP 9:
use personal information even if the use of that information would other‐ wise be in breach of IPP 10:
disclose personal information even if the disclosure of that information would otherwise be in breach of IPP 11 or 12.
An application under subsection (1) must be made in the manner required by the Commissioner.
If, on receiving an application, the Commissioner is not satisfied that the appli‐ cant has taken sufficient steps to give notice of the application to all individuals concerned, the Commissioner may require the applicant to give public notice of the application in a manner that the Commissioner specifies.
If, on receiving an application, the Commissioner is not satisfied that the appli‐ cant has given sufficient opportunity to individuals concerned to object to the application, the Commissioner may require the applicant to give any further opportunity that the Commissioner specifies.
In considering whether to grant an authorisation, the Commissioner must take into account any objections to the application received from individuals con‐ cerned.
The Commissioner may grant an authorisation sought by an applicant only if the Commissioner is satisfied that, in the special circumstances of the case,—
the public interest in granting the authorisation outweighs, to a substan‐ tial degree, the possibility of—
any loss, detriment, damage, or injury to the individuals con‐ cerned; or
any adverse effect on the rights, benefits, privileges, obligations, or interests of the individuals concerned; or
any significant humiliation, significant loss of dignity, or signifi‐ cant injury to the feelings of the individuals concerned; or
granting the authorisation would result in a clear benefit to the individu‐ als concerned that outweighs the possibility of—
any loss, detriment, damage, or injury to the individuals con‐ cerned; or
any adverse effect on the rights, benefits, privileges, obligations, or interests of the individuals concerned; or
any significant humiliation, significant loss of dignity, or signifi‐ cant injury to the feelings of the individuals concerned.
Privacy Act 2020 Version as at 6 December 2023
The Commissioner may not grant an authorisation under subsection (6) in respect of any specified personal information if the individual concerned objec‐ ted.
An authorisation granted under subsection (6) may be subject to any conditions that the Commissioner considers appropriate.
The Commissioner must maintain on the Commissioner’s Internet site a list of current authorisations granted under this section. Compare: 1993 No 28 s 54
Except as provided in subsection (2), the IPPs do not confer on any person any right that is enforceable in a court of law.
The entitlements conferred on an individual by IPP 6(1), to the extent that those entitlements relate to personal information held by a public sector agency, are legal rights and are enforceable in a court of law. Compare: 1993 No 28 s 11 Subpart 2—Codes of practice
The Commissioner may at any time issue a code of practice in relation to the IPPs.
A code of practice may—
modify the application of 1 or more of the IPPs by—
prescribing more stringent or less stringent standards:
exempting any action from an IPP, either unconditionally or con‐ ditionally:
apply 1 or more of the IPPs without modification:
prescribe how 1 or more of the IPPs are to be applied or complied with.
A code of practice may apply in relation to 1 or more of the following:
any specified information or class or classes of information:
any specified agency or class or classes of agency:
any specified activity or class or classes of activity:
any specified industry, profession, or calling or class or classes of indus‐ try, profession, or calling.
A code of practice may also—
impose, in relation to any private sector agency, controls in relation to the comparison (whether done manually or by means of any electronic or other device) of personal information with other personal information Version as at
Privacy Act 2020 Part 3 s 33 for the purpose of producing or verifying information about an identifia‐ ble individual:
in relation to charging under section 66,—
set guidelines to be followed by agencies in determining charges:
prescribe circumstances in which no charge may be imposed:
prescribe procedures for dealing with complaints alleging a breach of the code, without limiting or restricting any provision of Part 5:
provide for the review of the code by the Commissioner:
provide for the expiry of the code.
A code of practice may not limit or restrict the entitlements under IPP 6 or 7.
Despite the definition of the term individual in section 7(1),—
a sector-specific code of practice may be issued that applies 1 or more of the IPPs to information about deceased persons (whether or not the code also applies 1 or more of the IPPs to other information); and
the code of practice has effect under section 38 as if those IPPs so applied, and the provisions of this Act apply accordingly.
See section 36 for the status under the Legislation Act 2019 of codes of prac‐ tice under this section. Compare: 1993 No 28 s 46 Section 32(7): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
The Commissioner may issue a code of practice on—
the Commissioner’s own initiative; or
the application of any person.
An application may be made under subsection (1)(b) only—
by a body that represents the interests of any class or classes of agency, industry, profession, or calling (a group); and
if the code of practice sought by the applicant is intended to apply to that group, or any activity of the group.
Before issuing a code of practice, the Commissioner must—
give public notice of the Commissioner’s intention to issue the code and include a statement that—
the details of the proposed code, including a draft of the proposed code, may be obtained from the Commissioner; and
submissions on the proposed code may be made in writing to the Commissioner within the period specified in the notice; and
Privacy Act 2020 Version as at 6 December 2023
do everything reasonably possible to advise all persons affected by the proposed code, or the representatives of those persons, of—
the details of the proposed code; and
the reasons for the proposed code; and
give the persons affected by the code, or the representatives of those per‐ sons, the opportunity to make submissions on the proposed code; and
consider any submissions made on the proposed code.
Publication in the Gazette of a notice under subsection (3)(a) is conclusive proof that the requirements of that provision have been complied with in respect of the code of practice to which the notice relates. Compare: 1993 No 28 ss 47(1), (3), (4), 48(1), (2)
If the Commissioner considers that it is necessary to issue a code of practice, or to amend or revoke any code of practice, and that following the procedure set out in section 33(3) would be impracticable because it is necessary to issue the code or, as the case may be, the amendment or revocation urgently, the Com‐ missioner may issue the code or, as the case may be, the amendment or revoca‐ tion without complying with that procedure.
Every code of practice, and every amendment to or revocation of a code of practice, issued in accordance with this section,—
must be identified as a temporary code or amendment or revocation; and
remains in force for the period (not exceeding 1 year after the date of its issue) specified for that purpose in the code or, as the case may be, the amendment or the revocation.
Section 35 does not apply to a code of practice, or any amendment to or revo‐ cation of a code of practice, issued in accordance with this section. Compare: 1993 No 28 s 52 Section 34(3): amended, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
A code of practice comes into force on the 28th day after the date of its publi‐ cation under the Legislation Act 2019, or any later date specified in the code. Section 35: replaced, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
A code of practice is secondary legislation (see Part 3 of the Legislation Act 2019 for publication requirements).
That Act applies as if— Version as at
Privacy Act 2020 Part 3 s 38
the Commissioner were the maker of the code; and
the code were made by the Commissioner issuing it. Legislation Act 2019 requirements for secondary legislation referred to in subsection (1) Publication The maker must: LA19 ss 73, 74(1)(a), • notify it in the Gazette stating that it has been issued and specifying a place at which copies of it are available for inspection free of charge and for purchase • ensure that, so long as it remains in force, it is publicly available on an Internet site maintained by, or on behalf of, the maker • make it available for inspection by members of the public free of charge • make it available for purchase by members of the public at a reasonable price The Ministry of Foreign Affairs and Trade considers that the secondary legislation may have international transparency obligations under the CPTPP. As a result the maker may also have to comply with s 75 of the Legislation Act 2019 Presentation The Minister must present it to the House of Representatives Sch 1 cl 14 LA19 ss 74(2), 75 LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 36: replaced, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
The Commissioner may at any time issue an amendment or a revocation of a code of practice.
The provisions of sections 33, 35, and 36 apply in respect of any amendment or revocation of a code of practice. Compare: 1993 No 28 s 51
If a code of practice is in force,—
any action that would otherwise be a breach of an IPP is, for the pur‐ poses of Part 5, treated as not breaching that IPP if the action complies with the code; and
failure to comply with the code, even if the failure would not otherwise be a breach of any IPP, is, for the purposes of Part 5, treated as a breach of an IPP. Compare: 1993 No 28 ss 53, 64
Privacy Act 2020 Version as at 6 December 2023
Access to and correction of personal information Subpart 1—Access to personal information
In this subpart and subpart 3, IPP 6 request means a request made under IPP 6.
In this subpart, requestor, in relation to an IPP 6 request, means the person who made the request. Compare: 1993 No 28 s 33
An IPP 6 request may be made only by the individual concerned or that indi‐ vidual’s representative. Compare: 1993 No 28 s 34
A requestor may ask that an IPP 6 request be treated as urgent (an urgent IPP 6 request).
A requestor making an urgent IPP 6 request must state the reason why the request should be treated as urgent.
On receiving an urgent IPP 6 request, an agency must consider the request and the reason stated for its urgency when determining the priority to be given to responding to it. Compare: 1993 No 28 s 37
An agency must give reasonable assistance to a person who—
wishes to make an IPP 6 request; or
is making an IPP 6 request. Compare: 1993 No 28 s 38
This section applies if an agency that receives an IPP 6 request—
does not hold the information to which the request relates, but believes that the information is held by another agency; or
believes that the information to which the request relates is more closely connected with the functions or activities of another agency.
The agency must promptly, and in any case not later than 10 working days after the day on which the IPP 6 request is received, transfer the request to the other agency and inform the requestor accordingly. Version as at
Privacy Act 2020 Part 4 s 45
However, subsection (2) does not apply if the agency has good cause to believe that the requestor does not want the request transferred to another agency.
If, in reliance on subsection (3), the agency does not transfer the request, the agency must promptly, and in any case not later than 10 working days after the day on which the IPP 6 request was received, inform the requestor that—
this section applies in respect of the request; and
in reliance on subsection (3), the request has not been transferred; and
the name of the agency to which the request could be transferred. Compare: 1993 No 28 s 39
If an agency does not transfer an IPP 6 request under section 43, the agency must, as soon as is reasonably practicable, and in any case not later than 20 working days after the day on which the request is received, respond to the request.
A response must notify the requestor that—
the agency does not hold personal information in a way that enables the information to be readily retrieved; or
the agency does not hold any personal information about the individual to whom the request relates; or
the agency does hold personal information about the individual to whom the request relates and, if access to the information has been requested, that—
access to that information, or some of that information, is granted; or
access to that information, or some of that information, is refused; or
the agency neither confirms nor denies that it holds any personal infor‐ mation about the individual to whom the request relates.
If an agency grants access to personal information, the notice under section 44(2)(c)(i) must state—
the way the information is to be made available; and
the charge (if any) payable under section 66 in respect of the request, and whether all or part of that charge is required to be paid in advance; and
the requestor’s right to make a complaint to the Commissioner about the charge that is payable (if any).
Privacy Act 2020 Version as at 6 December 2023
After giving notice under section 44(2)(c)(i) and receiving any charge required to be paid in advance, the agency must make the information available to the requestor. Compare: 1993 No 28 s 40(1), (2)
An agency may refuse access to the personal information requested, or some of the personal information requested, only if the agency is able to rely on any of sections 49 to 53 (see also section 24).
The notice given under section 44(2)(c)(ii) must state—
the reason for the refusal; and
the requestor’s right to make a complaint to the Commissioner in respect of the refusal.
The notice must also state the grounds in support of the reason for the refusal if—
the reason is that set out in section 50; or
the reason is not that set out in section 50, but the requestor has reques‐ ted disclosure of the grounds.
However,—
subsection (3)(a) does not apply if disclosing the grounds would preju‐ dice the interests protected by section 50:
subsection (3)(b) does not apply if disclosing the grounds would preju‐ dice the interests protected by any of sections 49, 51, and 53:
subsection (3)(b) does not apply if disclosing the grounds would preju‐ dice the interests protected by section 52 and the reason for not disclos‐ ing those grounds is not outweighed by other considerations that make it desirable, in the public interest, to disclose them. Compare: 1993 No 28 ss 30, 44
An agency may neither confirm nor deny that it holds the personal information, or some of the personal information, requested if the agency—
is able to rely on section 49(1)(a)(i) or (d), 51, 52, or 53(c) to refuse to disclose the information or refuse to disclose the information if it exis‐ ted; and
is satisfied that the interest protected by any of those provisions would be likely to be prejudiced by the agency confirming whether or not it holds information about the requestor. Version as at
Privacy Act 2020 Part 4 s 49
The notice given under section 44(2)(d) must inform the requestor of the requestor’s right to make a complaint to the Commissioner in respect of the agency’s response. Compare: 1993 No 28 s 32
On receiving an IPP 6 request, an agency may extend the time limit set out in section 43 or 44 in respect of the request if—
the request is for a large quantity of information, or necessitates a search through a large quantity of information, and meeting the original time limit would unreasonably interfere with the operations of the agency; or
consultations necessary to make a decision on the request are such that a response to the request cannot reasonably be given within the original time limit; or
the processing of the request raises issues of such complexity that a response to the request cannot reasonably be given within the original time limit.
Any extension under subsection (1) must be for a reasonable period of time having regard to the circumstances.
The extension is effected by giving notice of the extension to the requestor within 20 working days after the day on which the request is received.
The notice effecting the extension must—
specify the period of the extension; and
give the reasons for the extension; and
state that the requestor has the right to make a complaint to the Commis‐ sioner about the extension; and
contain any other information that may be necessary. Compare: 1993 No 28 s 41
An agency may refuse access to any personal information requested if—
the disclosure of the information would—
be likely to pose a serious threat to the life, health, or safety of any individual, or to public health or public safety; or
create a significant likelihood of serious harassment of an indi‐ vidual; or
include disclosure of information about another person who— (A) is the victim of an offence or alleged offence; and
Privacy Act 2020 Version as at 6 December 2023 (B) would be caused significant distress, loss of dignity, or injury to feelings by the disclosure of the information; or
after consultation is undertaken (where practicable) by or on behalf of the agency with the health practitioner of the individual concerned, the agency is satisfied that—
the information relates to the individual concerned; and
the disclosure of the information (being information that relates to the physical or mental health of the requestor) would be likely to prejudice the health of the individual concerned; or
the individual concerned is under the age of 16 and the disclosure of the information would be contrary to the interests of the individual con‐ cerned; or
the disclosure of the information (being information in respect of the individual concerned who has been convicted of an offence or is or has been detained in custody) would be likely to prejudice the safe custody or the rehabilitation of the individual concerned.
In this section,— health practitioner means—
a medical practitioner; or
a person who is, or is deemed to be, registered with an authority appoin‐ ted by or under the Health Practitioners Competence Assurance Act 2003 as a practitioner of a particular health profession and whose scope of practice includes the assessment of a person’s mental capacity medical practitioner means a person who—
is, or is deemed to be, registered with the Medical Council of New Zea‐ land as a practitioner of the profession of medicine; and
holds a current practising certificate victim has the meaning given to it in section 8 of the Prisoners’ and Victims’ Claims Act 2005. Compare: 1993 No 28 ss 27(1)(d), 29(1)(c), (d), (e), (4)
An agency may refuse access to any personal information requested if—
the information is evaluative material and the disclosure of that informa‐ tion or of the information identifying the person who supplied it would breach an express or implied promise—
that was made to the person who supplied the information; and
that was to the effect that the information or the identity of the person who supplied it, or both, would be held in confidence; or Version as at
Privacy Act 2020 Part 4 s 51
the information is evaluative material that was made available by the agency to another agency, and that other agency may refuse to disclose the information under paragraph (a).
In this section, evaluative material—
means evaluative or opinion material compiled solely—
for the purpose of determining the suitability, eligibility, or quali‐ fications of the individual to whom the material relates— (A) for employment or for appointment to office; or (B) for promotion in employment or office or for continuance in employment or office; or (C) for removal from employment or office; or (D) for the awarding of contracts, awards, scholarships, hon‐ ours, or other benefits; or
for the purpose of determining whether any contract, award, scholarship, honour, or benefit should be continued, modified, or cancelled; or
for the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property; but
does not include any evaluative or opinion material described in para‐ graph (a) that is compiled by a person employed or engaged by an agency in the ordinary course of that person’s employment or duties. Compare: 1993 No 28 s 29(1)(b), (3)
An agency may refuse access to any personal information requested if the dis‐ closure of the information would be likely—
to prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand; or
to prejudice the entrusting of information to the Government of New Zealand on a basis of confidence by—
the Government of any other country or any agency of the Gov‐ ernment of any other country; or
any international organisation; or
to prejudice the security or defence of—
the Cook Islands; or
Niue; or
Tokelau; or
Privacy Act 2020 Version as at 6 December 2023
the Ross Dependency; or
to prejudice relations between any of the Governments of—
New Zealand:
the Cook Islands:
Niue; or
to prejudice the international relations of the Government of—
the Cook Islands; or
Niue. Compare: 1993 No 28 s 27
An agency may refuse access to any personal information requested if the information needs protecting because making the information available would—
disclose a trade secret; or
be likely to unreasonably prejudice the commercial position of the per‐ son who supplied the information or who is the subject of the informa‐ tion.
Subsection (1) does not apply if, in the circumstances of the particular case, the withholding of that information is outweighed by other considerations that make it desirable, in the public interest, to make the information available. Compare: 1993 No 28 s 28
An agency may refuse access to any personal information requested if—
the information requested does not exist or, despite reasonable efforts to locate it, cannot be found; or
the disclosure of the information would involve the unwarranted disclos‐ ure of the affairs of—
another individual; or
a deceased person; or
the disclosure of the information would be likely to prejudice the main‐ tenance of the law by any public sector agency, including—
the prevention, investigation, and detection of offences; and
the right to a fair trial; or
the disclosure of the information would breach legal professional privil‐ ege; or Version as at
Privacy Act 2020 Part 4 s 55
the disclosure of the information, being information contained in mater‐ ial placed in any library or museum or archive, would breach a condition subject to which that material was placed; or
the disclosure of the information would constitute contempt of court or of the House of Representatives; or
the request is made by a defendant or a defendant’s agent and is—
for information that could be sought by the defendant under the Criminal Disclosure Act 2008; or
for information that could be sought by the defendant under that Act and that has been disclosed to, or withheld from, the defend‐ ant under that Act; or
the request is frivolous or vexatious, or the information requested is triv‐ ial. Compare: 1993 No 28 ss 27(1)(c), 29(1)(a), (f), (h)–(j), (2)
This section applies if an agency has good reason under any of sections 49 to 53 to refuse access to any personal information requested.
Instead of refusing access to the personal information requested, the agency may grant access to the information, but may impose conditions relating to either or both of the following:
the requestor’s use of the information:
the requestor’s disclosure of the information to any other person.
If the personal information requested is contained in a document and there is good reason under any of sections 49 to 53 for withholding some of that infor‐ mation, the agency may decide to grant the requestor access to a copy of that document under section 44(2)(c)(i) with any deletions or alterations in respect of the information that could be withheld that it considers necessary.
If information is withheld under subsection (1), the agency must inform the requestor of—
the reason for the decision to withhold the information; and
the requestor’s right to make a complaint to the Commissioner in respect of that decision.
The agency must also disclose to the requestor the grounds in support of the reason for the decision to withhold the information if—
the reason is that set out in section 50(1); or
Privacy Act 2020 Version as at 6 December 2023
the reason is not that set out in section 50(1), but the requestor has requested disclosure of the grounds.
However,—
subsection (3)(a) does not apply if disclosing the grounds would preju‐ dice the interests protected by section 50(1):
subsection (3)(b) does not apply if disclosing the grounds would preju‐ dice the interests protected by any of sections 49, 51, and 53:
subsection (3)(b) does not apply if disclosing the grounds would preju‐ dice the interests protected by section 52 and the withholding of those grounds is not outweighed by other considerations that make it desirable, in the public interest, to disclose them. Compare: 1993 No 28 s 43
If the personal information requested by an individual is in a document, that information may be made available in 1 or more of the following ways:
by giving the requestor a reasonable opportunity to inspect the docu‐ ment; or
by providing the requestor with a hard copy or an electronic copy of the document; or
in the case of a document that is an article or a thing from which sounds or visual images are capable of being reproduced, by making arrange‐ ments for the requestor to hear or view the sounds or visual images; or
in the case of a document by which words are recorded in a manner in which they are capable of being reproduced in the form of sound or in which words are contained in the form of shorthand writing or in codi‐ fied form, by providing the requestor with a written transcript of the words recorded or contained in the document; or
by giving, in any manner, an excerpt or a summary of the document’s contents; or
by giving oral information about the document’s contents.
Subject to section 55, the agency must make the information available in the way preferred by the requestor unless to do so would—
impair the efficient administration of the agency; or
be contrary to any legal duty of the agency in respect of the document; or
prejudice an interest protected by any of sections 49 to 53.
If the information is not provided in the way preferred by the requestor, the agency must give to the requestor—
the reason for not providing the information in that way; and Version as at
Privacy Act 2020 Part 4 s 60
if the requestor so requests, the grounds in support of that reason.
However, subsection (3)(b) does not apply if disclosing the grounds would prejudice an interest protected by any of sections 49 to 53. Compare: 1993 No 28 s 42
If an agency receives a request to access personal information, the agency—
may give access to the information only if the agency is satisfied of the identity of the requestor; and
must not give access to the information if the agency has reasonable grounds to believe that the request is made under the threat of physical or mental harm; and
must ensure, by the adoption of appropriate procedures, that any infor‐ mation intended for a requestor is received—
only by that requestor; or
if the request is made by a requestor as the representative of an individual, only by the requestor or the individual; and
must ensure that, if the request is made by a requestor as agent for an individual, the requestor has the written authority of the individual to obtain the information, or is otherwise properly authorised by the indi‐ vidual to obtain the information. Compare: 1993 No 28 s 45 Subpart 2—Correction of personal information
In this subpart and subpart 3, correction request means—
a request made under IPP 7(1) to correct personal information; or
a request made under IPP 7(3)(b) to attach a statement of correction to personal information.
In this subpart, requestor, in relation to a correction request, means the person who made the request.
A correction request may be made only by the individual concerned or the indi‐ vidual’s representative. Compare: 1993 No 28 s 34
A requestor may ask that a correction request be treated as urgent (an urgent correction request).
Privacy Act 2020 Version as at 6 December 2023
A requestor making an urgent correction request must state the reason why the request should be treated as urgent.
On receiving an urgent correction request, an agency must consider the request and the reason stated for its urgency when determining the priority to be given to responding to it. Compare: 1993 No 28 s 37
An agency must give reasonable assistance to a person who—
wishes to make a correction request; or
is making a correction request. Compare: 1993 No 28 s 38
This section applies if an agency that receives a correction request—
does not hold the information to which the request relates, but believes that the information is held by another agency; or
believes that the information to which the request relates is more closely connected with the functions or activities of another agency.
The agency must promptly, and in any case not later than 10 working days after the day on which the correction request is received, transfer the request to the other agency and inform the requestor accordingly.
However, subsection (2) does not apply if the agency has good cause to believe that the requestor does not want the request transferred to another agency.
If, in reliance on subsection (3), the agency does not transfer the request, the agency must promptly, and in any case not later than 10 working days after the day on which the correction request was received, inform the requestor—
that this section applies in respect of the request; and
that, in reliance on subsection (3), the request has not been transferred; and
which agency the request could be transferred to. Compare: 1993 No 28 s 39
As soon as is reasonably practicable after receiving a request under IPP 7(1), and in any case not later than 20 working days after receiving the request, an agency must—
decide whether to grant the request; and
notify the requestor that— Version as at
Privacy Act 2020 Part 4 s 65
the agency has corrected, or will correct, the personal information; or
the agency will not correct the personal information.
A notice under subsection (1)(b)(i) must inform the requestor of the action the agency has taken, or will take, to correct the information.
