The Privacy Act 2020

Contents hide
Our State Highway 1 of privacy law
Application
Information privacy principles
IPP1: Purpose of collection of personal information
IPP2: Source of personal information
IPP3: Collection of information from subject
IPP4: Manner of collection of personal information
IPP5: Storage and security of personal information
IPP6: Access to personal information
IPP7: Correction of personal information
IPP8: Accuracy of personal information to be checked before use or disclosure
IPP9: Personal information not to be kept for longer than necessary
IPP10: Limits on use of personal information
IPP11: Limits on disclosure of personal information
IPP12: Disclosure of personal information outside New Zealand
IPP13: Unique identifiers
Exceptions and exemptions
IPPs’ in-built exceptions
Specific laws override IPPs
Access requests are subject to Part 4
Personal information collected or held for personal or domestic affairs
Intelligence and security agencies
Correction principle does not apply to personal information collected under Statistics Act
Privacy Commissioner’s authorisation power
Codes of practice
Information sharing mechanisms
Approved information sharing agreements
Information matching programmes
Complaints for interferences with privacy
Notifiable privacy breaches
Other remedies available to the Privacy Commissioner
Compliance notices
Access directions

Our State Highway 1 of privacy law

Like its predecessor (the Privacy Act 1993), the Privacy Act 2020 contains a core set of principles relating to the collection, use, storage, disclosure and retention, by public and private sector agencies, of information relating to individuals. It can be thought of as our State Highway 1 of privacy law.

This article explains:

  • the range of “agencies” to which the Act applies;
  • the 13 information principle principles;
  • the Act’s exceptions and exemptions;
  • codes of practice;
  • information sharing mechanisms under the Act (beyond the IPPs);
  • the ability to complain to the Privacy Commissioner where there has been an interference with privacy;
  • notifiable privacy breaches; and
  • other remedies available to the Privacy Commissioner.

Application

Act applies to agencies

The Act applies to the conduct of “agencies”. In particular, it applies to:

  • a “New Zealand agency” in relation to any action it takes in respect of any personal information it collects or holds;
  • an “overseas agency” in relation to any action it takes in the course of carrying on business in New Zealand in respect of personal information it collects or holds; and
  • an individual who is not ordinarily resident in New Zealand in relation to any action the individual takes in respect of personal information collected when the individual was in New Zealand or personal information the individual held when in New Zealand (even if collected overseas).

What’s a New Zealand agency?

A “New Zealand agency” is an individual ordinarily resident in New Zealand, a public sector agency, a New Zealand private sector agency, or a court or tribunal (except in relation to its judicial functions), unless the organisation is among the handful of organisations to which the Act does not apply. That handful of organisations includes the Parliamentary Service Commission, the Ombudsmen, inquiries, and news entities to the extent that they are carrying on news activities.

What’s an overseas agency?

An “overseas agency” is an overseas person, body corporate, or unincorporated body that is not: a New Zealand agency, or the Government of an overseas country, or an overseas government entity to the extent that the entity is performing any public function on behalf of the overseas Government, or a news entity (to the extent that it is carrying on news activities).

Significantly, the Act states that an overseas agency may be treated as carrying on business in New Zealand without necessarily being a commercial operation, or having a place of business in New Zealand, or receiving any monetary payment for the supply of goods or services, or intending to make a profit from its business in New Zealand.

The 2020 Act is intended to have broad application to, for example, international digital platforms that carry on business in New Zealand. The Office of the Privacy Commissioner has said:

“If an international digital platform is carrying on business in New Zealand, with … New Zealanders’ personal information, there will be no question that they will be obliged to comply with New Zealand law regardless of where they, or their servers are based.”

There may be practical enforcement-related questions here, just as there are with the extra-territorial reach of the EU’s GDPR, but the 2020 Act embodies what international law calls “prescriptive jurisdiction” over the conduct of overseas agencies where that conduct affects the privacy of individuals in New Zealand. (For a helpful summary of the differences between “prescriptive jurisdiction” and “enforcement jurisdiction”, see IAPP’s “Privacy across borders: Enforcement and prescriptive jurisdiction“.)