A notice under subsection (1)(b)(ii) must inform the requestor of—
the reason for the agency’s refusal to correct the information; and
the requestor’s entitlement to provide a statement of the correction sought and to request that it be attached to the information (if the reques‐ tor has not done so already); and
the requestor’s right to make a complaint to the Commissioner in respect of the agency’s refusal to correct the information. Compare: 1993 No 28 ss 6 (IPP 7(2)), 40(1)
As soon as is reasonably practicable after receiving a request under IPP 7(3)(b), an agency must—
decide whether to grant the request; and
notify the requestor that—
the agency has attached the statement of correction to the informa‐ tion; or
the agency has not attached the statement of correction to the information.
A notice under subsection (1)(b)(i) must inform the requestor of the action the agency has taken to attach the statement of correction to the information.
A notice under subsection (1)(b)(ii) must inform the requestor of the reques‐ tor’s right to make a complaint to the Commissioner in respect of the agency’s refusal to attach a statement of correction to the information. Compare: 1993 No 28 ss 6 (IPP 7(3)), 40
On receiving a correction request, an agency may extend the time limit set out in section 62 or 63 in respect of the request if—
the request necessitates a search through a large quantity of information, and meeting the original time limit would unreasonably interfere with the operations of the agency; or
consultations necessary to make a decision on the request are such that a response to the request cannot reasonably be given within the original time limit; or
Privacy Act 2020 Version as at 6 December 2023
the processing of the request raises issues of such complexity that a response to the request cannot reasonably be given within the original time limit.
Any extension under subsection (1) must be for a reasonable period of time, having regard to the circumstances.
The extension is effected by giving notice of the extension to the requestor within 20 working days after the day on which the request is received.
The notice effecting the extension must—
specify the period of the extension; and
give the reasons for the extension; and
state that the requestor has the right to make a complaint to the Commis‐ sioner about the extension; and
contain any other information that may be necessary. Compare: 1993 No 28 s 41 Subpart 3—Charges
In relation to an IPP 6 request,—
a public sector agency may, if authorised under section 67, impose a charge for making information available in compliance, in whole or in part, with the request:
a private sector agency may, subject to the provisions of any applicable code of practice, impose a charge for—
providing assistance under section 42, but only if the agency makes information available in compliance, in whole or in part, with the request:
making information available in compliance, in whole or in part, with the request.
In relation to a correction request,—
a public sector agency may, if authorised under section 67, impose a charge for attaching a statement of correction to personal information:
a private sector agency may, subject to the provisions of any applicable code of practice, impose a charge for—
providing assistance under section 61:
attaching a statement of correction to personal information.
Except as provided in subsections (1) and (2), no public sector agency or pri‐ vate sector agency may impose any charge in relation to an IPP 6 request or a correction request. Version as at
Privacy Act 2020 Part 5 s 68
A charge imposed under subsection (1) or (2) must be reasonable and, in the case of a charge imposed under subsection (1)(a) or (b)(ii), regard may be had to—
the cost of the labour and materials involved in making the information available; and
any costs involved in making the information available urgently (in the case of an urgent IPP 6 request received under section 41).
An agency may require all or part of a charge to be paid in advance. Compare: 1993 No 28 ss 35, 40(2)
The Commissioner may authorise a public sector agency to impose a charge under section 66(1)(a) or (2)(a) if the Commissioner is satisfied that the public sector agency will be commercially disadvantaged in comparison with any competitor in the private sector if it were not able to impose a charge.
The Commissioner may impose any conditions on an authorisation that the Commissioner considers appropriate.
The Commissioner may, at any time, revoke an authorisation, but only after giving the agency an opportunity to be heard. Compare: 1993 No 28 s 36
Complaints, investigations, and proceedings
In this Part, unless the context otherwise requires,— access direction means an access direction made by the Commissioner under section 92 action has the meaning given to it in section 7(1), and includes a decision aggrieved individual means an individual whose privacy is the subject of—
a complaint under subpart 1; or
an investigation under subpart 2; or
a proceeding under subpart 3 approved information sharing agreement has the meaning given to it in sec‐ tion 138 complainant, in relation to a complaint, means the person who made the com‐ plaint information matching agreement means an agreement entered into under sec‐ tion 178
Privacy Act 2020 Version as at 6 December 2023 parties,—
in relation to an investigation conducted by the Commissioner on receiv‐ ing a complaint under section 72(1), means—
the complainant whose complaint is the subject of the investiga‐ tion; and
the aggrieved individual, if the complaint is made on behalf of that aggrieved individual (and no other aggrieved individual); and
the respondent:
in relation to an investigation conducted by the Commissioner on the Commissioner’s own initiative, means—
the aggrieved individual or aggrieved individuals (if known); and
the respondent respondent means an agency whose action is the subject of an investigation under subpart 2.
In this Act, an action of an agency is an interference with the privacy of an individual in any of the circumstances set out in subsection (2) or (3).
An action of an agency is an interference with the privacy of an individual if the action breaches,—
in relation to the individual,—
1 or more of the IPPs; or
the provisions of an approved information sharing agreement; or
the provisions of an information matching agreement or section 179 or 181; or
section 115 (which requires an agency to give notice to affected individuals or the public of a notifiable privacy breach); and
the action—
has caused, or may cause, loss, detriment, damage, or injury to the individual; or
has adversely affected, or may adversely affect, the rights, bene‐ fits, privileges, obligations, or interests of the individual; or
has resulted in, or may result in, significant humiliation, signifi‐ cant loss of dignity, or significant injury to the feelings of the indi‐ vidual.
An action of an agency is an interference with the privacy of an individual if, in relation to a request made by a person under IPP 6 or 7, the agency has, with‐ out proper basis, made—
a decision to refuse a request under IPP 6; or Version as at
Privacy Act 2020 Part 5 s 73
a decision to refuse a request under IPP 7; or
any other decision under Part 4 in relation to the request.
For the purpose of subsection (3)(a), the following must be treated as a deci‐ sion by an agency to refuse a request under IPP 6:
a failure to comply with the time limits in Part 4 for responding to the request:
undue delay in making information available after granting the request.
For the purpose of subsection (3)(b), the following must be treated as a deci‐ sion by an agency to refuse a request under IPP 7:
a failure to comply with the time limits in Part 4 for responding to the request:
undue delay in correcting information after granting the request:
undue delay in attaching a statement of correction after granting the request. Compare: 1993 No 28 s 66 Subpart 1—Complaints
A complaint may be made under this Part alleging that an action of an agency is, or appears to be, an interference with the privacy of an individual.
A complaint may be made together with 1 or more other complaints.
Any person may make a complaint.
A complaint may be made on behalf of 1 or more aggrieved individuals. Compare: 1993 No 28 s 67(1)
A complaint must be made to the Commissioner and may be made orally or in writing.
A complaint made orally must be put in writing as soon as practicable.
If a person wishing to make a complaint to the Commissioner requires assist‐ ance to put the complaint in writing, the Commissioner must give that person any assistance that is reasonably necessary in the circumstances. Compare: 1993 No 28 ss 67(2), 68
As soon as practicable after receiving a complaint, the Commissioner must consider the complaint and—
Privacy Act 2020 Version as at 6 December 2023
decide, in accordance with section 74, not to investigate the complaint; or
decide, in accordance with section 75, to refer the complaint to another person; or
decide, in accordance with section 76, to refer the complaint, or part of the complaint, to an overseas privacy enforcement authority; or
decide, in accordance with section 77, to explore the possibility of secur‐ ing a settlement between the complainant and the agency whose action is the subject of the complaint; or
decide to investigate the complaint in accordance with subpart 2.
As soon as practicable after making a decision under subsection (1), the Com‐ missioner must—
advise the complainant of that decision; and
advise the complainant of the reasons for the decision, if the decision is made under subsection (1)(a). Compare: 1993 No 28 ss 70, 71(3), 72(3), 72A(3), 72B(3), 72C(3)
The Commissioner may decide not to investigate a complaint if, in the Com‐ missioner’s opinion,—
the complainant has not made reasonable efforts to resolve the complaint directly with the agency concerned; or
there is an alternative dispute resolution process available to resolve the complaint because of the agency’s membership of a particular profession or industry; or
there is an adequate remedy or right of appeal, other than the right to petition the House of Representatives or to make a complaint to an Ombudsman, that it would be reasonable for the complainant to pursue; or
the complaint relates to a matter in respect of which a code of practice has been issued that includes a complaints procedure, and the complain‐ ant has not taken reasonable steps to pursue, or fully pursue, the redress available under that procedure; or
the aggrieved individual or aggrieved individuals knew about the action that is the subject of the complaint for 12 months or more before the complaint was made; or
the time that has elapsed between the date on which the subject of the complaint arose and the date on which the complaint was made is such that an investigation of the complaint is no longer practicable or desira‐ ble; or Version as at
Privacy Act 2020 Part 5 s 76
the aggrieved individual or aggrieved individuals do not want the com‐ plaint pursued; or
the complainant does not have a sufficient personal interest in the subject of the complaint; or
the subject of the complaint is trivial; or
the complaint is frivolous, vexatious, or not made in good faith.
Despite anything in subsection (1), the Commissioner may, in the Commission‐ er’s discretion, decide not to investigate a complaint if it appears to the Com‐ missioner that, having regard to all the circumstances of the case, an investiga‐ tion is unnecessary. Compare: 1975 No 9 s 17(1)(f)(i); 1993 No 28 s 71(1)
This section applies if, after receiving a complaint, the Commissioner considers that the complaint relates, in whole or in part, to a matter that is more properly within the jurisdiction of any of the following persons:
an Ombudsman:
the Health and Disability Commissioner:
the Inspector-General of Intelligence and Security:
the Independent Police Conduct Authority.
The Commissioner must—
consult the person specified in subsection (1) who the Commissioner considers has jurisdiction to deal with the complaint; and
decide the appropriate means of dealing with the complaint.
If the Commissioner decides that the complaint should be dealt with, in whole or in part, by a person specified in subsection (1), the Commissioner must, as soon as practicable, refer the complaint, or the appropriate part of the com‐ plaint, to that person. Compare: 1993 No 28 ss 72, 72A, 72B
This section applies if, on receiving a complaint, the Commissioner considers that the complaint relates, in whole or in part, to a matter that is more properly within the jurisdiction of an overseas privacy enforcement authority.
As soon as practicable, the Commissioner may—
consult the overseas privacy enforcement authority and the complainant; and
decide the appropriate means of dealing with the complaint.
If the Commissioner decides that the complaint should be dealt with, in whole or in part, by the overseas privacy enforcement authority and both the authority
Privacy Act 2020 Version as at 6 December 2023 and the complainant agree, the Commissioner may refer the complaint, or the appropriate part of the complaint, to the authority. Compare: 1993 No 28 s 72C
At any time after receiving a complaint and without commencing an investiga‐ tion, the Commissioner may decide to use best endeavours to—
secure a settlement of the complaint; and
if appropriate, secure a satisfactory assurance from the agency whose action is the subject of the complaint that there will not be a repetition of the action that gave rise to the complaint, or of any similar kind of action.
If the Commissioner is unable to secure a settlement or a satisfactory assur‐ ance, the Commissioner may—
decide not to investigate the complaint if the Commissioner—
is satisfied of any of the matters set out in section 74; or
considers that any further action is unnecessary or inappropriate; or
decide to investigate the complaint under subpart 2.
As soon as practicable after making a decision under subsection (2), the Com‐ missioner must notify the complainant of the decision. Compare: 1993 No 28 s 74
The Commissioner may refer a complaint to the Director without conducting an investigation if—
the Commissioner is unable to secure a settlement or a satisfactory assurance under section 77; or
it appears that a term of settlement previously secured between the agency and the aggrieved individual or aggrieved individuals has not been complied with; or
it appears that the action that is the subject of the complaint was done in contravention of any term of settlement or an assurance previously secured under this Act or the Privacy Act 1993. Compare: 1993 No 28 s 77(2)(a), (c) Subpart 2—Investigations by Commissioner
This subpart applies to investigations conducted by the Commissioner— Version as at
Privacy Act 2020 Part 5 s 82
into complaints received under section 72(1); or
on the Commissioner’s own initiative, into any matter in respect of which a complaint may be made under this Act.
As the first step of an investigation, the Commissioner must notify the respond‐ ent that the Commissioner is commencing an investigation.
A notice given under subsection (1) must set out—
the details of—
the complaint; or
the subject of the investigation; and
the right to provide, within a reasonable time, a written response to the Commissioner. Compare: 1993 No 28 s 73
The Commissioner must conduct an investigation in a timely manner.
During an investigation, the Commissioner may—
hear and obtain information from any person; and
make any inquiries.
At any time during an investigation, the Commissioner may decide to take no further action on a complaint or matter if the Commissioner—
is satisfied of any of the matters set out in section 74; or
considers that any further action is unnecessary or inappropriate.
As soon as practicable after making a decision under subsection (3), the Com‐ missioner must notify the parties of—
that decision; and
the reason for that decision.
It is not necessary for the Commissioner to hold a hearing, and no person is entitled as of right to be heard by the Commissioner.
Any investigation held by the Commissioner must be conducted in private. Compare: 1993 No 28 ss 71(2), 75, 90(1), (2)
When conducting an investigation, the Commissioner may adopt any procedure the Commissioner considers appropriate that is not inconsistent with this Act or any regulations made under section 215(1)(a). Compare: 1993 No 28 s 90(3)
Privacy Act 2020 Version as at 6 December 2023
At any time during an investigation of a complaint, the Commissioner may decide to use best endeavours to—
secure a settlement of the complaint; and
if appropriate, secure a satisfactory assurance from the agency whose action is the subject of the complaint that there will not be a repetition of the action that gave rise to the complaint, or of any similar kind of action.
At any time during an investigation being conducted on the Commissioner’s own initiative, the Commissioner may decide to use best endeavours to secure a satisfactory assurance from the respondent that there will not be a repetition of the action that gave rise to the investigation, or of a similar kind of action. Compare: 1993 No 28 s 74
The Commissioner may refer the complaint or the matter that is the subject of the investigation to the Director without conducting any further investigation if—
the Commissioner is unable to secure a settlement or a satisfactory assurance under section 83; or
it appears that a term of settlement previously secured between the agency and the aggrieved individual or aggrieved individuals has not been complied with; or
it appears that the action that is the subject of the complaint or that gave rise to the investigation was done in contravention of any term of settle‐ ment or an assurance previously secured under this Act or the Privacy Act 1993. Compare: 1993 No 28 s 77(2)
At any time during an investigation of a complaint, the Commissioner may call a conference of the parties—
by sending each of them a notice requesting their attendance at a speci‐ fied time and place; or
by any other means agreed by the parties.
The objectives of a conference are—
to identify the matters in issue; and
to try to obtain agreement between the parties on the resolution of those matters in order to settle the complaint. Version as at
Privacy Act 2020 Part 5 s 87
If a person fails to comply with a request under subsection (1) to attend a con‐ ference, the Commissioner may issue a summons requiring the person to attend a conference at a time and place specified in the summons.
Section 159 of the Criminal Procedure Act 2011 applies to a summons under this section as if it were a witness summons issued under that section. Compare: 1993 No 28 s 76
The Commissioner may summon and examine on oath any person who the Commissioner considers is able to give information relevant to an investiga‐ tion, and may for that purpose administer an oath to the person.
Every examination by the Commissioner under subsection (1) is to be treated as a judicial proceeding within the meaning of section 108 of the Crimes Act 1961 (which relates to perjury).
A person who is summoned by the Commissioner under this section is entitled to the same fees, allowances, and expenses as if the person were a witness in a court, and—
the provisions of any regulations prescribing the fees, allowances, and expenses payable to persons giving evidence under the Criminal Proced‐ ure Act 2011 apply; and
the Commissioner has the powers of a court under those regulations to fix or disallow, in whole or in part, or to increase, any amounts payable under the regulations. Compare: 1993 No 28 s 91(1)–(3), (5)
At any time during an investigation, the Commissioner may, by notice, require any person to provide—
any information in the person’s possession, or under the person’s control, that the Commissioner considers may be relevant to the investigation:
any documents or things in the person’s possession, or under the per‐ son’s control, that the Commissioner considers may be relevant to the investigation.
A person who receives a notice under subsection (1) must comply with that notice as soon as practicable, but in no case later than—
the date specified in the notice; or
if no date is specified in the notice, the 20th working day after the date of receipt of the notice.
However, a person may request an extension of the time limit for complying with a notice received under subsection (1) if—
Privacy Act 2020 Version as at 6 December 2023
the requirement in the notice relates to, or necessitates a search through, a large quantity of information, documents, or things, and meeting the original time limit would unreasonably interfere with the operations of the agency; or
the consultations necessary before the requirement in the notice can be complied with are such that meeting the original time limit is unreasona‐ ble; or
the complexity of the issues raised by the requirement in the notice is such that meeting the original time limit is unreasonable.
A request under subsection (3) must be made to the Commissioner before the expiry of the date in subsection (2)(b) and specify—
the period of the extension sought; and
the reasons for the extension; and
any other relevant information.
The Commissioner must grant a request made under subsection (3) if satisfied that any of the grounds specified in that subsection are established. Compare: 1993 No 28 ss 91(4), 92(1), (2), 93
A person who is bound by the provisions of an enactment to maintain secrecy in relation to, or not to disclose, any matter may be required to do the following even though compliance with that requirement would be in breach of the obli‐ gation of secrecy or non-disclosure:
give evidence to, or answer questions put by, the Commissioner:
provide information, documents, or things to the Commissioner.
Compliance with a requirement of this kind is not a breach of the relevant obli‐ gation of secrecy or non-disclosure or of the enactment by which that obliga‐ tion is imposed.
However, the Commissioner may not require information, documents, or things to be provided if—
the Prime Minister certifies that the giving of any information, docu‐ ment, or thing might prejudice—
the security or defence of New Zealand, or the international rela‐ tions of the Government of New Zealand; or
any interest protected by section 7 of the Official Information Act 1982 (which relates to the Cook Islands, Niue, Tokelau, and the Ross Dependency); or
the Attorney-General certifies that the giving of any information, docu‐ ment, or thing— Version as at
Privacy Act 2020 Part 5 s 89
might prejudice the prevention, investigation, or detection of offences; or
might involve the disclosure of proceedings of Cabinet, or any committee of Cabinet, relating to matters of a secret or confiden‐ tial nature, and the disclosure would be injurious to the public interest.
This section is subject to section 89. Compare: 1993 No 28 s 95
Every person has the same privileges as witnesses have in a court of law in relation to—
giving evidence to, or answering questions put by, the Commissioner:
providing information, documents, or things to the Commissioner.
However, if the Commissioner issues a notice under section 87 in relation to a particular complaint under IPP 6 and the person who receives the notice claims privilege over any information, document, or thing, that person must neverthe‐ less provide the information, document, or thing that is the subject of the com‐ plaint to the Commissioner for the purpose of the Commissioner determining whether it is properly withheld from the aggrieved individual.
When any information, document, or thing is provided under subsection (2), the Commissioner must not—
use the information, document, or thing other than for the purpose speci‐ fied in subsection (2); or
take into account the information or any information in the document or thing in forming an opinion about the release of any other information; or
give an opinion as to whether the claim of privilege is valid to any per‐ son other than—
the complainant (if any):
an aggrieved individual:
the respondent:
the Director:
the Tribunal; or
release the information, document, or thing, or any information derived from the document or thing, to any person other than—
any lawyer engaged by the Commissioner for the purpose of pro‐ viding legal advice as to whether the information, document, or thing would be properly withheld under subsection (1); or
Privacy Act 2020 Version as at 6 December 2023
the Director, if the Commissioner has given an opinion to the Director under paragraph (c)(iv); or
the Tribunal, if the Commissioner is required to provide a report or information under section 108(1).
Subsection (3)(c) does not prevent the Commissioner from giving, either gen‐ erally or to a particular person, an opinion in a form that does not identify—
the person who provided the information, document, or thing; or
a person who is the subject of the information, document, or thing.
Subsection (3)(d) does not prevent the Commissioner from giving the informa‐ tion, document, or thing, or any information derived from the document or thing, to a person if—
the person who provided the information, document, or thing consents; and
the person who is the subject of the information, document, or thing con‐ sents.
The privileges protected by this section do not include public interest immunity (see section 209).
A person who complies with any requirement of the Commissioner under sec‐ tion 87 or 88 is not liable to prosecution for an offence against any enactment (other than section 212) in respect of that compliance. Compare: 1993 No 28 s 94
Any information, document, or thing provided by a person in the course of an investigation by the Commissioner, or during any hearing before the Commis‐ sioner, is privileged in the same manner as if the investigation or hearing were proceedings in a court.
The following persons may not be required to give evidence in any court, or in any proceedings of a judicial nature, in respect of anything coming to their knowledge in performing or exercising their functions, duties, or powers under this Act:
the Commissioner, or any person who has held the appointment of Com‐ missioner:
a person who is employed or engaged, or who has been employed or engaged, by the Commissioner:
the Director.
Subsection (2) does not apply in respect of proceedings for—
an offence against section 78, 78AA(1), 78A(1), 105, 105A, or 105B of the Crimes Act 1961; or Version as at
Privacy Act 2020 Part 5 s 91
the offence of conspiring to commit an offence against any of the provi‐ sions listed in paragraph (a); or
the offence of attempting to commit an offence against any of the provi‐ sions listed in paragraph (a).
For the purposes of clause 3 of Part 2 of Schedule 1 of the Defamation Act 1992, any report of the Commissioner under this Act is taken to be an official report. Compare: 1993 No 28 s 96
This section applies after the Commissioner has completed an investigation of an action of an agency under subpart 1 of Part 4 that appears to be an interfer‐ ence with the privacy of an individual.
The Commissioner may,—
in the case of an investigation conducted on a complaint, make a deter‐ mination that the complaint—
has substance; or
does not have substance; or
in the case of an investigation conducted on the Commissioner’s own initiative, make a determination that the matter that is the subject of the investigation—
should be proceeded with; or
should not be proceeded with.
If the Commissioner determines that a complaint has substance, the Commis‐ sioner must use best endeavours to secure a settlement of the complaint and an assurance of the kind specified in section 83(1).
If the Commissioner determines that the matter that is the subject of an investi‐ gation should be proceeded with, the Commissioner must use best endeavours to secure an assurance of the kind specified in section 83(2).
If the complaint or matter has not been resolved despite the Commissioner using best endeavours under subsection (3) or (4), the Commissioner may do 1 or more of the following:
make any access direction under section 92 that the Commissioner con‐ siders appropriate:
refer the complaint or matter, as the case may be, to the Director:
take any other action that the Commissioner considers appropriate.
Without limiting subsection (5)(b), the Commissioner may refer the complaint or matter, as the case may be, to the Director if the action that is the subject of
Privacy Act 2020 Version as at 6 December 2023 the complaint or investigation was done in contravention of any term of settle‐ ment or assurance previously secured under this Act or the Privacy Act 1993.
As soon as practicable, the Commissioner must give notice to the parties of—
any determination made, or not made, under subsection (2) and the rea‐ sons for making or not making that determination; and
any access direction that is made referred to in subsection (5)(a); and
any referral made under subsection (5)(b) or (6); and
any other action taken under subsection (5)(c).
The Commissioner may direct an agency to provide an individual access to the individual’s personal information in any manner that the Commissioner con‐ siders appropriate.
Without limiting subsection (1), the Commissioner may direct an agency to do any of the following before a specified date:
confirm whether the agency holds any specified personal information:
permit the individual access to any specified personal information:
make any specified information available to the individual in a particular way.
The Commissioner may, at any time, on the request of the individual or on the Commissioner’s own initiative,—
amend an access direction; or
cancel an access direction.