Personal information

“Personal information” is “information about an identifiable individual and includes information relating to a death that is maintained by the Registrar-General under the Births, Deaths, Marriages, and Relationships Registration Act 1995, or any former Act” (section 2(1)).

Information is personal information when it identifies a person and information can also be personal information if it can be linked to an individual when combined with other available information. In other words, information can be personal information even if the individual is only identifiable with the use of extrinsic information or knowledge.

There are many types of personal information, including:

  • names, addresses, phone numbers and email addresses;
  • unique identifiers, like IRD numbers;
  • photos, videos or audio recordings;
  • financial or medical records;
  • ethnicity, and iwi and hapu affiliation;
  • religious details;
  • records of a person’s transactions;
  • handwritten notes, opinions and allegations; and
  • records of interactions with a client or customer.

Depending on the context, personal information may also include information relating to an individual’s property to the extent that this information says something about the individual themself, distinct from, for example, a company through which the individual may run a business. (On this latter point, see generally the Privacy Commissioner’s Advisory Opinion – NZPC-AO 001/2016).

Information privacy principles

Section 22 sets out 13 information privacy principles (IPPs) which are summarised below.

IPP1: Purpose of collection of personal information

Under IPP1, personal information must not be collected unless:

  • the collection is for a lawful purpose connected with a function or activity of the agency collecting the information; and
  • it is necessary to collect the information for that purpose.

IPP1 uses the language of ‘necessary for the purpose’ rather than ‘reasonably necessary’. However, it is generally accepted that an agency does not need to show that it absolutely must collect the information in order to achieve its purpose. Rather, it needs to show that it is reasonably necessary to collect it. See the Office of the Privacy Commissioner’s website.

Note that when IPP1 applies, if a collecting agency can achieve its purpose without collecting identifying information (personal identifiers such as name and residential address), then it shouldn’t collect identifying information. IPP1(2) states: “If the lawful purpose for which personal information about an individual is collected does not require the collection of an individual’s identifying information, the agency may not require the individual’s identifying information.”

IPP2: Source of personal information

Under IPP2, personal information must be collected from the individual concerned. The exceptions to this are when the agency collecting the information believes on reasonable grounds that:

  • the interests of the individual concerned are not prejudiced;
  • complying with this principle would prejudice the purposes of collection;
  • the individual concerned authorises collection of the information from someone else;
  • the information is publicly available;
  • it is necessary to avoid prejudice to the maintenance of the law by any public sector agency, or to enforce a law that imposes a pecuniary penalty, or to protect public revenue, or for the conduct of court or tribunal proceedings, or to prevent or lessen a serious threat to the life or health of any individual;
  • complying with this principle would not be reasonably practicable in the circumstances of the particular case;
  • the information will not be used in a form that identifies the individual; or
  • the information will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

IPP3: Collection of information from subject

Under IPP3, if an agency collects personal information directly from individuals it must, unless an exception applies, take such steps (if any) as are, in the circumstances, reasonable to inform the individuals of:

  • the fact that the information is being collected;
  • the purpose(s) of collection;
  • the intended recipients;
  • the names and addresses of who is collecting the information and who will hold it;
  • if a specific law governs provision of the information, what the law is and whether provision of information is voluntary or mandatory;
  • the consequences if all or any part of the requested information is not provided, and
  • the individual’s rights of access to and to request correction of personal information.