This section applies after the Commissioner has completed an investigation of an action of an agency under subpart 3 of Part 4 that appears to be an interfer‐ ence with the privacy of an individual because, in relation to a request made by the individual under subpart 1 or 2 of Part 4, the agency has imposed a charge that is—
contrary to section 66; or
unreasonable.
If it has not been possible to secure a settlement, the Commissioner may make a determination that the charge imposed by the agency is—
properly imposed:
improperly imposed:
reasonable:
unreasonable. Version as at
Privacy Act 2020 Part 5 s 94
If the Commissioner makes a determination under subsection (2)(d), the Com‐ missioner may also determine the appropriate charge for the agency to impose.
As soon as practicable, the Commissioner must notify the parties to any deter‐ mination made, or not made, under subsection (2) or (3).
A determination made by the Commissioner under subsection (2) is final and binding and no proceedings may be commenced in the Tribunal by the parties in respect of that determination.
If the Commissioner makes a determination under subsection (3) and the agency does not agree to reduce the charge it has imposed to the amount deter‐ mined by the Commissioner to be appropriate (or less),—
the imposition of the charge is treated as an interference with the privacy of an individual for the purposes of section 69(3); and
the Commissioner may take 1 or more of the actions specified in section 91(5). Compare: 1993 No 28 ss 75, 78
After the Commissioner has completed an investigation under this subpart, other than an investigation to which section 91 or 93 applies, the Commis‐ sioner may,—
in the case of an investigation conducted in respect of a complaint, make a determination that the complaint—
has substance; or
does not have substance; or
in the case of an investigation conducted on the Commissioner’s own initiative, make a determination that the subject of the investigation—
should be proceeded with; or
should not be proceeded with.
If the Commissioner determines that a complaint has substance, the Commis‐ sioner must use best endeavours to secure a settlement of the complaint and an assurance of the kind specified in section 83(1).
If the Commissioner determines that a matter that is the subject of an investiga‐ tion should be proceeded with, the Commissioner must use best endeavours to secure an assurance of the kind specified in section 83(2).
If the complaint or matter has not been resolved despite the Commissioner using best endeavours, the Commissioner may do either or both of the follow‐ ing:
refer the complaint or the matter, as the case may be, to the Director:
take any other action the Commissioner considers appropriate.
Privacy Act 2020 Version as at 6 December 2023
Without limiting subsection (4)(a), the Commissioner may refer the complaint or matter, as the case may be, to the Director if the action that is the subject of the complaint or investigation was done in contravention of any term of settle‐ ment or assurance previously secured under this Act or the Privacy Act 1993.
As soon as practicable, the Commissioner must notify the parties to the investi‐ gation of—
any determination made, or not made, under subsection (1); and
any referral made under subsection (4)(a); and
any other action taken under subsection (4)(b). Compare: 1993 No 28 ss 75, 77(1), (2)
Nothing in section 85, 91, 93, 94, or subpart 3 applies to—
any complaint made under this Part in relation to an action of an intelli‐ gence and security agency; or
any investigation conducted under this Part in relation to an action of an intelligence and security agency.
If, after completing an investigation, the Commissioner is of the opinion that an action of an intelligence and security agency is an interference with the privacy of an individual, the Commissioner must provide to the intelligence and secur‐ ity agency a report setting out—
that opinion; and
the reasons for that opinion.
A report provided under subsection (2) may include any recommendations that the Commissioner considers appropriate.
When making a report under subsection (2), the Commissioner may request the intelligence and security agency to notify the Commissioner within a specified time of any steps the agency proposes to take in response to the report and to any recommendations included in the report.
If, within a reasonable time after any report is made, the intelligence and secur‐ ity agency has taken no steps in response to the report that the Commissioner considers to be adequate and appropriate, the Commissioner may send a copy of the report to the Prime Minister.
As soon as practicable after receiving a report under subsection (5), the Prime Minister may present the report, or any part of the report, to the House of Rep‐ resentatives. Compare: 1993 No 28 s 81
If, during or after an investigation, the Commissioner is of the opinion that there is evidence of any significant breach of duty or misconduct on the part of Version as at
Privacy Act 2020 Part 5 s 98 an agency, or an officer, an employee, or a member of an agency, the Commis‐ sioner must refer the matter to the appropriate authority. Compare: 1993 No 28 s 80 Subpart 3—Proceedings before Human Rights Review Tribunal
This section applies if a complaint or matter is referred by the Commissioner to the Director under section 78, 84, 91(5)(b) or (6), or 94(4)(a) or (5).
The Director must—
decide whether to commence proceedings in the Tribunal in respect of the complaint or matter; and
give written notice to the following persons of that decision:
the complainant; and
the agency whose action was the subject of the complaint or matter.
Before commencing any proceedings in the Tribunal, the Director must give the agency an opportunity to be heard.
The parties to proceedings commenced under this section are—
the Director, as the plaintiff; and
the agency, as the defendant.
An aggrieved individual may join, or be joined in, the proceedings only if the Tribunal so orders.
The Director may bring proceedings on behalf of a class of aggrieved individu‐ als, and may seek on behalf of the individuals who belong to the class any of the remedies described in section 102, if the Director considers that a respond‐ ent is acting or has acted in a way that affects or has affected that class and that is an interference with the privacy of an individual. Compare: 1993 No 28 s 82
An aggrieved individual, a representative on behalf of an aggrieved individual, or a representative lawfully acting on behalf of a class of aggrieved individuals may commence proceedings in the Tribunal in respect of a complaint received by the Commissioner, or a matter investigated under subpart 2, in any case where—
the Commissioner decides, under section 77(2)(a), not to investigate the complaint; or
Privacy Act 2020 Version as at 6 December 2023
the Commissioner, having commenced an investigation, decides not to further investigate the complaint or matter; or
the Commissioner does not make a determination under section 91(2), 93(2), or 94(1) in respect of the complaint or matter; or
the Commissioner determines that the complaint does not have sub‐ stance, or that the matter should not be proceeded with; or
the Commissioner determines that the complaint has substance, or the matter should be proceeded with, but does not refer the complaint or matter to the Director; or
the Commissioner makes an access direction under section 92, but an aggrieved individual is not satisfied with the terms of the access direc‐ tion; or
the Commissioner makes an access direction under section 92, but the aggrieved individual or aggrieved individuals seek 1 or more remedies under section 102 (whether or not the individual or individuals are satis‐ fied with the terms of the access direction); or
the Director decides not to commence proceedings in respect of the com‐ plaint or matter referred to the Director by the Commissioner; or
the Director notifies the aggrieved individual or individuals that the Director agrees to the aggrieved individual or individuals commencing proceedings in respect of the complaint or matter referred to the Director by the Commissioner.
A person commencing proceedings under subsection (1)(a) must do so within 6 months after the Commissioner has given notice to the complainant under sec‐ tion 77(3).
A person commencing proceedings under subsection (1)(b) must do so within 6 months after the Commissioner has given notice to the parties under section 81(4).
A person commencing proceedings under subsection (1)(c), (d), (e), or (f) must do so within 6 months after the Commissioner has given notice to the parties under section 91(7), 93(4), or 94(6).
A person commencing proceedings under subsection (1)(g) must do so within 6 months after the expiry of the period specified in section 106 for lodging an appeal against the access direction.
A person commencing proceedings under subsection (1)(h) must do so within 6 months after the Director has given notice of the Director’s decision under sec‐ tion 97(2)(b).
A person commencing proceedings under subsection (1)(i) must do so within 6 months after the Director has given notice to the aggrieved individual or indi‐ viduals under subsection (1)(i). Version as at
Privacy Act 2020 Part 5 s 100
The Chairperson may agree to extend any period specified in subsections (2) to
person proposing to commence proceedings, the Chairperson is satisfied that exceptional circumstances prevented proceedings from being commenced within the specified period. Compare: 1993 No 28 s 83
The Director may appear and be heard in person or by a lawyer—
in any proceedings commenced in the Tribunal under section 98; and
in proceedings commenced in any court relating to the proceedings com‐ menced in the Tribunal under this Part.
If the Director appears in any proceedings,—
the Director has the same rights as the parties to the proceedings to—
call evidence on any matter; and
examine, cross-examine, and re-examine witnesses; and
the Tribunal or court may order—
any party to pay the costs incurred by the Director by reason of the Director’s appearance; or
the Director to pay the costs incurred by any or all of the parties by reason of the Director’s appearance.
If the Director declines to appear and be heard in any proceedings,—
the Commissioner may instead appear and be heard in the proceedings; and
subsection (2) applies to the Commissioner in the same way as it applies to the Director.
Nothing in this section limits or affects—
section 110(1); or
any power of a court to award costs in any proceedings to which the Director is a party. Compare: 1993 No 28 s 86(1)–(3), (5), (6)
If an apology is given by an agency in connection with an action alleged to be an interference with the privacy of an individual, it is not admissible as evi‐ dence in any civil proceedings against the agency under this Part except as pro‐ vided in subsection (2).
An agency may bring evidence of the apology for the purpose of the Tribunal’s assessing of remedies to be awarded against the agency.
Privacy Act 2020 Version as at 6 December 2023
If any provision of this Act, or any code of practice, excepts or exempts any action from being an interference with the privacy of an individual, the defend‐ ant has the onus of proving that exception or exemption in any proceedings under this Part. Compare: 1993 No 28 s 87
This section applies if proceedings are commenced in the Tribunal in respect of an action that is alleged to be an interference with the privacy of an individual.
If, in the proceedings, the Tribunal is satisfied on the balance of probabilities that any action of the defendant is an interference with the privacy of 1 or more individuals, the Tribunal may grant 1 or more of the following remedies:
a declaration that the action of the defendant is an interference with the privacy of 1 or more individuals:
an order restraining the defendant from continuing or repeating the inter‐ ference, or from engaging in, or causing or permitting others to engage in, conduct of the same kind as that constituting the interference, or con‐ duct of any similar kind specified in the order:
damages in accordance with section 103:
an order that the defendant perform any acts specified in the order with a view to remedying the interference, or redressing any loss or damage suffered by the aggrieved individual or aggrieved individuals as a result of the interference, or both:
any other relief that the Tribunal considers appropriate.
It is not a defence to proceedings that the interference was unintentional or without negligence on the part of the defendant, but the Tribunal must take the conduct of the defendant into account in deciding what, if any, remedy to grant. Compare: 1993 No 28 s 85(1), (4)
In any proceedings, the Tribunal may award damages against the defendant for an interference with the privacy of an individual in respect of 1 or more of the following:
pecuniary loss suffered as a result of the transaction or activity out of which the interference arose:
expenses reasonably incurred by the aggrieved individual for the pur‐ pose of the transaction or activity out of which the interference arose:
loss of any benefit, whether or not of a monetary kind, that the aggrieved individual might reasonably have been expected to obtain but for the interference: Version as at
Privacy Act 2020 Part 5 s 103
humiliation, loss of dignity, and injury to the feelings of the aggrieved individual.
If the proceedings are brought on behalf of more than 1 aggrieved individual, the Tribunal may award damages under subsection (1) to each aggrieved indi‐ vidual.
Subsection (1) is subject to subpart 1 of Part 2 of the Prisoners’ and Victims’ Claims Act 2005.
The Director must pay damages recovered under this section to the aggrieved individual on whose behalf the proceedings were brought.
Subsection (4) is subject to subsections (6) to (8).
If the aggrieved individual is a minor who is not married or not in a civil union, the Director may decide to pay the damages to Public Trust or to any person or trustee corporation acting as the manager of any property of the aggrieved indi‐ vidual.
If the aggrieved individual is a mentally disordered person within the meaning of section 2 of the Mental Health (Compulsory Assessment and Treatment) Act 1992 whose property is not being managed under the Protection of Personal and Property Rights Act 1988, the Director may decide to pay the damages to Public Trust.
If the aggrieved individual is a person whose property is being managed under the Protection of Personal and Property Rights Act 1988, the Director must ascertain whether the terms of the property order cover management of money received as damages and,—
if damages fall within the terms of the property order, the Director must pay the damages to the person or trustee corporation acting as the prop‐ erty manager; or
if damages do not fall within the terms of the property order, the Director may decide to pay the damages to Public Trust.
If money is paid to Public Trust under subsection (6), (7), or (8),—
sections 103 to 110 of the Contract and Commercial Law Act 2017 apply in the case of a minor who is not married or not in a civil union; and
sections 108D, 108F, and 108G of the Protection of Personal and Prop‐ erty Rights Act 1988 apply, with any necessary modifications, in the case of a person referred to in subsection (7) or (8)(b); and
section 108E of the Protection of Personal and Property Rights Act 1988 applies, with any necessary modifications, in the case of an individual referred to in subsection (8)(a). Compare: 1993 No 28 s 88; 1994 No 88 s 57
Privacy Act 2020 Version as at 6 December 2023
If an agency has not complied with an access direction, or lodged an appeal under section 105, an aggrieved individual may apply to the Tribunal for an access order requiring the agency to comply with the access direction.
If the Tribunal grants an application, the Tribunal must specify in the access order the date by which the agency must comply with the access direction.
An application under this section may be heard by the Chairperson sitting alone unless the Chairperson considers that, because of the issues involved, it would be more appropriate for the application to be heard by the Tribunal.
An agency that, without reasonable excuse, fails to comply with an access order commits an offence and is liable on conviction to a fine not exceeding $10,000.
An agency against which an access direction has been made may appeal to the Tribunal against the direction.
The parties to the appeal are the parties to the investigation.
An appeal under section 105 must be lodged with the Tribunal within 20 work‐ ing days from the date of the notice given to the parties under section 91(7) (the appeal period).
The Chairperson may accept an appeal lodged not later than 3 months after the appeal period if, on an application made for that purpose by the party lodging the appeal, the Chairperson is satisfied that exceptional circumstances preven‐ ted the appeal from being lodged within the appeal period.
The Chairperson of the Tribunal may make an interim order suspending an access direction until an appeal is determined if the Chairperson is satisfied that it is necessary and in the interests of justice to make the order.
If an interim order is made under subsection (1), a party may apply to the High Court to vary or rescind the order, unless the order was made with that party’s consent.
An application under subsection (2) may be—
made only with the leave of the Chairperson:
made instead of, but not as well as, an appeal against the interim order under section 123(1) of the Human Rights Act 1993. Version as at
Privacy Act 2020 Part 5 s 109
An interim order may be made under subsection (1) (and varied or rescinded by the High Court under subsection (2)) whether or not the Chairperson or a Deputy Chairperson of the Tribunal makes an interim order under section 95 of the Human Rights Act 1993 (that may be varied or rescinded by the High Court under section 96 of that Act). Section 107(2): amended, on 30 November 2022, by section 95(1) of the Statutes Amendment Act 2022 (2022 No 75). Section 107(4): inserted, on 30 November 2022, by section 95(2) of the Statutes Amendment Act 2022 (2022 No 75).
The Tribunal may require the Commissioner to provide either or both of the following:
a written report setting out the considerations to which the Commis‐ sioner had regard in making the access direction:
any information held by the Commissioner relating to the making of the access direction that is required to determine the appeal.
At the hearing of an appeal (other than an appeal determined on the papers), the Commissioner is entitled to appear in person, or by a representative, and be heard.
The Tribunal may determine an appeal by—
confirming the direction appealed against:
modifying the direction appealed against:
reversing the direction appealed against.
The Tribunal may award damages in accordance with section 103.
This section applies if—
proceedings are commenced in the Tribunal under section 97 or 98 in respect of a complaint about a decision made by an agency under subpart 1 of Part 4 to refuse access to personal information; or
an appeal is lodged in the Tribunal under section 105 against an access direction directing an agency to provide access to personal information.
During the proceedings the Tribunal may, for the purpose of determining whether the agency may properly refuse access to personal information, do either or both of the following:
require the agency to produce the personal information to the members of the Tribunal, but to no other person:
Privacy Act 2020 Version as at 6 December 2023
allow the agency to give evidence and make submissions in the absence of—
other parties; and
all lawyers (if any) representing those other parties; and
all members of the public.
However, the Tribunal may only exercise the powers in subsection (2) if it is necessary to do so to avoid compromising the matters that the agency considers justify refusing access to the personal information.
In any proceedings under section 97, 98, 104, or 105, the Tribunal may award costs against either party whether or not it makes any other order.
If, in any proceedings before the Tribunal or a court, costs are ordered to be paid by the Director, those costs must be paid by the Commissioner.
The Commissioner is not entitled to be indemnified by an aggrieved individual in respect of any costs the Commissioner is required to pay under subsection (2). Compare: 1993 No 28 ss 85(2), (3), 86(4)
Except to the extent modified by this subpart, the provisions of the Human Rights Act 1993 specified in subsection (2) apply to proceedings under section 97, 98, 104, or 105 of this Act as if they were proceedings under the Human Rights Act 1993.
The provisions of the Human Rights Act 1993 referred to in subsection (1) are—
sections 92Q to 92W; and
Part 4, except—
sections 97, 108A, and 108B, in relation to proceedings com‐ menced under section 97, 98, or 104 of this Act; and
sections 97, 108A, and 108B in relation to proceedings com‐ menced under section 105 of this Act. Compare: 1993 No 28 s 89 Section 111(2)(b)(ii): amended, on 30 November 2022, by section 96 of the Statutes Amendment Act 2022 (2022 No 75). Version as at
Privacy Act 2020 Part 6 s 112
Notifiable privacy breaches and compliance notices Subpart 1—Notifiable privacy breaches
In this subpart,— affected individual, in relation to personal information that is the subject of a privacy breach,—
means the individual to whom the information relates; and
includes an individual inside or outside New Zealand; and
despite the definition of individual in section 7(1), includes a deceased person—
if a sector-specific code of practice issued under section 32 speci‐ fies that the code applies to information about deceased persons; and
to the extent that the code of practice applies 1 or more IPPs to that information notifiable privacy breach—
means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so (see section 113 for factors that must be considered by an agency when assessing whether a privacy breach is likely to cause serious harm); but
does not include a privacy breach if the personal information that is the subject of the breach is held by an agency who is an individual and the information is held solely for the purposes of, or in connection with, the individual’s personal or domestic affairs privacy breach, in relation to personal information held by an agency,—
means—
unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
an action that prevents the agency from accessing the information on either a temporary or permanent basis; and
includes any of the things listed in paragraph (a)(i) or an action under paragraph (a)(ii), whether or not it—
was caused by a person inside or outside the agency; or
is attributable in whole or in part to any action by the agency; or
is ongoing.
Privacy Act 2020 Version as at 6 December 2023
For the purposes of this subpart, the meanings of access, disclosure, and loss are not limited by the use of those words or the meanings ascribed to them elsewhere in this Act.
When an agency is assessing whether a privacy breach is likely to cause ser‐ ious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:
any action taken by the agency to reduce the risk of harm following the breach:
whether the personal information is sensitive in nature:
the nature of the harm that may be caused to affected individuals:
the person or body that has obtained or may obtain personal information as a result of the breach (if known):
whether the personal information is protected by a security measure:
any other relevant matters.
An agency must notify the Commissioner as soon as practicable after becom‐ ing aware that a notifiable privacy breach has occurred.
An agency must notify an affected individual as soon as practicable after becoming aware that a notifiable privacy breach has occurred, unless subsec‐ tion (2) or an exception in section 116 applies or a delay is permitted under section 116(4).
If it is not reasonably practicable to notify an affected individual or each mem‐ ber of a group of affected individuals, the agency must instead give public notice of the privacy breach, unless an exception in section 116 applies or a delay is permitted under section 116(4).
Public notice must be given—
in a form in which no affected individual is identified; and
in accordance with any regulations made under section 215(1)(a).
If subsection (2) or an exception in section 116 is relied on, the agency must notify the affected individual or individuals at a later time if—
circumstances change so that subsection (2) or the exception no longer applies; and
at that later time, there is or remains a risk that the privacy breach will cause serious harm to the affected individual or individuals. Version as at
Privacy Act 2020 Part 6 s 116
A failure to notify an affected individual or give public notice under this sec‐ tion may be an interference with privacy under this Act (see section 69(2)(a)(iv)).
An agency is not required to notify an affected individual or give public notice of a notifiable privacy breach if the agency believes that the notification or notice would be likely to—
prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand; or
prejudice the maintenance of the law by any public sector agency, including the prevention, investigation, and detection of offences, and the right to a fair trial; or
endanger the safety of any person; or
reveal a trade secret.
An agency is not required to notify an affected individual or give public notice (relating to a particular individual) of a notifiable privacy breach—
if the individual is under the age of 16 and the agency believes that the notification or notice would be contrary to that individual’s interests; or
if, after consultation is undertaken by the agency with the individual’s health practitioner (where practicable), the agency believes that the noti‐ fication or notice would be likely to prejudice the health of the indi‐ vidual.
If subsection (2) applies, the agency must—
consider whether it would be appropriate to notify a representative instead of the individual (if a representative is known or can be readily identified); and
before deciding whether to notify a representative, take into account the circumstances of both the individual and the privacy breach; and
if the agency decides it is appropriate to notify a representative and has identified a representative, notify that person.
An agency may delay notifying an affected individual (or a representative) or giving public notice of a notifiable privacy breach (but not delay notifying the Commissioner) only—
if the agency believes that a delay is necessary because notification or public notice may have risks for the security of personal information held by the agency and those risks outweigh the benefits of informing affected individuals; and
Privacy Act 2020 Version as at 6 December 2023
for a period during which those risks continue to outweigh those bene‐ fits.
An agency may rely on an exception, or delay in notifying affected individuals or giving public notice, under this section and, in relation to a delay, do so for the period referred to in subsection (4)(b), only if the agency believes on reasonable grounds that the exception applies, the ground for delay exists, or the circumstances referred to in subsection (4)(b) (relating to the period of delay) continue to exist.
In this section,— health practitioner has the meaning given to it in section 49(2) representative,—
of an affected individual under the age of 16, means that individual’s parent or guardian:
of an affected individual aged 16 or over, means an individual appearing to be lawfully acting on that individual’s behalf or in that individual’s interests. Compare: 1956 No 65 s 22B; 1982 No 156 s 6
A notification to the Commissioner under section 114 must—
describe the notifiable privacy breach, including—
the number of affected individuals (if known); and
the identity of any person or body that the agency suspects may be in possession of personal information as a result of the privacy breach (if known); and
explain the steps that the agency has taken or intends to take in response to the privacy breach, including whether any affected individual has been or will be contacted; and
if the agency is relying on section 115(2) to give public notice of the breach, set out the reasons for relying on that section; and
if the agency is relying on an exception, or is delaying notifying an affected individual or giving public notice, under section 116, state the exception relied on and set out the reasons for relying on it or state the reasons why a delay is needed and the expected period of delay; and
state the names or give a general description of any other agencies that the agency has contacted about the privacy breach and the reasons for having done so; and
give details of a contact person within the agency for inquiries.
A notification to an affected individual under section 115 or a representative under section 116(3) must— Version as at
Privacy Act 2020 Part 6 s 119
describe the notifiable privacy breach and state whether the agency has or has not identified any person or body that the agency suspects may be in possession of the affected individual’s personal information (but, except as provided in subsection (3), must not include any particulars that could identify that person or body); and
explain the steps taken or intended to be taken by the agency in response to the privacy breach; and
where practicable, set out the steps the affected individual may wish to take to mitigate or avoid potential loss or harm (if any); and
confirm that the Commissioner has been notified under section 114; and
state that the individual has the right to make a complaint to the Com‐ missioner; and
give details of a contact person within the agency for inquiries.
A notification to an affected individual or their representative may identify a person or body that has obtained or may obtain that affected individual’s per‐ sonal information (where the identity is known) if the agency believes on reasonable grounds that identification is necessary to prevent or lessen a ser‐ ious threat to the life or health of the affected individual or another individual.
A notification to an affected individual must not include any particulars about any other affected individuals.
In order to comply with the requirement under sections 114 and 115 that notifi‐ cation must be made as soon as practicable, an agency may provide the infor‐ mation required by this section incrementally. However, any information that is available at any point in time must be provided as soon as practicable after that point in time.
An agency that, without reasonable excuse, fails to notify the Commissioner of a notifiable privacy breach under section 114 commits an offence and is liable on conviction to a fine not exceeding $10,000.
It is not a defence to a charge under this section that the agency has taken steps to address the privacy breach.
It is a defence to a charge under this section that the agency did not consider the privacy breach to be a notifiable privacy breach, but only if it was reason‐ able to do so in the circumstances.
Section 211 (which refers to the liability of employers, principals, and agen‐ cies) does not apply to processes or proceedings under this Act relating to the obligations under section 114 or 115.
Privacy Act 2020 Version as at 6 December 2023
This section applies to processes and proceedings under this Act relating to the obligations under section 114 or 115.
An officer, an employee, or a member of an agency is not liable in those pro‐ cesses or proceedings if anything done or omitted by them results in the employer or agency failing to notify the Commissioner or an affected person (or their representative) or give public notice of a notifiable privacy breach.
For the purpose of those processes and proceedings, anything done or omitted by an officer, an employee, or a member of an agency is to be treated as being done or omitted by the employer or agency.
For the purpose of those processes and proceedings, anything done or omitted by an agent of another agency is to be treated as being done or omitted by both the agent and the principal agency.
However, the extent of liability of an agent is affected by whether they hold personal information that is the subject of a notifiable privacy breach. See the definition of privacy breach in section 112 and see section 11, which applies and which provides that information held by an agent is to be treated as being held by the principal agency unless section 11(3) applies. Section 120 heading: amended, on 30 November 2022, by section 97(1) of the Statutes Amendment Act 2022 (2022 No 75). Section 120(2): amended, on 30 November 2022, by section 97(2) of the Statutes Amendment Act 2022 (2022 No 75). Section 120(3): amended, on 30 November 2022, by section 97(3) of the Statutes Amendment Act 2022 (2022 No 75).
Subsection (2) applies to processes and proceedings under this Act relating to the obligations under section 114 or 115.
Anything relating to a notifiable privacy breach that is known by an officer, an employee, or a member of an agency is to be treated as being known by the employer or agency.
Subsection (4) applies to processes and proceedings under this Act relating to the obligations under section 114 or 115 except a proceeding under section 118.
Anything relating to a notifiable privacy breach that is known by an agent is to be treated as being known by the principal agency. Section 121 heading: amended, on 30 November 2022, by section 98(1) of the Statutes Amendment Act 2022 (2022 No 75). Section 121(2): amended, on 30 November 2022, by section 98(2) of the Statutes Amendment Act 2022 (2022 No 75). Version as at
Privacy Act 2020 Part 6 s 124
The Commissioner may publish the identity of an agency that has notified the Commissioner of a notifiable privacy breach if—
the agency consents to publication; or
the Commissioner is satisfied that it is in the public interest to do so.
This section does not prevent the publication of details of any notifiable pri‐ vacy breach in a form in which the agency or any affected individual is not identified and for the purpose of informing the public about the extent and nature of privacy breaches. Subpart 2—Compliance notices
The Commissioner may issue a compliance notice to an agency if the Commis‐ sioner considers that 1 or more of the following may have occurred:
a breach of this Act, including an action listed in section 69(2)(a):
an action that is to be treated as a breach of an IPP or an interference with the privacy of an individual under another Act:
a breach of a code of practice issued under this Act or a code of conduct (or similar) issued under another Act (if a complaint about a breach of the code can be the subject of a complaint under Part 5 of this Act).
Before issuing a compliance notice, the Commissioner may, but is not required to,—
assess whether any person has suffered harm (for example, the types of harm listed in section 69(2)(b)):
use other means under this Act or another Act for dealing with the breach.
A compliance notice may be issued at any time, including concurrently with the use of any other means for dealing with the breach. Example The Commissioner issues a compliance notice while dealing with the same breach as a complaint under Part 5.
The Commissioner must consider the following factors before issuing a com‐ pliance notice:
whether there is another means under this Act or another Act for dealing with the breach:
the seriousness of the breach:
the likelihood of a repeat of the breach:
Privacy Act 2020 Version as at 6 December 2023
the number of people who may be or are affected by the breach:
whether the agency has been co-operative in all dealings with the Com‐ missioner:
the likely costs to the agency of complying with the notice.
However, each of those factors need be considered only to the extent that—
it is relevant in the Commissioner’s view:
information about the factor is readily available to the Commissioner.
Before issuing a compliance notice, the Commissioner must provide the agency concerned with a reasonable opportunity to comment on a written notice that—
describes the breach, citing the relevant statutory provision or provi‐ sions; and
summarises the conclusions reached about the factors in subsection (1) that have been considered by the Commissioner; and
describes particular steps that the Commissioner considers need to be taken to remedy the breach (if any) and any conditions the Commis‐ sioner considers appropriate (if any); and
states the date or dates by which the Commissioner proposes that the agency must remedy the breach and report to the Commissioner (if any).
In each case, the Commissioner must determine the period of time that will give the agency a reasonable opportunity to comment, taking into account the circumstances of the case.
For the purpose of this subpart,— breach means any of the things described in section 123(1)(a) to (c) remedy the breach means to comply with the relevant statutory provision or provisions.
A compliance notice issued to an agency must—
state the name of the agency; and
describe the breach, citing the relevant statutory provision or provisions; and
require the agency to remedy the breach; and
inform the agency of the right of appeal under section 131; and
contain any other information required by any regulations made under section 215(1)(c).
A compliance notice issued to an agency may— Version as at
Privacy Act 2020 Part 6 s 128
identify particular steps that the Commissioner considers need to be taken by the agency to remedy the breach:
include conditions that the Commissioner considers are appropriate:
state the date or dates by which the agency must—
remedy the breach; and
report to the Commissioner on the steps taken to do so:
include other information that the Commissioner considers would be useful. Compare: 1993 No 28 s 114D
An agency that is issued with a compliance notice must take steps to comply with the notice, including taking any particular steps specified in the notice.
The agency must—
comply with the notice as soon as practicable after receiving it unless it is cancelled or suspended; and
if applicable, remedy the breach by the date stated in the notice unless that date is varied or modified.
The Commissioner may vary or cancel a compliance notice at any time if the Commissioner considers that—
any of the information listed in section 125 needs to be added to or amended in the notice; or
all or part of the notice has been complied with; or
all or part of the notice is no longer needed.
The Commissioner must give written notice to the agency concerned of a deci‐ sion under this section.
The notice must inform the agency of the right to appeal under section 131.
A variation or cancellation of a compliance notice takes effect on the first working day after the day on which the notice of the decision is given to the agency. Compare: 1993 No 28 s 114E
Before deciding whether to issue a compliance notice or to vary or cancel a compliance notice, the Commissioner may hear or obtain information from any person who the Commissioner considers may have relevant information.
Sections 86 to 90 apply as if the Commissioner were carrying out an investiga‐ tion under Part 5.
Privacy Act 2020 Version as at 6 December 2023
Except as provided for in sections 86 to 90, the Commissioner may regulate the Commissioner’s procedure as the Commissioner considers appropriate. Compare: 1993 No 28 ss 90, 114C
The Commissioner may publish or delay publication of any of the following information if the Commissioner believes it is desirable to do so in the public interest:
the identity of an agency to whom or which a compliance notice has been issued:
other details about the compliance notice or the breach that is the subject of the notice, that the Commissioner considers should be published:
a statement or comment about the breach, that the Commissioner con‐ siders is appropriate in the circumstances.
The Commissioner may take enforcement proceedings in the Tribunal—
if the time for an appeal under section 131 has passed and no appeal has been lodged against a compliance notice; and
if—
the Commissioner has reason to believe that the agency has not remedied or will not remedy the breach (if applicable, by the date stated in the notice); or
the agency has failed to report to the Commissioner on the steps taken to remedy the breach by the date stated in the notice.
An agency may object to enforcement of a compliance notice only on the ground that the agency believes that the notice has been fully complied with.
In proceedings under this section, the Tribunal—
must not examine or make any determination about the issuing or merits of a compliance notice:
may examine and make a determination about whether a compliance notice has been fully complied with:
may order a remedy under section 133(1)(a).
Proceedings under this section may be heard by the Chairperson sitting alone unless the Chairperson considers that, because of the issues involved, it would be more appropriate for the proceedings to be heard by the Tribunal. Compare: 1988 No 110 s 45 Version as at
Privacy Act 2020 Part 6 s 132
An agency that has been issued with a compliance notice may appeal to the Tri‐ bunal—
against all or part of the notice; or
against a decision by the Commissioner to vary or cancel the notice.
An appeal must be lodged within 15 working days from the day on which the compliance notice is issued or the notice of the decision is given to the agency.
The Tribunal may allow an appeal and order a remedy under section 133(1)(b) if it considers that—
the compliance notice or decision against which the appeal is brought is not in accordance with the law; or
to the extent that the compliance notice or decision involved an exercise of discretion by the Commissioner, the Commissioner ought to have exercised that discretion differently; or
the agency has fully complied with the compliance notice.
The Tribunal may review any determination of fact on which the compliance notice or decision was based.
The Tribunal must not cancel or modify a compliance notice for the reason that—
the breach was unintentional or without negligence on the part of the agency; or
the agency has taken steps to remedy the breach, unless there is no fur‐ ther reasonable step that the agency can take to do so. Compare: 1993 No 28 s 114G
The Chairperson may make an interim order suspending all or part of a compli‐ ance notice until an appeal is determined if satisfied that it is necessary and in the interests of justice to make the order.
If an interim order is made, a party may apply to the High Court to vary or rescind the order, unless the order was made under subsection (1) with that par‐ ty’s consent.
An application under subsection (2) may be—
made only with the leave of the Tribunal:
made instead of, but not as well as, an appeal against the interim order under section 123(1) of the Human Rights Act 1993.
An interim order may be made under subsection (1) (and varied or rescinded by the High Court under subsection (2)) whether or not the Chairperson or a
Privacy Act 2020 Version as at 6 December 2023 Deputy Chairperson of the Tribunal makes an interim order under section 95 of the Human Rights Act 1993 (that may be varied or rescinded by the High Court under section 96 of that Act). Compare: 1993 No 82 ss 95, 96 Section 132(2): amended, on 30 November 2022, by section 99(1) of the Statutes Amendment Act 2022 (2022 No 75). Section 132(4): inserted, on 30 November 2022, by section 99(2) of the Statutes Amendment Act 2022 (2022 No 75).
The Tribunal may,—
in enforcement proceedings under section 130, grant 1 or both of the fol‐ lowing remedies:
an order that the agency comply with a compliance notice by a date specified in the order (which may vary from the date origin‐ ally stated in the notice):
an order that the agency perform any act specified in the order by a date specified in the order (for example, reporting to the Com‐ missioner on progress in complying with the compliance notice):
in an appeal under section 131, grant 1 or both of the following remed‐ ies:
an order that confirms, cancels, or modifies the compliance notice; or
an order that confirms, overturns, or modifies the decision:
in either type of proceeding, award costs as the Tribunal considers appropriate.
An award of costs may, on registration of a certified copy of the Tribunal’s decision, be enforced in the District Court as if it were an order of that court.
An agency that, without reasonable excuse, fails to comply with an order under subsection (1)(a) or with a compliance notice that is confirmed or modified under subsection (1)(b)(i) commits an offence and is liable on conviction to a fine not exceeding $10,000. Compare: 1993 No 28 s 85; 1993 No 82 s 121
Except to the extent modified by this subpart, Part 4 of the Human Rights Act 1993 (except sections 97, 108A, and 108B) applies to proceedings under this subpart with any necessary modifications. Compare: 1993 No 28 s 114H Section 134: amended, on 30 November 2022, by section 100 of the Statutes Amendment Act 2022 (2022 No 75). Version as at
Privacy Act 2020 Part 7 s 137
In proceedings under this subpart, the Commissioner is entitled to appear in person or to be represented by a lawyer or an agent.
Sharing, accessing, and matching personal information Subpart 1—Information sharing
The purpose of this subpart is to authorise agencies to share personal informa‐ tion in accordance with an approved information sharing agreement to facilitate the provision of public services. Compare: 1993 No 28 s 96A
To avoid doubt, nothing in this subpart—
limits the collection, use, or disclosure of personal information that is authorised or required by or under any enactment; or
compels agencies to enter into an information sharing agreement if those agencies are already allowed to share personal information—
by or under any other enactment; or
because an exemption from or a modification to 1 or more of the IPPs or any code of practice is not required to make the sharing of the information lawful.
This subpart and subparts 2 to 4 do not limit one another.
An information sharing agreement may—
duplicate an information sharing provision by providing for an agency to share the same personal information specified in the information sharing provision—
with the same agencies specified in the information sharing provi‐ sion; and
for the same purposes specified in the information sharing provi‐ sion; or
extend an information sharing provision that is not a restricted informa‐ tion sharing provision by providing for an agency to share the same per‐ sonal information specified in the information sharing provision—
Privacy Act 2020 Version as at 6 December 2023
with the same agencies specified in the information sharing provi‐ sion for a purpose not specified in the information sharing provi‐ sion; or
with an agency not specified in the information sharing provision for a purpose specified in the information sharing provision; or
with an agency not specified in the information sharing provision and for a purpose not specified in the information sharing provi‐ sion; or
duplicate a restricted information sharing provision by providing for an agency to share the same personal information as specified in the restric‐ ted information sharing provision—
with the same agencies specified in the restricted information sharing provision; and
for the same purposes specified in the restricted information shar‐ ing provision; or
extend in any manner specified in paragraph (b) a restricted information sharing provision, but only if—
the restricted information sharing provision is an information matching provision (as defined in section 177); or
there is express statutory authorisation to do so.
In subsection (3),— information sharing provision means a provision in any enactment other than this Act that authorises or requires the sharing of personal information by an agency with 1 or more other agencies for 1 or more specified purposes restricted information sharing provision means an information sharing pro‐ vision that expressly restricts the purposes for which the personal information may be shared to those purposes specified. Compare: 1993 No 28 s 96B
In this subpart, unless the context otherwise requires,— adverse action has the meaning given to it in section 177 agency means a New Zealand agency that is—
a public sector agency; or
a New Zealand private sector agency approved information sharing agreement means an information sharing agreement approved by an Order in Council that is for the time being in force department—
means— Version as at
Privacy Act 2020 Part 7 s 138
a government department named in Part 1 of Schedule 1 of the Ombudsmen Act 1975:
an interdepartmental venture:
a departmental agency hosted by a government department named in Part 1 of Schedule 1 of the Ombudsmen Act 1975; and
includes—
the New Zealand Police:
the New Zealand Transport Agency information sharing agreement or agreement means an agreement between or within agencies that enables the sharing of personal information (whether or not the sharing also includes information that is not personal information) to facilitate the provision of a public service lead agency means a department, part of a public sector agency that is a department, or specified organisation that enters into an information sharing agreement and is designated as the lead agency in—
the agreement; and
the Order in Council approving the agreement local authority means a local authority or public body named or specified in Schedule 1 of the Local Government Official Information and Meetings Act 1987 New Zealand private sector agency has the meaning given to it in section 7(1) Order in Council, except in section 161, means an Order in Council made under section 145(1) organisation means—
an organisation named in Part 2 of Schedule 1 of the Ombudsmen Act 1975; and
an organisation named in Schedule 1 of the Official Information Act 1982 overseas agency means an agency that is not a New Zealand agency public sector agency means a department, an organisation, or a local authority public service means a public function or duty that is conferred or imposed on a public sector agency—
by or under law; or
by a policy of the Government relevant Minister means the Minister who, under the authority of any warrant or with the authority of the Prime Minister, is for the time being responsible for a lead agency
Privacy Act 2020 Version as at 6 December 2023 sharing, in relation to any information referred to in an approved information sharing agreement, means all or any of the following activities if authorised by an approved information sharing agreement:
collecting the information:
storing the information:
checking the information:
using the information:
disclosing the information:
exchanging the information:
if necessary, assigning a unique identifier to an individual specified organisation means any of the following organisations:
the Accident Compensation Corporation:
the Civil Aviation Authority of New Zealand:
Health New Zealand:
the Earthquake Commission:
Education New Zealand:
Fire and Emergency New Zealand:
Housing New Zealand Corporation:
the New Zealand Qualifications Authority:
the Tertiary Education Commission:
WorkSafe New Zealand:
Māori Health Authority. Compare: 1993 No 28 s 96C Section 138 department: replaced, on 7 August 2020, by section 127 of the Public Service Act 2020 (2020 No 40). Section 138 specified organisation paragraph (c): replaced, on 1 July 2022, by section 104 of the Pae Ora (Healthy Futures) Act 2022 (2022 No 30). Section 138 specified organisation paragraph (k): inserted, on 1 July 2022, by section 104 of the Pae Ora (Healthy Futures) Act 2022 (2022 No 30).
An approved information sharing agreement may authorise an agency to share any personal information with 1 or more other agencies in accordance with the terms of the agreement. Compare: 1993 No 28 s 96D Version as at
Privacy Act 2020 Part 7 s 142
An approved information sharing agreement may authorise a part of an agency to share any personal information with 1 or more parts of the same agency in accordance with the terms of the agreement. Compare: 1993 No 28 s 96E
Two or more of the following agencies may enter into an information sharing agreement:
a public sector agency:
a New Zealand private sector agency:
a part of a public sector agency:
a part of a New Zealand private sector agency.
An agency of the kind specified in subsection (1) that enters into an informa‐ tion sharing agreement must be named as a party to the agreement.
Subsection (1) is subject to subsections (4) and (5).
An overseas agency may not enter into an information sharing agreement.
At least 1 of the agencies that enters into an information sharing agreement must be—
a public sector agency that is a department; or
part of a public sector agency that is a department; or
a specified organisation; or
part of a specified organisation. Compare: 1993 No 28 s 96F
For the purposes of this section,— class of agencies excludes—
a class of departments:
a class of specified organisations member of a class of agencies excludes—
a department:
a specified organisation:
a part of a department:
a part of a specified organisation.
An information sharing agreement may specify 1 or more classes of agencies to which the agreement may apply.
At any time after an agreement has been entered into, the lead agency may—
Privacy Act 2020 Version as at 6 December 2023
agree to an agency that is a member of a class of agencies specified in the agreement becoming a party to the agreement; and
name that agency as a party in a schedule to the agreement (the Sched‐ ule of Parties).
If at any time an agency named in the Schedule of Parties no longer wishes to be a party to the agreement, the lead agency must, on the request of that agency, remove the agency’s name from the Schedule of Parties.
A lead agency need not obtain the consent of any other party to the agreement before—
naming an agency in the Schedule of Parties; or
removing the name of an agency from the Schedule of Parties.
A lead agency must, after doing either of the things referred to in subsection (5), provide the other parties to the information sharing agreement (including the agency whose name has been added to, or removed from, the Schedule of Parties) with a copy of the Schedule of Parties or amended Schedule of Parties, as the case may be.
An agency that becomes a party to the agreement under subsection (3) may, but need not, share or participate in the sharing of any personal information with 1 or more other agencies in accordance with the terms of the agreement.
Unless the context otherwise requires, every reference in this Part to a party to an information sharing agreement includes an agency named as a party in a Schedule of Parties. Compare: 1993 No 28 s 96G
In this section, specified agency means—
a public sector agency that is a department; or
part of a public sector agency that is a department; or
a specified organisation.
If only 1 specified agency is a party to an information sharing agreement, that agency must be designated as the lead agency for the agreement.
If 2 or more specified agencies are parties to an information sharing agreement, the parties to the agreement may agree between themselves which of the speci‐ fied agencies is to be designated as the lead agency. Compare: 1993 No 28 s 96H
An information sharing agreement must be in writing.
An information sharing agreement must— Version as at
Privacy Act 2020 Part 7 s 145
specify with due particularity the purpose of the information sharing agreement:
set out the information referred to in section 146:
contain an overview of the operational details about the sharing of infor‐ mation under the agreement:
specify the safeguards that will apply to protect the privacy of individu‐ als and ensure that any interference with their privacy is minimised:
if a party to the agreement is a New Zealand private sector agency, state which public sector agency will be responsible for dealing with com‐ plaints about an alleged interference with privacy if the New Zealand private sector agency is unable to be held accountable for those com‐ plaints:
state that every party to the agreement must give any reasonable assist‐ ance that is necessary in the circumstances to allow the Commissioner or an individual who wishes to make a complaint about an interference with privacy to determine the agency against which the complaint should be made:
if entered into under section 142,—
designate an agency as the lead agency; and
specify with due particularity the class of agencies to which the agreement may apply; and
include a schedule that sufficiently identifies the agencies within that class that are parties to the agreement.
An information sharing agreement may specify any other terms or conditions that the parties may agree to, including—
the fees and charges that are payable under the agreement; and
any other business processes relating to the sharing of information under the agreement. Compare: 1993 No 28 s 96I
The Governor-General may, by Order in Council made on the recommendation of the relevant Minister, approve an information sharing agreement.
An Order in Council may grant an exemption from or modify the application of—
1 or more of the IPPs (except IPPs 6 and 7):
any code of practice (except a code of practice that modifies IPPs 6 and 7).
Privacy Act 2020 Version as at 6 December 2023
An Order in Council that, under subsection (2), grants an exemption from 1 or more of the IPPs or a code of practice may provide that the exemption is unconditional or is subject to any conditions that are prescribed in the Order in Council.
An Order in Council that, under subsection (2), modifies the application of 1 or more of the IPPs or any code of practice may do so by prescribing standards that are more stringent or less stringent than the standards that are prescribed by the IPP or, as the case may be, the code of practice.
An order under this section is secondary legislation (see Part 3 of the Legis‐ lation Act 2019 for publication requirements). Compare: 1993 No 28 s 96J Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 145(5): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
An Order in Council made under section 145(1) must—
state, if applicable,—
the nature of the exemption granted under section 145(2) and the conditions of the exemption (if any):
how any IPPs or codes of practice will be modified under section 145(2):
state the public service or public services the provision of which the information sharing agreement is intended to facilitate:
specify with due particularity the personal information or the type of personal information to be shared under the agreement:
set out the parties, or classes of parties, to the agreement and designate one of the parties as the lead agency:
for every party to the agreement,—
describe the personal information or type of personal information that the party may share with each of the other parties; and
state how the party may use the personal information; and
state the adverse actions that the party can reasonably be expected to take as a result of the sharing of personal information under the agreement; and Version as at
Privacy Act 2020 Part 7 s 147
specify the procedure that the party must follow before taking adverse action against an individual as a result of the sharing of personal information received under the agreement if the require‐ ment in section 152(1) does not apply because of section 153(a)(ii):
for every class of agency to which the agreement may apply (if any),—
describe the personal information or type of personal information that a member of that class of agency that becomes a party to the agreement (a prospective party) may share with each of the other parties; and
state how a prospective party may use the personal information; and
state the adverse actions that a prospective party can reasonably be expected to take as a result of sharing personal information under the agreement; and
specify the procedure that a prospective party must follow before taking adverse action against an individual as a result of sharing personal information under the agreement if the requirement in section 152(1) does not apply because of section 153(a)(ii):
state the Internet site address where a copy of the agreement can be accessed. Compare: 1993 No 28 s 96K
An Order in Council made under section 145(1) must provide that it comes into force on a date specified in the Order in Council.