The collecting agency doesn’t need to take these steps if it has already done so in relation to the same personal information, or information of the same kind, on a recent previous occasion, or if the agency believes on reasonable grounds that:

  • non-compliance would not prejudice the interests of the individual concerned;
  • non-compliance is necessary to avoid prejudice to the maintenance of the law by any public sector agency, or to enforce a law that imposes a pecuniary penalty, or to protect public revenue, or for the conduct of court or tribunal proceedings;
  • complying with this principle would prejudice the purposes of collection;
  • complying with this principle is not reasonably practical in the particular case; or
  • the information will not be used in a form in which the individual concerned is identified, or will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

IPP4: Manner of collection of personal information

Under IPP4, an agency that collects personal information needs to collect it by a means:

  • that is lawful; and
  • that, in the circumstances (particularly in circumstances where personal information is being collected from children or young persons), is fair and does not intrude to an unreasonable extent upon the personal affairs of those individuals.

IPP5: Storage and security of personal information

Under IPP5, an agency holding personal information must ensure that:

  • there are reasonable safeguards against loss; unauthorised access, use, modification or disclosure; and other misuse; and
  • if it is necessary to give information to another person, such as someone working on contract, everything reasonable is done to prevent unauthorised use or unauthorised disclosure of the information.

IPP6: Access to personal information

Under IPP6:

  • individuals are entitled to access personal information that an agency holds about them; and
  • if an individual is given access to their personal information, the individual must be advised that, under IPP7, the individual may request the correction of that information.

There are situations where an agency can say no to a person requesting access to their personal information. The grounds on which an access request can be refused (in whole or part) are spread across 5 sections in the Act.

Click to see a summary of the grounds on which an access request can be refused

Protection of individual or public (section 49)Evaluative material (section 50)Security, defence or international relations (section 51)Trade secrets (section 52)Other reasons (section 53)
  • Serious threat: Disclosure would be likely to pose a serious threat to the life, health, or safety of any individual, or to public health or public safety
  • Harassment: Disclosure would create a significant likelihood of serious harassment of an individual
  • Victim of offence: Disclosure would include disclosure of information about another person who: is the victim of an offence or alleged offence, and would be caused significant distress, loss of dignity, or injury to feelings by disclosure of the information
  • Prejudice to health: The agency is satisfied, after consultation (where practicable) with the individual’s health practitioner, that the information relates to the physical or mental health of the requestor, and disclosure of it would be likely to prejudice the health of the individual
  • Under 16: The individual is under the age of 16 and disclosure would be contrary to their interests
  • Prejudice to safe custody or rehabilitation: the information is about an individual convicted of an offence or who is or has been detained in custody, and disclosure would be likely to prejudice their safe custody or rehabilitation

  • Confidential supply of evaluative material to your agency: The personal information is evaluative material, and disclosure of it or of information identifying the person who supplied it would breach an express or implied promise made to the person who supplied it to the effect that the information or the identity of the person who supplied it, or both, would be held in confidence
  • Confidential supply of evaluative material by your agency to another agency: The personal information is evaluative material that was made available by your agency to another agency, and that other agency may refuse to disclose the information under the ground above

Evaluative material” is evaluative or opinion material compiled sole for the purpose of:

  • determining the individual’s suitability, eligibility, or qualifications for: employment or appointment to office, or promotion in employment or office or continuance in employment or office; or removal from employment or office; or the awarding of contracts, awards, scholarships, honours, or other benefits; or
  • determining whether any contract, award, scholarship, honour, or benefit should be continued, modified, or cancelled; or
  • deciding whether to insure, or continue or renew the insurance of, any individual or property

but excluding any such material compiled by a person employed or engaged by an agency in the ordinary course of that person’s employment or duties.

  • Prejudice to NZ security, defence or international relations: Disclosure would be likely to prejudice New Zealand’s security or defence, or international relations
  • Prejudice to entrusting of confidential information: Disclosure would be likely to prejudice the entrusting of information to the Government on a basis of confidence by the government or an agency of government of another country or by any international organisation
  • Prejudice to security or defence of Cook Islands etc: Disclosure would be likely to prejudice the security or defence of the Cook Islands, Niue, Tokelau, or the Ross Dependency
  • Prejudice to relations between certain Governments: Disclosure would be likely to prejudice relations between any of the Governments of New Zealand, the Cook Islands, and Niue
  • Prejudice to international relations of Cook Islands or Niue: Disclosure would be likely to prejudice the international relations of the Government of the Cook Islands or Niue.