An Order in Council made under section 145(1) must insert into Schedule 2—
a description of each of the following:
the public service or the public services the provision of which the agreement is intended to facilitate:
the personal information or type of personal information that may be shared between or within the agencies that are party to the agreement; and
the name of the agreement; and
the name of the lead agency for the agreement; and
the Internet site address where a copy of the agreement can be accessed. Compare: 1993 No 28 s 96L Section 147(1): amended, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
Privacy Act 2020 Version as at 6 December 2023
Section 148: repealed, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
Before recommending the making of an Order in Council under section 145(1), the relevant Minister must—
be satisfied of the matters set out in subsection (2); and
have regard to any submissions made under section 150(1)(a) in relation to the information sharing agreement that is proposed for approval by the Order in Council.
The matters referred to in subsection (1)(a) are as follows:
that the information sharing agreement will facilitate the provision of a particular public service or particular public services:
that the type and quantity of personal information to be shared under the agreement are no more than is necessary to facilitate the provision of that public service or those public services:
that the agreement does not unreasonably impinge on the privacy of individuals and contains adequate safeguards to protect their privacy:
that the benefits of sharing personal information under the agreement are likely to outweigh the financial and other costs of sharing it:
that any potential conflicts or inconsistencies between the sharing of per‐ sonal information under the agreement and any other enactment have been identified and appropriately addressed. Compare: 1993 No 28 s 96N
The parties proposing to enter into an information sharing agreement must, before the proposed agreement is concluded,—
consult and invite submissions on the proposed agreement from—
the Commissioner; and
any person or organisation that the agencies consider represents the interests of the classes of individuals whose personal informa‐ tion will be shared under the proposed agreement; and
any person or organisation that the parties consider represents the interests of any specified class of agency to which the agreement may apply; and Version as at
Privacy Act 2020 Part 7 s 152
any other person or organisation that the agencies consider should be consulted; and
have regard to any submissions made under paragraph (a).
The Commissioner—
must consider the privacy implications of the proposed agreement; and
may make any submissions under subsection (1)(a)(i) that the Commis‐ sioner considers appropriate.
The agencies must give the relevant Minister a copy of the submissions made under subsection (1)(a) (if any). Compare: 1993 No 28 s 96O
If an information sharing agreement is approved by Order in Council, the Com‐ missioner may prepare a report for the relevant Minister on any matter relating to privacy that arises or is likely to arise in respect of the agreement.
Without limiting subsection (1), the Commissioner may include in the report—
any comment that the Commissioner wishes to make about the consult‐ ation that the agencies carried out under section 150(1)(a); and
any submissions that the Commissioner made to the agencies under sec‐ tion 150(1)(a)(i).
The Commissioner—
may publish a report under subsection (1); but
must consult the relevant Minister before doing so. Compare: 1993 No 28 s 96P
A party to an approved information sharing agreement must give written notice to an individual before it takes any adverse action against the individual on the basis (whether in whole or in part) of personal information about the individual that was shared under the agreement.
The notice must—
give details of the adverse action that the party proposes to take and the personal information about the individual on which the action is based; and
state that the individual has 10 working days from the receipt of the notice within which to dispute the correctness of that personal informa‐ tion.
To avoid doubt, the individual who is given the notice may take any steps that are available under any enactment to dispute any proposed adverse action
Privacy Act 2020 Version as at 6 December 2023 against them, but the only basis on which the individual may show cause under this section as to why the proposed adverse action should not be taken is that it is based on incorrect personal information. Compare: 1993 No 28 s 96Q
The requirement to give notice under section 152 applies unless—
an approved information sharing agreement provides that a party to the agreement may—
give a shorter period of notice than the 10-working-day period referred to in section 152(2)(b); or
dispense with the giving of the notice; or
if an approved information sharing agreement does not include a provi‐ sion of the kind specified in paragraph (a), the Commissioner, on the application of a party to an approved information sharing agreement, allows the party in the circumstances of a particular case to—
give a shorter period of notice than the 10-working-day period referred to in section 152(2)(b); or
dispense with the giving of the notice. Compare: 1993 No 28 s 96R
A lead agency for an information sharing agreement must, if the agreement is approved by Order in Council under section 145(1),—
make a copy of the agreement—
available for inspection, free of charge, at the lead agency’s head office on any working day; and
accessible, free of charge, on an Internet site maintained by or on behalf of the lead agency; and
prepare a report on the operation of the agreement at the intervals required by the Commissioner under section 156; and
carry out any other responsibilities imposed by this Part.
A lead agency does not need to comply with subsection (1)(a)(ii) if the relevant Minister designates an Internet site maintained by or on behalf of another pub‐ lic sector agency as the Internet site where a copy of the agreement is to be made accessible free of charge.
To avoid doubt, nothing in this section applies to a party to an information sharing agreement that is not the lead agency except as provided in subsection (2). Compare: 1993 No 28 s 96S Version as at
Privacy Act 2020 Part 7 s 157
A report prepared by a lead agency under section 154(1)(b) must include the matters prescribed in regulations made under section 215(1)(d) that the Com‐ missioner specifies after having regard to—
the costs of reporting:
the degree of public interest in information about the matters prescribed in those regulations:
the significance of the privacy implications of the approved information sharing agreement.
A report must be included—
in the lead agency’s annual report under the Public Finance Act 1989, if it is required annually; or
in the lead agency’s annual report under the Public Finance Act 1989 that immediately follows the end of each interval specified under section 156(1)(b). Compare: 1993 No 28 s 96T
The Commissioner may require a lead agency to prepare a report under section 154(1)(b)—
annually; or
at less frequent intervals that the Commissioner may specify.
In determining the appropriate frequency in subsection (1) of a report under section 154(1)(b), the Commissioner must have regard to—
the costs of reporting:
the degree of public interest in the matters to be included in the report:
the significance of the privacy implications of the approved information sharing agreement. Compare: 1993 No 28 s 96U
This section applies if an approved information sharing agreement is amended (whether in accordance with the Commissioner’s recommendation in a report under section 159 or otherwise).
As soon as practicable after the amendment is made, the lead agency must—
give written notice of the amendment to—
the Commissioner; and
the relevant Minister; and
make a copy of the amendment—
Privacy Act 2020 Version as at 6 December 2023
available for inspection, free of charge, at the lead agency’s head office on any working day; and
accessible, free of charge, on the Internet site where a copy of the agreement is accessible.
The information sharing agreement approved by Order in Council continues to have effect as if the amendment notified under subsection (2) had not been made, unless the Governor-General, by a further Order in Council made on the recommendation of the relevant Minister, approves the agreement as amended by the parties.
Sections 145 to 151 apply, with any necessary modifications, to the approval of the agreement as amended.
Subsection (2)(a), (3), or (4) does not apply if the amendment to an approved information sharing agreement relates only to—
the fees and charges payable under the agreement; or
a name or description of a party to the agreement; or
naming an agency as a party to the agreement under section 142(3); or
removing an agency as a party to the agreement under section 142(4); or
any terms or conditions of the agreement that the lead agency, after con‐ sulting the Commissioner, considers do not, or are unlikely to, have any effect on the privacy implications of the agreement.
An order under subsection (3) is secondary legislation (see Part 3 of the Legis‐ lation Act 2019 for publication requirements). Compare: 1993 No 28 s 96V Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 157(6): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
The Commissioner may at any time, on the Commissioner’s own initiative, conduct a review of the operation of an approved information sharing agree‐ ment.
However, except with the consent of the relevant Minister, no review may be conducted under subsection (1) before the end of the period of 12 months after the Order in Council approving the agreement is made.
In conducting a review, the Commissioner must— Version as at
Privacy Act 2020 Part 7 s 160
consult the following persons and organisations about the review:
the parties to the agreement:
any person or organisation that the Commissioner considers repre‐ sents the interests of the classes of individuals whose personal information is being shared under the agreement; and
consider any submissions made on the review.
The parties to the agreement must take all reasonable steps to co-operate with the review. Compare: 1993 No 28 s 96W
After completing a review under section 158, the Commissioner may provide a report to the relevant Minister if the Commissioner has reasonable grounds to suspect that an approved information sharing agreement is—
operating in an unusual or unexpected way (that is, in a way that was not foreseen by the Commissioner or the parties to the agreement at the time the agreement was entered into):
failing to facilitate the provision of the public service or public services to which it relates:
unreasonably impinging on the privacy of individuals:
operating in such a way that the financial and other costs of sharing per‐ sonal information under the agreement outweigh the benefits of sharing it.
The Commissioner may recommend in the report that—
the agreement should be amended in 1 or more material respects; or
the Order in Council by which the agreement was approved should be revoked. Compare: 1993 No 28 s 96X
The relevant Minister must—
present a copy of a report under section 159(1) to the House of Repre‐ sentatives within 5 working days after receiving it from the Commis‐ sioner or, if Parliament is not in session, as soon as practicable after the commencement of the next session of Parliament; and
as soon as practicable after complying with paragraph (a), present a report to the House of Representatives setting out the Government’s response to the report under section 159(1). Compare: 1993 No 28 s 96Y
Privacy Act 2020 Version as at 6 December 2023
Without limiting the matters that an Order in Council made under section 145 must insert into Schedule 2 in accordance with section 147(2), the Governor- General may, by Order in Council,—
make any amendments to Schedule 2 that are required—
to recognise the abolition or dissolution of any agency that is party to an approved information sharing agreement or any change in the name of such an agency; or
to reflect any change in the Internet site address where a copy of an approved information sharing agreement can be accessed; or
to reflect any amendments to an approved information sharing agreement that are approved under section 157; or
to correct any error or omission in any description in that sched‐ ule:
repeal any description or matter in Schedule 2, including all of the descriptions or matters relating to an approved information sharing agreement if the Order in Council by which it was approved has expired or has been revoked:
otherwise amend or replace Schedule 2.
To avoid doubt, any of the matters set out in this section may be included in an Order in Council made under section 145 or in a separate Order in Council made under this section.
An order under this section is secondary legislation (see Part 3 of the Legis‐ lation Act 2019 for publication requirements). Compare: 1993 No 28 s 96Z Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 161(3): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7). Subpart 2—Identity information
The purpose of this subpart is to authorise accessing agencies, when carrying out specified functions, to verify the identity of an individual by accessing identity information held about that individual by a holder agency. Compare: 1993 No 28 s 109A Version as at
Privacy Act 2020 Part 7 s 164
This subpart does not—
limit the collection, use, or disclosure of personal information that—
is authorised or required by or under any enactment; or
is permitted by the information privacy principles; or
limit subpart 1, 3, or 4. Compare: 1993 No 28 s 109B
In this subpart,— access, in relation to a database, includes remote access to that database accessing agency means an agency specified in the first column of Schedule 3 biometric information, in relation to a person, means information that com‐ prises—
1 or more of the following kinds of personal information:
a photograph of all or any part of the person’s head and shoulders:
impressions of the person’s fingerprints:
a scan of the person’s irises; and
an electronic record of the personal information that is capable of being used for biometric matching database means any information recording system or facility used by an agency to store information holder agency means an agency specified in the third column of Schedule 3 identity information, in relation to an individual, means any information that identifies, or relates to the identity of, the individual, and includes (without limitation) the following information:
the individual’s biographical details (for example, the individual’s name, address, date of birth, place of birth, and gender):
the individual’s biometric information:
a photograph or visual image of the individual:
details of the individual’s—
New Zealand travel document; or
certificate of identity:
details of any distinguishing features (including tattoos and birthmarks). Compare: 1993 No 28 s 109C
Privacy Act 2020 Version as at 6 December 2023
An accessing agency may, for the purpose specified in the second column of Schedule 3 opposite the name of the accessing agency, have access to an indi‐ vidual’s identity information held by a holder agency specified in the third col‐ umn of that schedule opposite the name of the accessing agency. Compare: 1993 No 28 s 109D
Access to identity information permitted under section 165 may be facilitated between a holder agency and an accessing agency in the manner agreed by the agencies (for example, by direct access to information stored in a holder agen‐ cy’s database, or by exchange of information between the agencies).
Identity information that is held by a holder agency and accessed by an access‐ ing agency under section 165 may be made available to the accessing agency in the form agreed by the agencies. Compare: 1993 No 28 s 109E
The chief executive of an accessing agency must include in every annual report prepared by the chief executive for the purposes of section 43 of the Public Finance Act 1989, or any other applicable enactment requiring an annual report to Parliament, details of the operation of this Part and Schedule 3. Compare: 1993 No 28 s 109F
The Governor-General may, by Order in Council made on the recommendation of the responsible Minister given after consultation with the Privacy Commis‐ sioner, amend Schedule 3 by—
inserting, repealing, amending, or replacing any item in Schedule 3; or
repealing Schedule 3 and substituting a new schedule.
Before recommending the making of an Order in Council facilitating access by an accessing agency to identity information held by a holder agency, the responsible Minister must be satisfied that—
the purpose for which the identity information is to be accessed relates to a specified function of the accessing agency; and
the identity information to be accessed is no more than is reasonably necessary to enable the accessing agency to achieve that purpose; and
any potential conflicts or inconsistencies between the sharing of personal information under Schedule 3 and any other enactment have been identi‐ fied and appropriately addressed. Version as at
Privacy Act 2020 Part 7 s 171
An order under this section is secondary legislation (see Part 3 of the Legis‐ lation Act 2019 for publication requirements). Compare: 1993 No 28 s 109G Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 168(3): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7). Subpart 3—Law enforcement information
The purpose of this subpart is to authorise specified public sector agencies to have access to law enforcement information held by other specified agencies about identifiable individuals.
This subpart does not—
limit the collection, use, or disclosure of personal information that—
is authorised or required by or under any enactment; or
is permitted by the information privacy principles; or
limit subpart 1, 2, or 4.
In this subpart, unless the context otherwise requires,— accessing agency means any public sector agency for the time being specified in Schedule 4 as an agency to which law enforcement information held by a holder agency is available agency includes a court in relation to its judicial functions holder agency means—
a court holding law enforcement information described in Schedule 4 as court records; and
a public sector agency specified in Schedule 4 holding law enforcement information otherwise described in that schedule law enforcement information means any information that—
is about an identifiable individual; and
Privacy Act 2020 Version as at 6 December 2023
is specified in Schedule 4. Compare: 1993 No 28 s 110
An accessing agency may have access to law enforcement information held by a holder agency if such access is authorised by the provisions of Schedule 4.
Subsection (1) overrides—
section 237 and Schedule 1 of the District Court Act 2016; and
section 174 and Schedule 2 of the Senior Courts Act 2016. Compare: 1993 No 28 s 111
The Governor-General may, by Order in Council made on the recommendation of the responsible Minister given after consultation with the Privacy Commis‐ sioner, amend Schedule 4 by—
inserting, repealing, amending, or replacing any item in Schedule 4; or
repealing Schedule 4 and substituting a new schedule.
However, no Order in Council may be made under subsection (1) that amends law enforcement information in Schedule 4 that is described in that schedule as court records.
An order under this section is secondary legislation (see Part 3 of the Legis‐ lation Act 2019 for publication requirements). Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 173(3): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7). Subpart 4—Authorised information matching programmes
The purpose of this subpart is to authorise agencies to compare personal infor‐ mation in accordance with an authorised information matching programme.
This subpart applies to the disclosure of personal information under an infor‐ mation matching programme authorised by an information matching provision. Version as at
Privacy Act 2020 Part 7 s 177
This subpart does not—
limit the collection, use, or disclosure of personal information that—
is authorised or required by or under any enactment; or
is permitted by the information privacy principles; or
limit subparts 1 to 3.
In this subpart and Schedule 6, unless the context otherwise requires,— adverse action means any lawful action of an agency that may adversely affect the rights, benefits, privileges, obligations, or interests of any specific indi‐ vidual, including any decision—
to cancel or suspend any monetary payment:
to refuse an application for a monetary payment:
to alter the rate or amount of a monetary payment:
to recover an overpayment of a monetary payment:
to impose a penalty:
to recover a penalty or fine:
to make an assessment of the amount of any tax, levy, or other charge, or of any contribution, that is payable by an individual, or to alter an assessment of that kind:
to investigate the possible commission of an offence:
to make a deportation order in relation to the individual, to serve the individual with a deportation liability notice, or to deport the individual from New Zealand authorised information matching programme means an information match‐ ing programme that is authorised by an information matching provision discrepancy, in relation to an authorised information matching programme, means a result of that programme that warrants the taking of further action by an agency for the purpose of giving effect to the objective of the programme information matching programme means the comparison (whether manually or by means of any electronic or other device) of any document that contains personal information about 10 or more individuals with 1 or more other docu‐ ments that contain personal information about 10 or more individuals, for the purpose of producing or verifying information that may be used for the purpose of taking adverse action against an identifiable individual
Privacy Act 2020 Version as at 6 December 2023 information matching provision means any provision specified in the second column of Schedule 5 as an information matching provision of an enactment specified in the first column of that schedule information matching rules means the rules for the time being set out in Schedule 6 monetary payment includes—
a benefit as defined in Schedule 2 of the Social Security Act 2018:
a lump sum payable under section 90 of that Act:
any special assistance granted out of a Crown Bank Account from money appropriated by Parliament under section 101 of that Act:
any monetary entitlement payable under Part 4, 10, or 11 of the Accident Compensation Act 2001. Compare: 1993 No 28 s 97
Personal information held by an agency may be disclosed to another agency under an authorised information matching programme only in accordance with a written agreement that—
is entered into between the agencies; and
includes provisions that reflect the information matching rules, or provi‐ sions that are no less onerous than those rules.
An agreement may provide that the agencies involved in the authorised infor‐ mation matching programme may charge each other fees for the services provi‐ ded for the purposes of the programme.
The parties to an agreement entered into under this section must ensure that a copy of the agreement, and of any amendments subsequently made to the agreement, are immediately forwarded to the Commissioner. Compare: 1993 No 28 s 99
Subject to any other enactment or rule of law that limits or restricts the infor‐ mation that may be taken into account in taking adverse action against an indi‐ vidual, an agency that is involved in an authorised information matching pro‐ gramme may take adverse action against an individual on the basis of any dis‐ crepancy produced by that programme.
If an agency decides to take adverse action against an individual on the basis of a discrepancy produced by an authorised information matching programme, the adverse action must be commenced not later than 12 months after the date on which the agency received or derived information from the programme that gave rise to the discrepancy (or any extended time limit granted by the Com‐ missioner under section 180). Version as at
Privacy Act 2020 Part 7 s 181
Subsection (1) does not limit or restrict the use that may lawfully be made, by an agency, of any information produced by an authorised information matching programme. Compare: 1993 No 28 s 100
If an agency derives or receives information produced by an authorised infor‐ mation matching programme, the Commissioner may, either generally or in respect of any case or class of cases, grant an extension of the time limit set out in section 179(2) in respect of that information if the Commissioner is satisfied that the agency cannot reasonably be required to meet that time limit because of—
the large quantity of information derived or received by the agency; or
the complexity of the issues involved; or
any other reason. Compare: 1993 No 28 s 102
A specified agency must not take adverse action against an individual on the basis (whether in whole or in part) of a discrepancy produced by an authorised information matching programme—
unless that agency has given that individual written notice that—
specifies the particulars of the discrepancy and of the adverse action that it proposes to take; and
states that the individual has 5 working days from the receipt of the notice in which to show cause why the action should not be taken; and
until the expiration of those 5 working days.
Subsection (1) does not prevent the department for the time being responsible for the administration of the Social Security Act 2018 from immediately sus‐ pending sole parent support, the supported living payment, an emergency bene‐ fit, jobseeker support, a young parent payment, or a youth payment paid to an individual if—
the discrepancy arises in respect of departure information supplied to that department under section 308 of the Customs and Excise Act 2018; and
before or immediately after the decision to suspend the benefit, the department gives the individual written notice that—
specifies the particulars of the discrepancy and the suspension of benefit, and any other adverse action that the department proposes to take; and
Privacy Act 2020 Version as at 6 December 2023
states that the individual has 5 working days from the receipt of the notice to show cause why the benefit ought not to have been suspended or why the adverse action should not be taken, or both.
An adverse action must not be taken under subsection (2) until the expiry of the 5 working days referred to in subsection (2)(b)(ii).
Subsection (1) does not prevent the Commissioner of Inland Revenue from immediately taking action to recover amounts relating to—
unpaid amounts owed to the Commissioner by an individual who is in serious default and who is identified in information supplied to the Com‐ missioner under section 306 of the Customs and Excise Act 2018; or
financial support under the Child Support Act 1991 owed to the Com‐ missioner by an individual who is identified in information supplied to the Commissioner under section 307 or 313 of the Customs and Excise Act 2018.
Subsections (1) and (2) do not prevent an agency from taking adverse action against an individual if compliance with the requirements of those subsections would prejudice any investigation into the commission of an offence or the possible commission of an offence.
Subsection (1) does not prevent any constable or any bailiff from immediately executing a warrant to arrest an individual in respect of the non-payment of all or any part of a fine if—
the discrepancy arises in respect of arrival and departure information supplied under section 310 of the Customs and Excise Act 2018; and
before the warrant is executed, the individual concerned is—
informed of the intention to execute the warrant; and
given an opportunity to confirm that they are the individual named in the warrant; and
given the opportunity to confirm that neither of the following cir‐ cumstances applies: (A) the fine has been paid: (B) an arrangement to pay the fine over time has been entered into.
In this section,— amount of reparation has the meaning given to it in section 79(1) of the Sum‐ mary Proceedings Act 1957 bailiff means a bailiff of the District Court or of the High Court fine means—
a fine within the meaning of section 79(1) of the Summary Proceedings Act 1957: Version as at
Privacy Act 2020 Part 7 s 182
a fine to which section 19 of the Crimes Act 1961 applies:
a fine to which section 43 or 45 of the Misuse of Drugs Amendment Act 1978 applies:
any amount payable under section 138A(1) of the Sentencing Act 2002.
This section is subject to section 180C(1) of the Corrections Act 2004. Compare: 1993 No 28 s 103(1)–(2), (5)
If the Commissioner so requires, an agency that is involved in an authorised information matching programme must report to the Commissioner in respect of the programme.
Without limiting subsection (1), the matters on which the Commissioner may require an agency to submit a report include the following:
the actual costs and benefits of an authorised information matching pro‐ gramme:
any difficulties experienced in the operation of an authorised information matching programme and how those difficulties are being, or have been, overcome:
whether internal audits or other forms of assessment are undertaken by an agency in relation to an authorised information matching programme, and, if so, the results of those audits or assessments:
if an agency dispenses with the giving of notice under section 181, the reasons why that dispensation is made and the grounds in support of those reasons:
the details of the operation of an authorised information matching pro‐ gramme, including—
the number of matches undertaken:
the proportion of matches that revealed discrepancies in informa‐ tion involved in the matching:
the number of discrepancies revealed:
the proportion of cases in which action was taken as a result of the discrepancies:
the number of cases in which action was taken:
the number of cases in which action was taken even though the accuracy of the discrepancy was challenged:
the proportion of cases in which action did not proceed after the individual concerned was notified of the discrepancy:
the number of cases in which action taken as a result of a discrep‐ ancy was successful:
Privacy Act 2020 Version as at 6 December 2023
any other matters that the Commissioner considers relevant. Compare: 1993 No 28 s 104
The Commissioner must, before the end of each calendar year, report to the responsible Minister on each authorised information matching programme that is carried out (in whole or in part) during the financial year ending on 30 June in that year.
A report must set out, in relation to each programme,—
an outline of the programme; and
an assessment of the extent of the programme’s compliance, during that year, with—
sections 178 to 181; and
the information matching rules; and
the details of each extension granted under section 180, the reasons why the extension was granted, and the grounds in support of those reasons.
This section does not require the Commissioner to disclose in any report any information relating to an information matching programme that would be likely to frustrate the objective of the programme.
Sections 85 to 89 apply in relation to an assessment carried out by the Commis‐ sioner for the purposes of subsection (2)(b), and all references in those sections to an investigation must be read as a reference to an assessment.
As soon as practicable after receiving a report, the responsible Minister must present a copy of the report to the House of Representatives. Compare: 1993 No 28 s 105
The Commissioner must, at 5-yearly intervals,—
review the operation of every information matching provision and con‐ sider, in particular, whether—
the authority conferred by the information matching provision should be continued; and
any amendments to the provision are necessary or desirable; and
report the result of the review to the responsible Minister.
The first report of an information matching provision under this section is due not later than—
5 years after the date of the last report prepared in respect of that infor‐ mation matching provision by the Commissioner under section 106 of the Privacy Act 1993; or Version as at
Privacy Act 2020 Part 7 s 188
5 years after the commencement of this section, if no previous report has been prepared in respect of that information matching provision by the Commissioner. Compare: 1993 No 28 s 106(1)
The responsible Minister must—
present a copy of a report under section 184 to the House of Representa‐ tives within 5 working days after receiving it from the Commissioner or, if Parliament is not in session, as soon as practicable after the com‐ mencement of the next session of Parliament; and
within 6 months after complying with paragraph (a), present a report to the House of Representatives setting out the Government’s response to the report under section 184. Compare: 1993 No 28 s 106(2)
Despite section 176, if the collection or disclosure of information is authorised by an information matching provision, nothing in IPP 2(2)(e)(i) or IPP 11(1)(e)(i) authorises or permits the collection or disclosure of that information for the purposes of—
any authorised information matching programme; or
any information matching programme whose objective is similar in nature to any authorised information matching programme. Compare: 1993 No 28 s 108
Despite anything in the Official Information Act 1982 or the Local Govern‐ ment Official Information and Meetings Act 1987, a public sector agency must not disclose to any other public sector agency under those Acts any personal information if the information is sought solely or principally for use in an information matching programme. Compare: 1993 No 28 s 109
The Governor-General may, by Order in Council made on the recommendation of the responsible Minister,—
amend Schedule 5 by—
Privacy Act 2020 Version as at 6 December 2023
replacing a reference to an information matching provision that has been renumbered with a reference to the corresponding renumbered information matching provision:
repealing an information matching provision; or
repeal Schedule 5.
An order under this section is secondary legislation (see Part 3 of the Legis‐ lation Act 2019 for publication requirements). Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 188(2): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
The Governor-General may, by Order in Council made on the recommendation of the Privacy Commissioner, amend the information matching rules in Sched‐ ule 6.
The power conferred by subsection (1) includes the power to—
replace Schedule 6:
repeal Schedule 6.
An order under this section is secondary legislation (see Part 3 of the Legis‐ lation Act 2019 for publication requirements). Compare: 1993 No 28 s 107 Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 189(3): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
Section 190: repealed, on the close of 8 December 2020, by section 191 of the Privacy Act 2020 (2020 No 31). Version as at
Privacy Act 2020 Part 8 s 193
Section 190 and Schedule 7 are repealed on the close of 8 December 2020.
Prohibiting onward transfer of personal information received in New Zealand from overseas
In this Part, unless the context otherwise requires, transfer prohibition notice means a notice given under section 193 prohibiting the transfer of personal information from New Zealand to another country. Compare: 1993 No 28 s 114A
The Commissioner may prohibit a transfer of personal information from New Zealand to another country if the Commissioner is satisfied, on reasonable grounds, that—
the information has been, or will be, received in New Zealand from another country and is likely to be transferred to a third country where it will not be subject to a law providing comparable safeguards to those in this Act; and
the transfer would be likely to lead to a contravention of the basic prin‐ ciples of national application set out in Part Two of the OECD Guide‐ lines and in Schedule 8 of this Act.
In determining whether to prohibit a transfer of personal information, the Com‐ missioner must also consider, in addition to the matters set out in subsection (1) and section 21, the following:
whether the transfer affects, or is likely to affect, any individual; and
the general desirability of facilitating the free flow of information between New Zealand and other countries; and
any existing or developing international guidelines relevant to transbor‐ der data flows, including (but not limited to)—
the OECD Guidelines:
the General Data Protection Regulation.
Subsection (1) does not apply if the transfer of the information, or the informa‐ tion itself, is—
required or authorised by or under any enactment; or
required by any convention or other instrument that imposes inter‐ national obligations on New Zealand. Compare: 1993 No 28 s 114B
Privacy Act 2020 Version as at 6 December 2023
To enable the Commissioner to determine whether to prohibit a transfer of per‐ sonal information, the Commissioner may hear or obtain information from any person as the Commissioner considers necessary, and for that purpose subpart 2 of Part 5 applies as if the Commissioner were carrying out an investigation under that subpart.
In exercising any power under subsection (1), the Commissioner may adopt any procedure the Commissioner considers appropriate. Compare: 1993 No 28 s 114C
A prohibition under section 193(1) is effected by the service of a transfer pro‐ hibition notice on the agency that proposes to transfer the personal information concerned.
A transfer prohibition notice must—
state the name of the agency to whom it relates; and
describe the personal information concerned; and
state that the transfer of the personal information concerned from New Zealand to a specified country is prohibited—
absolutely; or
until the agency has taken the steps stated in the notice to protect the interests of any individual or individuals affected by the trans‐ fer; and
state the time at which the notice takes effect; and
state the ground for the prohibition; and
state that the agency on whom the notice is served may lodge an appeal against the notice to the Tribunal, and state the time within which the appeal must be lodged.
The time at which the notice takes effect under subsection (2)(d) must not be before the end of the period within which an appeal against the notice can be lodged.
If an appeal is brought, the notice does not take effect until the determination or withdrawal of the appeal.
If the Commissioner, by reason of special circumstances, considers that the prohibition should take effect as a matter of urgency in relation to all or any part of the notice,—
subsections (3) and (4) do not apply; and
the notice takes effect on the sixth working day after the date on which the notice is served; and Version as at
Privacy Act 2020 Part 8 s 198
the notice must include—
a statement that the Commissioner considers that the prohibition must take effect as a matter of urgency; and
a statement of the reasons why the Commissioner has reached that conclusion. Compare: 1993 No 28 s 114D
If, at any time, the Commissioner considers that all or any of the provisions of a transfer prohibition notice served on an agency need not be complied with in order to avoid a contravention of basic principles of privacy or data protection, the Commissioner may vary or cancel the transfer prohibition notice by serving notice to that effect on the agency concerned.
An agency on whom a transfer prohibition notice has been served may, at any time after the end of the period during which an appeal under section 198(1)(a) can be lodged, apply in writing to the Commissioner for the notice to be varied or cancelled under subsection (1).
The Commissioner must, within 20 working days after the date on which an application under subsection (2) is received, notify the agency that the applica‐ tion—
has been granted and that the transfer prohibition notice has been—
varied; or
cancelled; or
has been refused and give the reason for the refusal.
If the Commissioner cancels or varies a transfer prohibition notice under sub‐ section (1), the variation or cancellation of the notice takes effect on the day after the date on which notice of the Commissioner’s decision to vary or cancel the transfer prohibition notice is served. Compare: 1993 No 28 s 114E
Every person who, without reasonable excuse, fails or refuses to comply with a transfer prohibition notice commits an offence and is liable on conviction to a fine not exceeding $10,000. Compare: 1993 No 28 s 114F
An agency on whom a transfer prohibition notice is served may appeal to the Tribunal—
against all or any part of the notice; or
Privacy Act 2020 Version as at 6 December 2023
if the notice contains a statement by the Commissioner in accordance with section 195(5)(c), against the decision to include that statement in respect of all or any part of the notice; or
against the decision of the Commissioner to vary the notice in accord‐ ance with section 196(1); or
against the refusal of an application under section 196(2) to vary or can‐ cel the notice.
An appeal under subsection (1) must be lodged,—
in the case of an appeal under subsection (1)(a) or (b), within 15 working days from the date on which the transfer prohibition notice was served on the agency concerned:
in the case of an appeal under subsection (1)(c) or (d), within 15 working days from the date on which notice of the decision or refusal was served on the agency concerned.
The Tribunal must allow an appeal or substitute any other decision or notice that could have been made or served by the Commissioner if it considers that—
the decision or notice against which the appeal is brought is not in accordance with the law; or
to the extent that the decision or notice involved an exercise of discretion by the Commissioner, the Commissioner ought to have exercised the dis‐ cretion differently.
The Tribunal may review any determination of fact on which the decision or notice in question was based.
On any appeal under subsection (1)(b), the Tribunal may—
direct—
that the notice in question must have effect as if it did not contain the statement that is mentioned in the notice; or
that the inclusion of the statement must not have effect in relation to any part of the notice; and
make any modifications required to give effect to that direction. Compare: 1993 No 28 s 114G
4 of the Human Rights Act 1993 (except sections 97, 108A, and 108B) applies in relation to proceedings under section 198 as if they were proceedings under that Act. Compare: 1993 No 28 s 114H
The Governor-General may, by Order in Council,— Version as at
Privacy Act 2020 Part 9 s 201A
amend the principles in Schedule 8 to the extent required to bring them up to date:
replace Schedule 8 to update the principles.
An order under this section is secondary legislation (see Part 3 of the Legis‐ lation Act 2019 for publication requirements). Compare: 1993 No 28 s 128A Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 200(2): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7).
An agency must appoint as privacy officers for the agency 1 or more individu‐ als (within or outside the agency) whose responsibilities include—
encouraging the agency to comply with the IPPs:
dealing with requests made to the agency under this Act:
working with the Commissioner in relation to investigations conducted under Part 5 in relation to the agency:
ensuring that the agency complies with the provisions of this Act.
Subsection (1) does not apply to an agency that is an individual who is collect‐ ing and holding personal information solely for the purposes of, or in connec‐ tion with, the individual’s personal or domestic affairs.
In relation to the functions of a departmental agency, the responsibility under this section lies with the departmental agency. Compare: 1993 No 28 s 23 Section 201(3): inserted, on 7 August 2020, by section 128 of the Public Service Act 2020 (2020 No 40). 201A Responsibility under Parts 4 to 6 for interdepartmental executive board
The department that is the servicing department for an interdepartmental executive board is responsible for dealing with all matters arising under Parts 4 to 6 in relation to personal information held by that board.
Privacy Act 2020 Version as at 6 December 2023
This section applies despite the definition of department in section 7(1). Section 201A: inserted, on 7 August 2020, by section 129 of the Public Service Act 2020 (2020 No 40).
For the purpose of enabling the Commissioner to respond to inquiries from the public about personal information held by an agency, the Commissioner may require an agency to supply—
the name and contact details of the agency’s privacy officer appointed under section 201; and
any other information that the Commissioner reasonably requires in rela‐ tion to the personal information held by the agency. Compare: 1993 No 28 s 22
Sections 86 to 90 apply in relation to an inquiry conducted by the Commis‐ sioner under section 17(1)(i), and for this purpose all references in those sec‐ tions to an investigation must be read as a reference to an inquiry.
If, at any time, it appears to the Commissioner that it may be desirable to obtain a declaratory judgment or an order of the High Court in accordance with the Declaratory Judgments Act 1908, the Commissioner may refer the matter to the Director for the purpose of deciding whether proceedings under that Act should be instituted.
If a matter is referred to the Director under subsection (1), the Director has suf‐ ficient standing to institute proceedings under the Declaratory Judgments Act 1908.
Subsection (2) applies—
despite anything to the contrary in the Declaratory Judgments Act 1908, or any other enactment or rule of law; and
whether or not the matter is within the Director’s functions and powers under this Act or the Human Rights Act 1993. Compare: 1993 No 28 s 20
If any personal information is made available in good faith under IPP 6,—
no proceedings, civil or criminal, may be brought against the Crown or any other person in respect of the making available of that information, or in respect of any consequences that follow from the making available of that information; and Version as at
Privacy Act 2020 Part 9 s 206
no proceedings, civil or criminal, in respect of any publication involved in, or resulting from, the making available of that information may be brought against the author of the information or any other person by rea‐ son of that author or other person having supplied the information to an agency.
The making available of, or the giving of access to, any personal information in consequence of a request made under IPP 6 is not to be taken, for the purposes of the law relating to defamation or breach of confidence or infringement of copyright, to constitute an authorisation or approval of the publication of the information or of its contents by the individual to whom the information is made available or the access is given. Compare: 1993 No 28 s 115
The following persons must maintain secrecy in respect of all matters that come to their knowledge in the exercise of their functions under this Act:
the Commissioner, or any person who has held the appointment of Com‐ missioner:
a person who is employed or engaged, or who has been employed or engaged, by the Commissioner.
Despite subsection (1), the Commissioner may disclose any matters that in the Commissioner’s opinion ought to be disclosed for the purposes of giving effect to this Act.
Except where necessary for the purposes of referring a complaint or matter to the Director, the power conferred by subsection (2) does not extend to—
any matter that might prejudice—
the security, defence, or international relations of New Zealand (including New Zealand’s relations with the Government of any other country or with any international organisation); or
any interest protected by section 7 of the Official Information Act 1982; or
the prevention, investigation, or detection of offences; or
any matter that might involve the disclosure of the deliberations of Cab‐ inet; or
any information, answer, document, or thing obtained by the Commis‐ sioner by reason only of compliance with a requirement made under sec‐ tion 88(1). Compare: 1993 No 28 s 116
Privacy Act 2020 Version as at 6 December 2023
The Commissioner may provide to an overseas privacy enforcement authority any information, or a copy of any document, that the Commissioner—
holds in relation to the performance or exercise of the Commissioner’s functions, duties, or powers under this Act (including under section 86 or 87) or any other enactment; and
considers may—
assist the authority in the performance or exercise of the authori‐ ty’s functions, duties, or powers under or in relation to any enact‐ ment; or
enable the authority to reciprocate with the provision of other rela‐ ted information that will assist the Commissioner in the perform‐ ance or exercise of the Commissioner’s functions, duties, or powers under this Act or any other enactment.
The Commissioner may impose any conditions that the Commissioner con‐ siders appropriate in relation to the provision of any information or copy of any document under subsection (1), including conditions related to—
the storage and use of, or access to, anything provided:
the copying, return, or disposal of copies of any documents provided.
This section overrides section 206(1).
The Commissioner may at any time consult any of the following persons about any matter relating to the functions of the Commissioner under this Act:
an Ombudsman:
the Health and Disability Commissioner:
the Inspector-General of Intelligence and Security.
the Independent Police Conduct Authority.
For the purpose of consulting a person specified in subsection (1), the Commis‐ sioner may disclose to that person any information that the Commissioner con‐ siders necessary.
This section overrides section 206(1). Compare: 1993 No 28 ss 117, 117A, 117B Section 208(1)(d): inserted, on 30 November 2022, by section 101 of the Statutes Amendment Act 2022 (2022 No 75).
The rule of law that authorises or requires the withholding of any document, or the refusal to answer any question, on the ground that the disclosure of the Version as at
Privacy Act 2020 Part 9 s 211 document or the answering of the question would be injurious to the public interest does not apply in respect of—
any investigation by or proceedings before the Commissioner or the Tri‐ bunal under this Act; or
any application under the Judicial Review Procedure Act 2016 for the review of any decision under this Act.
Subsection (1) does not entitle any person to any information that the person would not be entitled to otherwise than under this section.
Subsection (1) does not limit sections 44(2)(d) and 47. Compare: 1993 No 28 s 119
The Commissioner must not, in any report or statement made pursuant to this Act or the Crown Entities Act 2004, make any comment that is adverse to any person unless that person has been given an opportunity to be heard. Compare: 1993 No 28 s 120
For the purpose of this Act,—
anything done or omitted to be done by a person (A) as an employee of another person (B) is to be treated as being done or omitted by both A and B, whether or not it was done or omitted with B’s knowledge or approval:
anything done or omitted to be done by a person (A) as an agent of another person (B) is to be treated as being done or omitted by both A and B, unless it was done or omitted without B’s express or implied authority:
anything done or omitted to be done by a person as a member of an agency is to be treated as being done or omitted by both the person and the agency, unless it is done or omitted without the agency’s express or implied authority.
In proceedings under this Act against any person (C) in respect of an act alleged to have been done by an employee of that person (D), it is a defence to prove that C took such steps as were reasonably practicable to prevent D from doing that or any similar act.
Subsection (2) overrides subsection (1)(a).
This section is subject to sections 119 and 120. Compare: 1993 No 28 s 126
Privacy Act 2020 Version as at 6 December 2023
A person commits an offence against this Act and is liable on conviction to a fine not exceeding $10,000 if the person,—
without reasonable excuse, obstructs, hinders, or resists the Commis‐ sioner or any other person in the exercise of their powers under this Act:
without reasonable excuse, refuses or fails to comply with any lawful requirement of the Commissioner or any other person under this Act.
A person commits an offence against this Act and is liable on conviction to a fine not exceeding $10,000 if the person—
makes any statement or gives any information to the Commissioner or any other person exercising powers under this Act, knowing that the statement or information is false or misleading:
represents directly or indirectly that they hold any authority under this Act when they do not hold that authority:
misleads an agency by impersonating an individual, or falsely pretending to be an individual or to be acting under the authority of an individual, for the purpose of—
obtaining access to that individual’s personal information:
having that individual’s personal information used, altered, or destroyed:
destroys any document containing personal information, knowing that a request has been made in respect of that information under subpart 1 of Part 4. Compare: 1993 No 28 s 127
The Governor-General may, by Order in Council made on the recommendation of the responsible Minister given after consultation with the Commissioner, make regulations prescribing binding schemes for the purpose of IPP 12(1)(d).
The Minister may recommend the making of regulations under subsection (1) only if the Minister is satisfied that the binding schemes require a foreign per‐ son or entity to protect personal information in a way that, overall, provides comparable safeguards to those in this Act.
Regulations made under this section are secondary legislation (see Part 3 of the Legislation Act 2019 for publication requirements). Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette LA19 s 69(1)(c) Version as at
Privacy Act 2020 Part 9 s 215 Presentation The Minister must present it to the House of Representatives LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 213(3): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7). Section 213(3): amended, on 28 October 2021, by regulation 85 of the Legislation Act (Amendments to Legislation) Regulations 2021 (SL 2021/247).
The Governor-General may, by Order in Council made on the recommendation of the responsible Minister given after consultation with the Commissioner, make regulations prescribing countries for the purpose of IPP 12(1)(e).
The Minister may recommend the making of regulations under subsection (1) only if the Minister is satisfied that the countries have privacy laws that, over‐ all, provide comparable safeguards to those in this Act.
A country may be prescribed subject to any specified limitation or qualification relating to—
the type of foreign person or entity in that country that personal informa‐ tion may be disclosed to:
the type of personal information that may be disclosed to a foreign per‐ son or entity in that country.
Regulations made under this section are secondary legislation (see Part 3 of the Legislation Act 2019 for publication requirements). Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 214(4): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7). Section 214(4): amended, on 28 October 2021, by regulation 85 of the Legislation Act (Amendments to Legislation) Regulations 2021 (SL 2021/247).
The Governor-General may, by Order in Council, made on the recommenda‐ tion of the responsible Minister, make regulations for all or any of the follow‐ ing purposes:
providing the procedure for giving, issuing, or serving notices and docu‐ ments under this Act, including to persons or agencies who are overseas:
Privacy Act 2020 Version as at 6 December 2023
prescribing a body as a regulatory body for the purposes of the definition of news entity in section 7(1):
specifying the information to be included in a compliance notice under section 125(1)(e):
prescribing the matters that the Commissioner may specify to a lead agency as matters that are to be included in a report by the lead agency under section 155:
providing for such matters as are contemplated by or necessary for giv‐ ing full effect to this Act and for its due administration.
The responsible Minister may not recommend the making of regulations under subsection (1)(b) unless the Minister—
has consulted with the Commissioner; and
is satisfied that the body—
acts independently in performing its functions and duties; and
encourages news entities to develop and observe principles, stand‐ ards, or codes of conduct appropriate to the type of news activity undertaken by the entities, particularly principles, standards, or codes of conduct in relation to the privacy of individuals; and
has a proper procedure for receiving and dealing with complaints about news activities.
Regulations made under this section are secondary legislation (see Part 3 of the Legislation Act 2019 for publication requirements). Compare: 1993 No 28 s 128 Legislation Act 2019 requirements for secondary legislation made under this section Publication PCO must publish it on the legislation website and notify it in the Gazette Presentation The Minister must present it to the House of Representatives LA19 s 69(1)(c) LA19 s 114, Sch 1 cl 32(1)(a) Disallowance It may be disallowed by the House of Representatives LA19 ss 115, 116
Section 215(3): inserted, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7). Section 215(3): amended, on 28 October 2021, by regulation 85 of the Legislation Act (Amendments to Legislation) Regulations 2021 (SL 2021/247).
The Privacy Act 1993 (1993 No 28) is repealed.
The Privacy Regulations 1993 (SR 1993/149) are revoked. Version as at
Privacy Act 2020 Part 9 s 218
Section 217: repealed, on the close of 8 December 2020, by section 218 of the Privacy Act 2020 (2020 No 31).
Section 217 and Schedule 9 are repealed on the close of 8 December 2020. Schedule 1 Privacy Act 2020 Version as at 6 December 2023 Schedule 1 Transitional, savings, and related provisions s 5
Provisions relating to this Act as enacted
In this schedule,— commencement day means 1 December 2020 this Act means the Privacy Act 2020.
The person who immediately before the commencement day held office as the Privacy Commissioner under the Privacy Act 1993 continues in office on and after that day as if the person were appointed under section 13 of this Act, and that person’s instrument of appointment is to be construed accordingly.
Any person who immediately before the commencement day was a privacy officer under section 23 of the Privacy Act 1993 continues on and after that day as a privacy officer under section 201 of this Act.
A request made to an agency under information privacy principle 6 of the Pri‐ vacy Act 1993 before the commencement day, but not dealt with by that day, must be treated as a request under IPP 6 and dealt with under this Act.
A request made to an agency under information privacy principle 7 of the Pri‐ vacy Act 1993 before the commencement day, but not dealt with by that day, must be treated as a request under IPP 7 and dealt with under this Act.
An authorisation given by the Commissioner under section 54 of the Privacy Act 1993 that is in force immediately before the commencement day continues in force on and after that day as if it had been made under section 30 of this Act, and is subject to the same conditions (if any) as applied immediately before the commencement day.
A code of practice that was issued by the Commissioner under section 46 of the Privacy Act 1993 and that is in force immediately before the day on which sub‐ part 2 of Part 3 of this Act comes into force continues in force on and after that Version as at
Privacy Act 2020 Schedule 1 day as if it had been issued under section 32 of this Act and may at any time be amended.
A complaint made before the commencement day under the Privacy Act 1993 that has not been resolved or otherwise dealt with by the Commissioner must be resolved or otherwise dealt with by the Commissioner under the procedures in this Act, even though the action that is the subject of the complaint occurred before that day.
A complaint made after the commencement day under this Act that relates to an action that occurred before the commencement day must be resolved or otherwise dealt with by the Commissioner under the procedures in this Act.
Any decision made, or thing done, by the Commissioner under the Privacy Act 1993 in relation to a complaint that before the commencement day was not the subject of an investigation must be treated as if it had been made or done under this Act.