  • Protection of trade secret: Making the information available would disclose a trade secret, unless, in the circumstances of the particular case, withholding the information is outweighed by other considerations that make it desirable, in the public interest, to make the information available
  • Prejudice to commercial position of supplier or subject of the information: The information needs protecting because making the information available would be likely to unreasonably prejudice the commercial position of the person who supplied the information or who is the subject of the information, unless, in the circumstances of the particular case, withholding the information is outweighed by other considerations that make it desirable, in the public interest, to make the information available

  • Information doesn’t exist: the information requested does not exist or, despite reasonable efforts to locate it, cannot be found
  • Unwarranted disclosure of another’s affairs: disclosure would involve the unwarranted disclosure of the affairs of another individual or a deceased person
  • Prejudice to maintenance of the law: disclosure would be likely to prejudice the maintenance of the law by any public sector agency, including the prevention, investigation, and detection of offences; and the right to a fair trial
  • Legal professional privilege: disclosure would breach legal professional privilege
  • Information in material in library / museum / archive: disclosure would be of information contained in material placed in a library or museum or archive, and would breach a condition subject to which the material was placed
  • Contempt of court or Parliament: disclosure would constitute contempt of court or of the House of Representatives
  • Criminal Disclosure Act: the request is made by a defendant or their agent and is for information that could be sought under the Criminal Disclosure Act 2008, or that could be sought by the defendant under that Act and that has been disclosed to, or withheld from, the defendant under that Act
  • Frivolous etc request: the request is frivolous or vexatious, or the information requested is trivial

If you’ve received a request for access to personal information and need some help responding to it, you can use Ariella, our Privacy Act 2020 access request bot. Ariella will ask some questions to help you figure out how to deal with the request, and will then provide you with a suggested letter or letters you’ll need when responding.

IPP7: Correction of personal information

Under IPP7, everyone is entitled to:

  • request correction of their personal information; and
  • request that if it is not corrected, a statement is attached to the original information saying that a correction was sought (a statement of correction).

If agencies have already passed on personal information that they then correct or to which they then attach a statement of correction, they must (so far as is reasonably practicable) inform the recipients of that.

IPP8: Accuracy of personal information to be checked before use or disclosure

Under IPP8, an agency must not use or disclose personal information without taking any steps that are, in the circumstances, reasonable to ensure it is accurate, up to date, complete, relevant, and not misleading.

IPP9: Personal information not to be kept for longer than necessary

Under IPP9, an agency holding personal information must not keep it for longer than is required for the purposes for which the information may be lawfully used.

IPP10: Limits on use of personal information

Under IPP10, personal information obtained in connection with one purpose must not be used for another, unless an exception applies.

As to the exceptions, personal information can be used for another purpose if an agency believes on reasonable grounds that:

  • the use is directly related to the purpose for which the information was obtained;
  • the information is used in a form in which individuals are not identified;
  • the information is used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify individuals;
  • the individual concerned has authorised the use;
  • the agency got the information from a publicly available publication and, in the circumstances, it would not be unfair or unreasonable to use the information;
  • the use is necessary to avoid prejudice to the maintenance of the law by any public sector agency, to enforce a law that imposes a pecuniary penalty, to protect public revenue, or for the conduct of court or tribunal proceedings; or
  • the use is necessary to prevent or lessen a serious and imminent threat to public health or safety, or the life or health of any individual.

In addition, an intelligence and security agency that holds personal information that was obtained for one purpose may use the information for another purpose if the agency believes on reasonable grounds that using the information for the other purpose is necessary to enable the agency to perform any of its functions.

Sometimes people wonder whether a use is “directly related” to the purpose for which the information was obtained. The Office of the Privacy Commissioner has a useful summary on its website of what you need to consider.