This clause applies to—
an investigation that was commenced by the Commissioner under Part 8 of the Privacy Act 1993 before the commencement day, but not comple‐ ted by that day (a pending investigation):
an investigation that is commenced by the Commissioner under this Act after the commencement day and that relates to an action that occurred before the commencement day:
an inquiry that was commenced by the Commissioner under section 13(1)(m) or 61(1) of the Privacy Act 1993 before the commencement day but not completed by that day (a pending inquiry).
A pending investigation, an investigation referred to in subclause (1)(b), or a pending inquiry must be continued and completed or, in the case of an investi‐ gation referred to in subclause (1)(b), dealt with under this Act.
Any decision made, or thing done, by the Commissioner under the Privacy Act 1993 in relation to a pending investigation or pending inquiry must be treated as if it had been made or done under this Act.
Any proceedings commenced before the Human Rights Review Tribunal under Part 8 of the Privacy Act 1993 before the commencement day, but not comple‐ ted by that day, must be continued and completed under this Act.
Any proceedings that are commenced before the Human Rights Review Tribu‐ nal under this Act after the commencement day and that relate to an action that occurred before the commencement day must be dealt with under this Act. Schedule 1 Privacy Act 2020 Version as at 6 December 2023
In this clause, notifiable privacy breach has the meaning given to it in section 112 of this Act.
The provisions of subpart 1 of Part 6 do not apply to a notifiable privacy breach that occurred before the commencement day even if it continues after that day.
An information matching agreement that was made under Part 10 of the Pri‐ vacy Act 1993 and that is in force immediately before the commencement day continues in force, in accordance with its terms, as if it had been made under subpart 4 of Part 7 of this Act and may at any time be amended.
Any decision or thing done under the Privacy Act 1993 before the commence‐ ment day in relation to a proposed information matching agreement must be treated as if it had been made or done under this Act.
An information sharing agreement that was made under Part 9A of the Privacy Act 1993 and that is in force immediately before the commencement day con‐ tinues in force, in accordance with its terms, as if it had been made under sub‐ part 1 of Part 7 of this Act.
Any decision made or thing done under the Privacy Act 1993 before the com‐ mencement day in relation to a proposed information sharing agreement must be treated as if it had been made or done under this Act.
An Order in Council that was made under sections 96J to 96L of the Privacy Act 1993 and that is in force immediately before the commencement day con‐ tinues in force, in accordance with its terms, as if it had been made under sec‐ tions 145 to 147 of this Act, and may at any time be amended.
An Order in Council that was made under sections 96J to 96L of the Privacy Act 1993 but has not come into force before the commencement day, continues to have effect, in accordance with its terms, as if it had been made under sec‐ tions 145 to 147 of this Act, and may at any time be amended.
A transfer prohibition notice that was given by the Commissioner under section 114B of the Privacy Act 1993 and that is in force immediately before the com‐ mencement day continues in force, in accordance with its terms, as if it had been given by the Commissioner under section 195 of this Act. Version as at
Privacy Act 2020 Schedule 1
Subclause (2) applies if, immediately before the commencement day,—
the Police have commenced proceedings against a person aged 17 years, but those proceedings have not been completed, or, in respect of those proceedings, sentencing is pending; and
the Police are accessing, or intending to access, the item of law enforce‐ ment information in Schedule 5 of the Privacy Act 1993 relating to court records described as details of hearings.
If this subclause applies, Schedule 5 of the Privacy Act 1993 continues in force in relation to accessing the records of the person aged 17 years until—
the proceedings referred to in subclause (1)(a) are discontinued or com‐ pleted:
the sentencing referred to in subclause (1)(a) is completed:
the outcome of the proceedings and sentencing referred to in subclause (1)(a) has been recorded by the Police.
Subclause (2) does not limit the application of section 34 of the Legislation Act 2019. Schedule 1 clause 15(3): amended, on 28 October 2021, by section 3 of the Secondary Legislation Act 2021 (2021 No 7). Name of agreement Information sharing to support services for disengaged youth: information sharing agreement between Ministry of Education, Oranga Tamariki—Ministry for Children, and Ministry of Social Development made on 8 August 2012 and amended on 13 May 2020 Public service(s) to be facilitated by agreement To provide services to encourage and help young persons who have ceased to be enrolled at a registered school or a tertiary education organisation to move into, or remain in, education, training, and employment rather than receiving financial support under the Social Security Act 2018 Internet address where copy of agreement can be accessed Lead agency for agreement http://www.youthservice.govt.nz Ministry of Social Development type of personal information to be shared under agreement Information from Ministry of Education:
student name (and any alternative names):
gender:
ethnicity:
date of birth:
residency information (if known):
address:
home and mobile phone numbers (if known):
email address:
schools attended (including geographical regions and deciles):
number of schools attended:
date of leaving school and year level:
leaving reason (for each school):
qualification information at time of leaving school:
details of any interventions that student may have participated in:
any information on student’s participation in tertiary education Information from Oranga Tamariki— Ministry for Children: Name of agreement Public service(s) to be facilitated by agreement Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement
name (including any alternative names if applicable):
birth date:
gender:
ethnicity:
intakes to Oranga Tamariki— Ministry for Children, including dates, whether the intake was for care and protection or youth justice concerns, and the outcome decision from the intake:
dates of any family group conferences and/or hui-a-whānau and whether they were for care and protection or for youth justice purposes:
dates of any findings of abuse:
placements and periods in youth justice custody, including type and duration of placement:
placements and periods in care and protection custody, including type and duration of placement Supply of adult passport information for the purpose of locating overseas-based student loan borrowers who are in default of their repayment
Inland Revenue collecting student loan debt (including core assessment, penalties, and interest):
Inland Revenue collecting child support liable parent debt (including core assessments and penalties):
Inland Revenue advising overseas- based borrowers of their student http://www.ird.govt.nz Inland Revenue (a) first name(s):
surname:
date of birth:
passport number:
personal telephone number:
work telephone number:
mobile telephone number: Name of agreement obligations and child support liable parents living overseas who are in default of their repayment or contact obligations Information sharing agreement (made on 6 June 2014) Public service(s) to be facilitated by agreement loan obligations and entitlements, and requiring compliance with those obligations:
Inland Revenue advising liable parents living overseas of their child support payment obligations and entitlements, and requiring compliance with those obligations Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement
home address:
passport delivery address:
email address Approved Information Sharing Agreement for Improving Public Services for At-risk Children dated 25 June 2015 Improving the well-being of at-risk children http://www.msd.govt.nz http:// childrensactionplan.govt.nz Ministry of Social Development
the name and address of a child, and the names and address or addresses, of the child’s parents and caregivers:
a child’s date of birth:
a notification or an alert from a health practitioner that a child or the child’s family is at risk:
any history of harm to a child or history of harm to a child in the child’s family:
information about a child’s physical or mental health that may indicate that the child has been abused or neglected or is at risk of abuse or neglect:
information about a child’s current and previous well-being, including financial circumstances, and issues of concern about the child’s well- being, including financial circumstances: Name of agreement Public service(s) to be facilitated by agreement Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement
information about a child’s psychological or emotional difficulties:
information about the capacities and strengths of a child and the child’s family:
issues of concern that have been raised with respect to a child’s education, including any special education needs:
information that indicates that a child has a record of a substance abuse problem or a history of violence:
information about whether a parent or caregiver of a child has a mental illness:
information about whether a parent or caregiver of a child has a substance abuse problem or a history of domestic violence:
information about a person who may pose a risk to a child and information about that risk:
any assessments of a child for the purposes of the Oranga Tamariki Act 1989 Information Sharing Agreement for Sharing Permitted Information with Statistics New Bona fide research in relation to matters of public interest Production of official statistics by Statistics New Zealand http://www.justice.govt.nz Ministry of Justice Permitted information, being permitted information that is specified in Part B of the items relating to court information in Schedule 2 of the Senior Courts Act 2016, but not including any permitted information Name of agreement Zealand made on 14 March 2017 Public service(s) to be facilitated by agreement Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement suppressed by or under a court order or any enactment Permitted information, being permitted information that is specified in Part B of the items relating to court information in Schedule 1 of the District Court Act 2016, but not including any permitted information suppressed by or under a court order or any enactment Information Sharing Agreement Between Ministry of Social Development And Inland Revenue Department made in September 2018 The accurate and efficient assessment of eligibility for, and entitlement to, benefits and subsidies The accurate and efficient assessment and enforcement of tax obligations, including recovering any associated debt The accurate and efficient assessment and enforcement of obligations relating to benefits and subsidies, including recovering any associated debt The development of public policy using personal information to assess the potential costs to the Crown and the impact on individuals, or groups of individuals, who may be affected Administration, research, and analysis for the purposes set out in the agreement for which information may be shared http://www.msd.govt.nz http://www.ird.govt.nz Inland Revenue (a) contact information:
identifying information:
information about domestic relationships, including—
the current and previous names, aliases, contact details, and dates of birth of persons with whom an identifiable individual has or had a domestic relationship; and
in relation to any of those persons, information about employment, information about finances and income, information about social assistance, and information about tax:
information about employment:
information about finances and income:
information about social assistance:
information about tax Name of agreement Public service(s) to be facilitated by agreement Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement Information sharing agreement between the Ministry of Justice and the Crown Law Office made on 31 July 2017
maintaining an efficient and effective criminal justice system:
improving the quality of public prosecutions:
managing the budget for Crown prosecutions http://www.justice.govt.nz Ministry of Justice (a) the CRI given to any proceeding commenced against a person:
permitted information, being permitted information that is specified in Part B of the items relating to court information in Schedule 2 of the Senior Courts Act 2016:
permitted information, being permitted information that is specified in Part B of the items relating to court information in Schedule 1 of the District Court Act 2016 Information Sharing Agreement between the New Zealand Gang Intelligence Centre Agencies made on 7 November 2018
maintaining public safety:
crime prevention:
law enforcement http://www.police.govt.nz New Zealand Police (a) identifying information:
contact details:
gang associations:
family relationship information:
health and disability information:
education information:
employment information:
social assistance information:
financial information:
financial relationship information:
financial transaction information:
tax information:
housing information:
asset information: Name of agreement Public service(s) to be facilitated by agreement Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement
travel, movement, and location information:
communications information:
criminal investigation information:
immigration information:
import and export information:
threat or risk to safety of others:
next-of-kin information Information Sharing Agreement between Ministry of Social Development and New Zealand Customs Service made on 1 April 2019
the accurate and efficient assessment of the entitlement to, or the eligibility for, any benefit:
the reduction in the amount of money owed by beneficiaries to the Crown. http://www.msd.govt.nz http://www.customs.govt.nz Ministry of Social Development
the individual’s full name:
the individual’s date of birth:
the individual’s gender:
the individual’s nationality:
the individual’s citizenship:
the number of the individual’s New Zealand travel document:
the individual’s flight or craft details:
the port where the individual boarded their plane or craft:
the port where the individual disembarked from their plane or craft:
the unique number generated for the individual’s movement by the New Zealand Customs Service’s computer systems:
the time, date, and place of the individual’s— Name of agreement Public service(s) to be facilitated by agreement Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement
departure from New Zealand; or
arrival in New Zealand. Information Sharing Agreement between Registrar-General and New Zealand Police made on 9 September 2019 Assisting New Zealand Police to perform its functions relating to the maintenance of the law specified in section 9 of the Policing Act 2008 https://www.police.govt.nz https://www.dia.govt.nz New Zealand Police (a) death information if an individual’s death is registered in New Zealand:
name change information if an individual’s name change is registered, and the individual’s birth is registered in New Zealand:
name change information if an individual’s name change is registered, but the individual’s birth is not registered in New Zealand:
non-disclosure direction made, withdrawn, or expired in relation to an individual’s birth information:
non-disclosure direction made, withdrawn, or expired in relation to an individual’s name change information, if the individual’s birth is registered in New Zealand:
non-disclosure direction made, withdrawn, or expired in relation to an individual’s name change information, if the individual’s birth is not registered in New Zealand. Information Sharing Agreement between
the efficient provision of identity services: https://www.dia.govt.nz Department of Internal Affairs (a) birth information:
death information:
marriage information: Name of agreement Department of Internal Affairs and Registrar-General made on 18 October 2019 Public service(s) to be facilitated by agreement
the prevention, detection, investigation, and prosecution of offences:
the conduct of civil proceedings. Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement
civil union information:
name change information:
celebrant information:
overseas death information:
overseas name change information:
overseas marriage and civil union information:
citizenship information:
New Zealand passport information:
New Zealand emergency travel document information:
New Zealand certificate of identity information:
New Zealand refugee travel document information:
communications information:
customer alerts:
contact details:
name change lodgements. Information Sharing Agreement facilitating customer nominated services made on 4 May 2020
the accurate and efficient assessment of eligibility for and entitlement to receive public services that an individual applies for or decides to utilise:
the accurate and efficient delivery of public services that an individual applies for or decides to utilise:
the prevention, detection, investigation, and prosecution of offences, and the conduct of civil https://www.dia.govt.nz Department of Internal Affairs (1) identifying information:
citizenship information:
New Zealand passport information:
New Zealand certificate of identity information:
New Zealand refugee travel document information:
electronic identity credential application information:
birth information: Name of agreement Public service(s) to be facilitated by agreement proceedings, including judicial review Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement
pre-sexual assignment or reassignment:
death information:
marriage information:
civil union information:
name change information:
name change lodgements:
overseas death information:
overseas name change information:
overseas marriage and civil union information:
non-disclosure directions information:
driver licence information:
driver licence images:
demerit points:
information relating to current debt to the Crown held by New Zealand Transport Agency, Ministry of Education, Ministry of Social Development, Registrar of Motor Vehicles, and RUC collector (as defined in section 5(1) of the Road User Charges Act 2012):
information relating to historic debt to the Crown held by New Zealand Transport Agency, Ministry of Education, Ministry of Social Development, Registrar of Motor Vehicles, and RUC collector (as defined in section 5(1) of the Road User Charges Act 2012): Name of agreement Public service(s) to be facilitated by agreement Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement
information relating to current debt to the Accident Compensation Corporation:
information relating to historic debt to the Accident Compensation Corporation:
parents’ or caregivers’ contact details:
confirmation individual known to Ministry of Social Development:
current visa information:
historic visa information:
details of known or suspected offending relevant to consideration of an individual’s liability for deportation:
English proficiency:
a notification from Ministry of Business, Innovation, and Employment that more information exists in relation to an individual’s character that is potentially relevant to a good character test:
assessment of character:
travel movements:
overseas birth information:
overseas citizenship information:
overseas passport and certificate of identity information:
information in overseas police reports held by Ministry of Name of agreement Public service(s) to be facilitated by agreement Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement Business, Innovation, and Employment:
confirmation individual known to Ministry of Education Information sharing agreement between Inland Revenue Department, New Zealand Police, New Zealand Customs Service, and Serious Fraud Office made on 27 July 2020 The maintenance of public safety. Law enforcement and crime prevention, in particular, the prevention, detection, and investigation of serious crimes and the provision of evidence of serious crimes http://www.ird.govt.nz http://www.police.govt.nz http://www.customs.govt.nz http://www.sfo.govt.nz Inland Revenue (a) tax information:
financial transaction information:
information about assets:
employment information:
personal record information:
social assistance information:
other personal information that Inland Revenue Department discovers in the course of performing its usual functions and duties Information Sharing Agreement Facilitating Access to Information about Deaths made on 22 November 2022
the accurate and efficient assessment of eligibility for and entitlement to receive public services:
the accurate and efficient delivery (c) https://www.dia.govt.nz Department of Internal Affairs (a) identifying information:
death information:
overseas death notifications:
birth information:
marriage information:
civil union information of public services by the Registrar- General and the other public sector agencies that are parties: the provision by the Registrar- General of accurate death information and overseas death information to parties that are New Zealand private sector agencies for their use in accordance with the agreement and clause 10 of the Privacy (Information Sharing Agreement Facilitating Access to Information about Deaths) Order 2023: Name of agreement Public service(s) to be facilitated by agreement
mortality reviews and advice on how to reduce preventable deaths:
the prevention, detection, investigation, and prosecution of offences, and the conduct of civil proceedings, including judicial review Internet address where copy of agreement can be accessed Lead agency for agreement Description of personal information or type of personal information to be shared under agreement Schedule 2: amended, on 1 July 2023, by clause 12(2) of the Privacy (Information Sharing Agreement between Inland Revenue and Ministry of Social Develop‐ ment) Amendment Order 2023 (SL 2023/80). Schedule 2: amended, on 20 April 2023, by clause 18 of the Privacy (Information Sharing Agreement Facilitating Access to Information about Deaths) Order 2023 (SL 2023/43). Schedule 2: amended, on 17 June 2022, by clause 4(1) of the Privacy Act (Schedule 2) Order 2022 (SL 2022/142). Schedule 2: amended, on 17 June 2022, by clause 4(2) of the Privacy Act (Schedule 2) Order 2022 (SL 2022/142). Schedule 2: amended, on 17 June 2022, by clause 4(3) of the Privacy Act (Schedule 2) Order 2022 (SL 2022/142). Schedule 2: amended, on 8 October 2021, by clause 10 of the Privacy (Information Sharing Agreement between Inland Revenue and Ministry of Social Develop‐ ment) Amendment Order 2021 (LI 2021/300). Version as at
Privacy Act 2020 Schedule 3 Schedule 3 Identity information Accessing agency Purpose of access Holder agency ss 165, 168 Department of Corrections To verify the identity of—
a person under control or supervision (as defined in section 3(1) of the Corrections Act 2004):
a person who, under section 30B of the Bail Act 2000, has been granted bail with an electronic monitoring condition Department of Internal Affairs MBIE (Immigration) Ministry of Health and Health New Zealand and Māori Health Authority (only in relation to special patients, restricted patients, and special care recipients) Ministry of Justice New Zealand Police New Zealand Transport Agency Registrar-General Department of Internal Affairs To verify the identity of a person who has applied for the issue of—
a New Zealand travel document:
a certificate of New Zealand citizenship:
an electronic identity credential Department of Corrections MBIE (Immigration) Ministry of Health and Health New Zealand and Māori Health Authority (only in relation to special patients, restricted patients, and special care recipients) New Zealand Police New Zealand Transport Agency MBIE (Immigration) To verify the identity of a person—
who is seeking to travel to New Zealand:
who is arriving in or departing from New Zealand:
who is applying for a visa:
who an immigration officer has good cause to suspect—
has committed an offence against the Department of Corrections Department of Internal Affairs Ministry of Health and Health New Zealand and Māori Health Authority (only in relation to special patients, restricted patients, and special care recipients) Ministry of Justice New Zealand Customs Service New Zealand Police New Zealand Transport Agency Registrar-General Schedule 3 Privacy Act 2020 Version as at 6 December 2023 Accessing agency Purpose of access Holder agency Immigration Act 2009:
has obtained a visa under a fraudulent identity:
is liable for deportation or turnaround:
is unlawfully in New Zealand Ministry of Health and Health New Zealand and Māori Health Authority To verify the identity of a person who—
is being admitted, or returned, to a hospital as a special patient or restricted patient; or
is being admitted, or returned, to a secure facility as a special care recipient Department of Corrections Department of Internal Affairs MBIE (Immigration) New Zealand Police Registrar-General New Zealand Customs Service To verify the identity of a person who—
is in a Customs- controlled area; and
is departing, or attempting to depart, from New Zealand Department of Corrections Department of Internal Affairs MBIE (Immigration) Ministry of Health and Health New Zealand and Māori Health Authority (only in relation to special patients, restricted patients, and special care recipients) New Zealand Transport Agency Registrar-General New Zealand Police To verify the identity of a person—
whose identifying particulars have been taken under section 32 or 33 of the Policing Act 2008:
whose identifying particulars have been taken under section Department of Corrections Department of Internal Affairs MBIE (Immigration) Ministry of Health and Health New Zealand and Māori Health Authority (only in relation to special patients, restricted patients, and special care recipients) Version as at
Privacy Act 2020 Schedule 3 Accessing agency Purpose of access Holder agency 11 of the Returning Offenders (Management and Information) Act 2015:
who has breached, has attempted to breach, or is preparing to breach a condition of any sentence, or order imposed under any enactment, that the person not leave New Zealand New Zealand Customs Service New Zealand Transport Agency Registrar-General Registrar-General To verify the identity of a person who has applied for the registration of a name change MBIE (Immigration) Ministry of Health and Health New Zealand and Māori Health Authority (only in relation to special patients, restricted patients, and special care recipients) New Zealand Police New Zealand Transport Agency Note:
References in this schedule to the Department of Internal Affairs are references to the parts of the Department of Internal Affairs that administer the Citizenship Act 1977 and the Passports Act 1992.
References in this schedule to MBIE (Immigration) are references to the part of the Ministry of Business, Innovation, and Employment that administers the Immigration Act 2009.
References in this schedule to the Registrar-General are references to the Registrar-General appointed under section 124(1) of the Births, Deaths, Marriages, and Relationships Registration Act 2021, and include a Deputy Registrar-General. Schedule 3: amended, on 1 July 2022, by section 104 of the Pae Ora (Healthy Futures) Act 2022 (2022 No 30). Schedule 3 note 3: amended, on 15 June 2023, by section 147 of the Births, Deaths, Marriages, and Relationships Registration Act 2021 (2021 No 57). Schedule 4 Privacy Act 2020 Version as at 6 December 2023 Schedule 4 Law enforcement information
Subject Description Access available to ss 172, 173 Court document processing Particulars of proceedings in respect of which informations are to be laid or charging documents filed; the acceptance of data for and the preparation of associated documents Police Serious Fraud Office Department of Corrections Legal Services Commissioner, limited only to finding out whether an applicant for criminal legal aid has any charges currently pending determination by the courts Details of hearings Details of hearings of proceedings in respect of which informations have been laid or charging documents have been filed, including convictions, sentences, and all other matters ancillary and subsequent to a determination Police (access is limited so as to exclude details relating to young persons, being persons over 14 years but under 18 years, where the offence did not carry a liability to imprisonment) New Zealand Transport Agency (access is limited to traffic cases only) Serious Fraud Office (access is limited so as to exclude details relating to young persons, being persons over 14 years but under 18 years, where the offence did not carry a liability to imprisonment) Department of Corrections Legal Services Commissioner, for the purpose of determining an application for a grant of legal aid (access is limited so as to exclude details relating to young persons, being persons over 14 years but under 18 years, where the offence did not carry a liability to imprisonment) Ministry of Justice (access for the purpose of responding to requests for criminal conviction histories) Enforcement of fines and other orders Non-performance of bail conditions Particulars of writs, warrants, or orders in force and issued or made on default in the payment of fines or other monetary sums ordered in proceedings; particulars of the persons to whom the writs, warrants, or orders relate; and particulars of fines, sentences, or orders imposed or made against those persons, including the amounts remaining payable thereunder and the arrangements for payment Records relating to failure to comply with bail conditions Police Department of Corrections Legal Services Commissioner, for the purpose of determining an application for a grant of legal aid in relation to a criminal matter Ministry of Justice (access for the purpose of responding to requests for criminal conviction histories) Police Version as at
Privacy Act 2020 Schedule 4 Subject Description Access available to entered under section 39(3) of the Bail Act 2000
Subject Description Access available to Driver licence stop orders Particulars of each order served, cancelled, or terminated, the full name, full address, telephone number, driver licence number, and date of birth of the person on whom the order was served; the date and time when the order was served on the person, the date of the cancellation or termination of the order, and any amendments required, as at the date of service, cancellation, or termination, to the person’s full address and telephone number New Zealand Transport Agency (access is limited to recording, on the driver licence register, the service, cancellation, or termination of an order and any amendments required to the person’s full address and telephone number, and to replacing a driver licence following the cancellation or termination of the order)
Subject Description Access available to Details of overseas hearings Details of hearings of overseas proceedings before overseas courts, including convictions, sentences, and all other matters ancillary and subsequent to a determination Ministry of Justice Department of Corrections Serious Fraud Office Ministry of Business, Innovation, and Employment (access is limited to obtaining information for the purposes of section 52 of the Outer Space and High-altitude Activities Act 2017) Offender identity Particulars of the identity of persons who have been charged with an offence Department of Corrections (access is limited to identity details for the purposes of—
entering information relating to prosecutions initiated otherwise than by the Police; or
undertaking criminal history checks of persons wishing to visit prisons who have consented to such a check; or
research conducted by the department, and with the limitation that information so obtained must not be published in a form that could reasonably be expected to identify the individual concerned) Ministry of Justice (access is limited to— Schedule 4 Privacy Act 2020 Version as at 6 December 2023 Subject Description Access available to
identity details for the purposes of—
entering information relating to prosecutions initiated otherwise than by the Police; or
providing assistance to victims in accordance with the Sentencing Act 2002, the Parole Act 2002, the Victims’ Rights Act 2002, and the Prisoners’ and Victims’ Claims Act 2005; or
updating an existing database of court proceedings; or
obtaining information for the purpose of research conducted by the Ministry, and with the limitation that information so obtained must not be published in a form that could reasonably be expected to identify the individual concerned) Ministry of Business, Innovation, and Employment (access is limited to obtaining information for the purposes of section 52 of the Outer Space and High-altitude Activities Act 2017) Victim identity The name, sex, date of birth, address, and telephone number of persons who are the victims of a criminal offence in respect of which another person has been charged Medical details An indicator to identify persons who are or have been special patients under the Mental Health (Compulsory Assessment and Treatment) Act 1992 or any former Act and the hospitals at which those persons are or have been detained as special patients, or as committed patients, or as patients (within the meaning of that Act) Ministry of Justice (access is limited to identity details for the purpose of providing assistance to victims in accordance with the Sentencing Act 2002, the Parole Act 2002, the Victims’ Rights Act 2002, and the Prisoners’ and Victims’ Claims Act 2005) New Zealand Transport Agency (access is limited to obtaining information for the purposes of—
section 19 of the Land Transport Act 1998; or
subpart 2 of Part 4A of the Land Transport Act 1998) Department of Corrections Ministry of Justice Traffic offence and infringement enforcement and document processing Traffic offence and infringement enforcement processing, including infringement fees enforcement and preparation of documents New Zealand Transport Agency Ministry of Justice (access is limited to obtaining information for the purpose of processing cases before a court) Legal Services Commissioner (access is limited to obtaining information for the Version as at
Privacy Act 2020 Schedule 4 Subject Description Access available to purpose of processing cases before a court, and for determining an application for a grant of legal aid relating to a criminal matter) Vehicles of interest Particulars of motor vehicles stolen, unlawfully taken, missing, abandoned, or found, or where location is for other reasons required to be known by the Police Registrar of Motor Vehicles (access is limited so as to exclude any particulars that the Police may determine in any case) Vehicles impounded under Land Transport Act 1998 Particulars of an impounded vehicle, including make, model, type, registration plate number, vehicle identification number; the section of the Land Transport Act 1998 under which it is impounded, the date on which it was impounded, and the place where it is impounded; whether any appeals are yet to be determined; particulars of the person who was driving the vehicle immediately before its impoundment, including the full name, full address, telephone number, occupation, driver licence number, and date of birth of that person and the same particulars also for every other person who is registered in respect of the vehicle Ministry of Justice (access is limited to giving effect to action taken, under Part 3 of the Summary Proceedings Act 1957, to enforce the payment of fines, reparation, and related payments) Wanted persons Particulars concerning persons wanted for arrest New Zealand Transport Agency (access is limited to obtaining information for the purposes of—
subpart 2 of Part 4A of the Land Transport Act 1998:
carrying out the functions conferred on the Agency by section 95(1) of the Land Transport Management Act 2003)
the Director of Land Transport carrying out the functions conferred on the Director by section 104B of the Land Transport Management Act 2003 Ministry of Justice (access is limited to persons wanted in connection with fines enforcement) Ministry of Business, Innovation, and Employment (access is limited to obtaining information for the purposes of section 52 of the Outer Space and High-altitude Activities Act 2017) Schedule 4 Privacy Act 2020 Version as at 6 December 2023 Subject Description Access available to Missing persons Particulars concerning persons missing or required to be located Firearms licences Particulars of persons authorised to possess firearms in accordance with the Arms Act 1983 New Zealand Transport Agency (access is limited so as to exclude any particulars that the Police may determine in any case) Ministry of Justice (access is limited to persons required to be located in connection with fines enforcement) Ministry of Justice (access is limited to identity details of persons who possess firearms, where that information is required for the purpose of serving orders made under the Family Violence Act 2018) Firearms prohibition order Details of firearms prohibition orders made under the Arms Act 1983 Department of Corrections (access is limited to obtaining information about any offender who is subject to a firearms prohibition order while also subject to—
a full-time custodial sentence (including while released on parole or subject to conditions imposed under section 93 of the Sentencing Act 2002); or
a sentence of supervision, intensive supervision, community work, or community detention; or
a non-association order; or
a sentence of home detention (including while subject to post- detention conditions); or
an extended supervision order; or
a public protection order, a prison detention order, or a protective supervision order under the Public Safety (Public Protection Orders) Act 2014 Access is for the purpose of managing the offender’s sentence, any post-sentence conditions, any post-sentence supervision, or any order under the Public Safety (Public Protection Orders) Act 2014 in a manner consistent with the conditions of any firearms prohibition order) Protection orders Details of protection orders made under the Domestic Violence Act 1995 Department of Corrections (access is limited to obtaining information about any offender who is subject to a protection order while also subject to—
a full-time custodial sentence (including while released on parole or subject to conditions imposed under section 93 of the Sentencing Act 2002); or
a sentence of supervision, intensive supervision, community work, or community detention; or Version as at
Privacy Act 2020 Schedule 4 Subject Description Access available to
a non-association order; or
a sentence of home detention (including while subject to post- detention conditions); or
an extended supervision order; or
a public protection order, a prison detention order, or a protective supervision order under the Public Safety (Public Protection Orders) Act 2014 Access is for the purpose of managing the offender’s sentence, any post-sentence conditions, any post-sentence supervision, or any order under the Public Safety (Public Protection Orders) Act 2014 in a manner consistent with any protection order) Restraining orders Details of restraining orders made under the Harassment Act 1997 Non-contact orders Details of non-contact orders made under the Victims’ Orders Against Violent Offenders Act 2014 Department of Corrections (access is limited to obtaining information about any offender who is subject to a restraining order while also subject to—
a full-time custodial sentence (including while released on parole or subject to conditions imposed under section 93 of the Sentencing Act 2002); or
a sentence of supervision, intensive supervision, community work, or community detention; or
a non-association order; or
a sentence of home detention (including while subject to post- detention conditions); or
an extended supervision order; or
a public protection order, a prison detention order, or a protective supervision order under the Public Safety (Public Protection) Orders Act 2014 Access is for the purpose of managing the offender’s sentence, any post-sentence conditions, any post-sentence supervision, or any order under the Public Safety (Public Protection Orders) Act 2014 in a manner consistent with any restraining order) Department of Corrections (access is limited to obtaining information about any offender who is subject to a non-contact order while also subject to—
a full-time custodial sentence (including while released on parole or subject to an extended Schedule 4 Privacy Act 2020 Version as at 6 December 2023 Subject Description Access available to supervision order made under section 107I of the Parole Act 2002 or to conditions imposed under section 93 of the Sentencing Act 2002); or
a sentence of intensive supervision, community detention, community work, or supervision; or
a non-association order; or
a sentence of home detention (including while subject to post- detention conditions); or
an extended supervision order; or
a public protection order, a prison detention order, or a protective supervision order under the Public Safety (Public Protection) Orders Act 2014 Access is for the purpose of managing the offender’s sentence, any post-sentence conditions, any post-sentence supervision, or any order under the Public Safety (Public Protection Orders) Act 2014 in a manner consistent with any non-contact order)
Subject Description Access available to Driver licence register (except photographic images on driver licences) A national register of all driver licences Department of Corrections Ministry of Justice Police Serious Fraud Office Road User Charges Collector (access is limited to obtaining information for the purpose of verifying the identity of people who are or apply to be holders of licences issued under the Road User Charges Act 2012) Registrar of Motor Vehicles (access is limited to obtaining information for the purposes of—
verifying the identity of people who are or apply to be registered on the register of motor vehicles in respect of motor vehicles; or
correcting or updating information held on the register of motor vehicles about such people) Transport services licensing register A national register of all transport service licences Police Version as at
Privacy Act 2020 Schedule 4 Subject Description Access available to Demerit points The recording of demerit points in relation to traffic offences Police Rail licensing register Traffic offence and infringement enforcement and document processing A national register of all licences under the Railways Act 2005 Traffic offence and infringement enforcement processing, including infringement fees enforcement and preparation of documents Police Police (access is limited to obtaining information for the purposes of—
conducting road policing activities and enforcing the Land Transport Act 1998 (including any rules and regulations made under that Act):
preventing or lessening a serious threat to public health or public safety, or the life or health of an individual, where a motor vehicle is or is likely to be involved:
helping to locate vehicles that were involved, or were likely to be involved, in the commission of offences) Ministry of Justice (access is limited to obtaining information for the purpose of processing cases before a court) Legal Services Commissioner (access is limited to obtaining information for the purpose of processing cases before a court, and for determining an application for a grant of legal aid relating to a criminal matter)
Subject Description Access available to Motor vehicles register A national register of all motor vehicles Ministry of Justice (including for the purpose of enforcing civil debts) Police Serious Fraud Office WorkSafe New Zealand (access is limited to name and address details of persons who are or were previously registered in respect of a specified vehicle for the purposes of enforcing the health and safety at work legislation) Ministry of Business, Innovation, and Employment (access is limited to name and address details of persons who are or were previously registered in respect of a specified vehicle for the purposes of enforcing immigration legislation) Ministry for Primary Industries (access is limited to name and address details of persons who are or were previously Schedule 4 Privacy Act 2020 Version as at 6 December 2023 Subject Description Access available to registered in respect of a specified vehicle for the purposes of enforcing fisheries legislation and any other enactment that confers enforcement powers on fisheries officers) New Zealand Customs Service (access is limited to obtaining information for the purposes of enforcing legislation for which the Service has enforcement powers) New Zealand Transport Agency (access is limited to obtaining information for the purposes of—
the Agency carrying out the functions conferred on the Agency by section 95(1) of the Land Transport Management Act 2003:
the Director of Land Transport carrying out the functions conferred on the Director by section 104B of the Land Transport Management Act 2003) Legal Services Commissioner (access is limited to obtaining information for the purpose of determining an applicant’s financial eligibility for a grant of legal aid in relation to a criminal matter) An enforcement authority under the Land Transport Management Act 2003. Plumbers, Gasfitters, and Drainlayers Board (access is limited to name and address details of persons who are or were previously registered in respect of a specified vehicle for the purposes of the Board carrying out the functions conferred on the Board by sections 87J(3)(b) and 87K(2)(b) of the Plumbers, Gasfitters, and Drainlayers Act 2006)
Subject Description Access available to Road user charges Details of licences issued under the Road User Charges Act 2012 and details of the corresponding licence holders Police (access is limited to obtaining information for the purpose of enforcing the Road User Charges Act 2012) New Zealand Transport Agency (access is limited to obtaining information for the purposes of—
the Agency carrying out the functions conferred on the Agency by section 95(1) of the Land Transport Management Act 2003: Version as at
Privacy Act 2020 Schedule 4 Subject Description Access available to
the Director of Land Transport carrying out the functions conferred on the Director by section 104B of the Land Transport Management Act 2003)
Subject Description Access available to Community-based sentences, sentences of home detention, and conditions of release Extended supervision orders Particulars of persons—
released on probation or parole, or released on conditions under Part 6 of the Criminal Justice Act 1985, or sentenced to supervision; or
released on parole, home detention, or compassionate release under subpart 2 of Part 1 of the Parole Act 2002 or sentenced to supervision, intensive supervision, community work, community detention, or home detention. Details of extended supervision orders made under Part 1A of the Parole Act 2002 Police (access is limited to—
the person’s area of reporting:
in the case of a person released from a prison, the conditions of the person’s release (whether imposed on release or imposed or varied subsequently, and including any direction issued to that person by a probation officer)) Ministry of Justice Police (access is for the purpose of managing the conditions of the extended supervision order) Records of prisoners Particulars of prisoners in a prison, including the date of release from the prison Police (access is limited to the location and the date of release of the prisoner) Ministry of Justice Schedule 4 New Zealand Transport Agency records: amended, on 1 November 2023, by section 55 of the Land Transport (Road Safety) Amendment Act 2023 (2023 No 62). Schedule 4 Police records: amended, on 15 November 2022, by section 16 of the Firearms Prohib‐ ition Orders Legislation Act 2022 (2022 No 41). Schedule 4 Police records: amended, on 1 April 2021, by section 175(1) of the Land Transport (NZTA) Legislation Amendment Act 2020 (2020 No 48). Schedule 4 Registrar of Motor Vehicles records: amended, on 6 December 2023, by section 56 of the Self-contained Motor Vehicles Legislation Act 2023 (2023 No 24). Schedule 4 Registrar of Motor Vehicles records: amended, on 1 April 2021, by section 175(1) of the Land Transport (NZTA) Legislation Amendment Act 2020 (2020 No 48). Schedule 4 Road User Charges Collector records: amended, on 1 April 2021, by section 175(1) of the Land Transport (NZTA) Legislation Amendment Act 2020 (2020 No 48). Schedule 5 Privacy Act 2020 Version as at 6 December 2023 Schedule 5 Information matching provisions ss 177, 188 Enactment Information matching provision Accident Compensation Act 2001 Sections 246, 280, and 281 Births, Deaths, Marriages, and Relationships Registration Act 2021 Section 112 Citizenship Act 1977 Section 26A Corrections Act 2004 Sections 180 to 180D and 181 Customs and Excise Act 2018 Sections 306 to 310 Education and Training Act 2020 clause 9 of Schedule 3 and clauses 7, 8, and 9 of Schedule 9 Electoral Act 1993 Sections 263A and 263B Electronic Identity Verification Act 2012 Section 39 Immigration Act 2009 Sections 294, 295, 298, 299, and 300 Motor Vehicle Sales Act 2003 Sections 120 to 123 Social Security Act 2018 Section 385(3), clauses 13 and 15 of Schedule 6 Student Loan Scheme Act 2011 Section 208 Tax Administration Act 1994 Clauses 41, 42, 43, and 45 of Schedule 7 Schedule 5 Births, Deaths, Marriages, and Relationships Registration Act 1995: repealed, on 15 June 2023, by section 147 of the Births, Deaths, Marriages, and Relationships Registration Act 2021 (2021 No 57). Schedule 5 Births, Deaths, Marriages, and Relationships Registration Act 2021: inserted, on 15 June 2023, by section 147 of the Births, Deaths, Marriages, and Relationships Registration Act 2021 (2021 No 57). Schedule 5 Education Act 1989: repealed, on 1 August 2020, by section 668 of the Education and Training Act 2020 (2020 No 38). Schedule 5 Education and Training Act 2020: inserted, on 1 August 2020, by section 668 of the Edu‐ cation and Training Act 2020 (2020 No 38). Version as at
Privacy Act 2020 Schedule 6 Schedule 6 Information matching rules
ss 177, 178, 189
Agencies involved in an authorised information matching programme must take all reasonable steps (which may consist of or include public notification) to ensure that the individuals who will be affected by the programme are noti‐ fied of the programme.
Nothing in subclause (1) requires an agency to notify any individual about an authorised information matching programme if to do so would be likely to frus‐ trate the objective of the programme.
Except as provided in any other enactment, unique identifiers may not be used as part of any authorised information matching programme unless their use is essential to the success of the programme.
The agency primarily responsible for the operation of an authorised informa‐ tion matching programme must establish and maintain detailed technical stand‐ ards to govern the operation of the programme.
The technical standards established by an agency in accordance with subclause (1) must deal with the following matters:
the integrity of the information to be matched, with particular reference to—
key terms and their definition; and
relevance, timeliness, and completeness:
the matching techniques to be used in the programme, with particular reference to—
the matching algorithm:
any use of unique identifiers:
the nature of the matters being sought to be identified by the matching process:
the relevant information definitions:
the procedure for recognising matches:
the controls being used to ensure the continued integrity of the pro‐ gramme, including the procedures that have been established to confirm the validity of matching results: Schedule 6 Privacy Act 2020 Version as at 6 December 2023
the security features included within the programme to minimise and audit access to personal information, including the means by which the information is to be transferred between agencies.
The technical standards established in accordance with subclause (1) must be incorporated in a written document (in this clause, a Technical Standards Report), and copies of the Technical Standards Report must be held by all agencies that are involved in the authorised information matching programme.
Variations may be made to a Technical Standards Report by way of a Variation Report appended to the original report.
The agency that prepares a Technical Standards Report must forward a copy of that report, and of every Variation Report appended to that report, to the Com‐ missioner.
The Commissioner may at any time direct that a Technical Standards Report be varied, and that direction must be complied with by the agency that prepared the report.
Every agency involved in an authorised information matching programme must comply with the requirements of the associated Technical Standards Report (including any variations made to the report).
The agencies involved in an authorised information matching programme must establish reasonable procedures for confirming the validity of discrepancies before an agency seeks to rely on them as a basis for action in respect of an individual.
Subclause (1) does not apply if the agencies concerned consider that there are reasonable grounds to believe that the results are not likely to be in error, and in forming that view the agencies must have regard to the consistency in content and context of the information being matched.
Where those confirmation procedures do not take the form of checking the results against the source information, but instead involve direct communica‐ tion with the individual affected, the agency that seeks to rely on the discrep‐ ancy as a basis for action in respect of an individual must notify the individual affected that no check has been made against the information which formed the basis for the information supplied for the programme.
Every notification in accordance with subclause (3) must include an explan‐ ation of the procedures that are involved in the examination of a discrepancy revealed by the programme.
In this clause, information matching information means— Version as at
Privacy Act 2020 Schedule 6
information that is disclosed to an agency under an information match‐ ing provision for use in an authorised information matching programme; and
information that is produced from an authorised information matching programme.
Information matching information held by an agency that does not reveal a dis‐ crepancy must be destroyed as soon as practicable by the agency.
An agency that holds information matching information that reveals a discrep‐ ancy must destroy that information within 60 working days after becoming aware of the discrepancy unless the agency decides to take adverse action against any individual on the basis of that discrepancy.
An agency that decides to take adverse action against any individual on the basis of a discrepancy must destroy the information as soon as practicable after the information is no longer required.
This clause does not apply in relation to the Inland Revenue Department.
Subject to subclauses (2) and (3), the agencies involved in an authorised infor‐ mation matching programme must not permit the information used in the pro‐ gramme to be linked or merged in such a way that a new separate permanent register or databank of information is created about all or any of the individuals whose information has been subject to the programme.
Subclause (1) does not prevent an agency from maintaining a register of indi‐ viduals in respect of whom further inquiries are warranted following a discrep‐ ancy revealed by the programme, but information relating to an individual may be maintained on a register of that kind only for so long as is necessary to enable those inquiries to be carried out, and in no case longer than is necessary to enable any adverse action to be taken against an individual.
Subclause (1) does not prevent an agency from maintaining a register for the purpose of excluding individuals from being selected for investigation, but that register may contain only the minimum amount of information necessary for that purpose. Schedule 7 Privacy Act 2020 Version as at 6 December 2023 Schedule 7 Amendments to other enactments related to subpart 4 of Part 7
s 190 Schedule 7: repealed, on the close of 8 December 2020, by section 191 of the Privacy Act 2020 (2020 No 31). Version as at
Privacy Act 2020 Schedule 8 Schedule 8 Basic principles of national application set out in Part Two of OECD Guidelines ss 193, 200 Collection limitation principle There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. Data quality principle Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to- date. Purpose specification principle The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are speci‐ fied on each occasion of change of purpose. Use limitation principle Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose specification principle above] except:
with the consent of the data subject; or
by the authority of law. Security safeguards principle Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data. Openness principle There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establish‐ ing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. Individual participation principle An individual should have the right:
to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; Schedule 8 Privacy Act 2020 Version as at 6 December 2023
to have communicated to him, data relating to him— • within a reasonable time; • at a charge, if any, that is not excessive; • in a reasonable manner; and • in a form that is readily intelligible to him;
to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended. Accountability principle A data controller should be accountable for complying with measures which give effect to the principles stated above. Version as at
Privacy Act 2020 Schedule 9 Schedule 9 Consequential amendments
s 217 Schedule 9: repealed, on the close of 8 December 2020, by section 218 of the Privacy Act 2020 (2020 No 31). Notes Privacy Act 2020 Version as at 6 December 2023 Notes
General This is a consolidation of the Privacy Act 2020 that incorporates the amend‐ ments made to the legislation so that it shows the law as at its stated date.
Legal status A consolidation is taken to correctly state, as at its stated date, the law enacted or made by the legislation consolidated and by the amendments. This presump‐ tion applies unless the contrary is shown. Section 78 of the Legislation Act 2019 provides that this consolidation, pub‐ lished as an electronic version, is an official version. A printed version of legis‐ lation that is produced directly from this official electronic version is also an official version.
Editorial and format changes The Parliamentary Counsel Office makes editorial and format changes to con‐ solidations using the powers under subpart 2 of Part 3 of the Legislation Act 2019. See also PCO editorial conventions for consolidations.
Amendments incorporated in this consolidation Land Transport (Road Safety) Amendment Act 2023 (2023 No 62): section 55 Self-contained Motor Vehicles Legislation Act 2023 (2023 No 24): section 56 Privacy (Information Sharing Agreement between Inland Revenue and Ministry of Social Develop‐ ment) Amendment Order 2023 (SL 2023/80): clause 12(2) Privacy (Information Sharing Agreement Facilitating Access to Information about Deaths) Order 2023 (SL 2023/43): clause 18 Statutes Amendment Act 2022 (2022 No 75): Part 31 Firearms Prohibition Orders Legislation Act 2022 (2022 No 41): section 16 Data and Statistics Act 2022 (2022 No 39): section 107(1) Pae Ora (Healthy Futures) Act 2022 (2022 No 30): section 104 Privacy Act (Schedule 2) Order 2022 (SL 2022/142) Te Ture mō te Hararei Tūmatanui o te Kāhui o Matariki 2022/Te Kāhui o Matariki Public Holiday Act 2022 (2022 No 14): wehenga 7/section 7 Births, Deaths, Marriages, and Relationships Registration Act 2021 (2021 No 57): section 147 Legislation Act (Amendments to Legislation) Regulations 2021 (SL 2021/247): regulation 85 Secondary Legislation Act 2021 (2021 No 7): section 3 Privacy (Information Sharing Agreement between Inland Revenue and Ministry of Social Develop‐ ment) Amendment Order 2021 (LI 2021/300): clause 10 Land Transport (NZTA) Legislation Amendment Act 2020 (2020 No 48): section 175(1) Public Service Act 2020 (2020 No 40): sections 125–129 Education and Training Act 2020 (2020 No 38): section 668 Privacy Act 2020 (2020 No 31): sections 191, 218 Version as at
Privacy Act 2020 Wellington, New Zealand: Published under the authority of the New Zealand Government—2023