IPP11: Limits on disclosure of personal information

Under IPP11, an agency must not disclose personal information it holds unless the agency believes on reasonable grounds that one of the listed exceptions applies. Those exceptions are that:

  • the disclosure is in connection with, or directly related to, one of the purposes for which it was obtained
  • disclosure is to the individual concerned
  • disclosure is authorised by the individual concerned
  • the agency got the information from a publicly available publication and, in the circumstances, it would not be unfair or unreasonable to disclose the information
  • disclosure of the information is necessary to avoid prejudice to the maintenance of the law by a public sector agency, or to enforce a law that imposes a pecuniary penalty, or to protect public revenue, or for the conduct of court or tribunal proceedings
  • disclosure is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual
  • disclosure is necessary to enable an intelligence and security agency to perform any of its functions
  • the information is to be used in a form in which the individual concerned is not identified, or is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned
  • disclosure is necessary to facilitate the sale or other disposition of a business as a going concern.

IPP12: Disclosure of personal information outside New Zealand

IPP12 regulates the disclosure of personal information outside New Zealand. Its seeks to ensure that, when information is disclosed offshore, there are comparable safeguards to those in the Privacy Act. In essence, an agency can only disclose personal information to a foreign person or entity (i.e., overseas), in reliance on certain listed IPP11 exceptions, if one of a number of conditions is satisfied.

A “foreign person or entity” is defined as:

  • an individual who is neither present in New Zealand nor ordinarily resident in New Zealand
  • a body, incorporated or unincorporated, that is not established under the law of New Zealand and does not have its central control and management in New Zealand, or
  • the Government of an overseas country.

To understand IPP12, we need to understand the IPP11 exceptions it applies to, and the conditions it lists. We also need to understand when IPP12 does not apply.

The relevant IPP11 exceptions are those where:

  • the disclosure is in connection with, or directly related to, one of the purposes for which it was obtained;
  • disclosure is authorised by the individual concerned;
  • disclosure of the information is necessary to avoid prejudice to the maintenance of the law by a public sector agency, or to enforce a law that imposes a pecuniary penalty, or to protect public revenue, or for the conduct of court or tribunal proceedings;
  • disclosure is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual;
  • the information is to be used in a form in which the individual concerned is not identified, or is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or
  • disclosure is necessary to facilitate the sale or other disposition of a business as a going concern

The conditions in IPP12 are:

  • the individual authorises the disclosure after being told by the agency (A) that the offshore entity (B) may not be required to protect the information in a way that provides comparable safeguards to those in the Privacy Act;
  • B is carrying on business in New Zealand and, in relation to the information, A believes on reasonable grounds that B is subject to the Act;
  • A believes on reasonable grounds that B is subject to privacy laws that provide comparable safeguards to those in the Act;
  • A believes on reasonable grounds that B is a participant in a “prescribed binding scheme”;
  • A believes on reasonable grounds that B is subject to privacy laws of a “prescribed country”; or
  • A otherwise believes on reasonable grounds that B is required to protect the information in a way that, overall, provides comparable safeguards to those in the Act (for example, under an agreement entered into between A and B).

“Prescribed binding scheme” means a binding scheme specified in regulations and “prescribed country” means a country specified in regulations. There are no such regulations yet.

IPP12 does not apply:

  • where information is disclosed offshore in reliance on IPP11 exceptions not mentioned in IPP12:
    • disclosure is to the individual concerned;
    • publicly available information;
    • disclosure is necessary to enable an intelligence and security agency to perform its functions;
  • where personal information is disclosed to B (offshore) in reliance on IPP11(1)(e) (maintenance of law etc) or IPP11(1)(f) (serious threat) and it’s not reasonably practicable for the agency (A) to comply; or
  • to cloud service providers and others who, broadly speaking, act as agents for the agency in New Zealand and don’t use the information for their own purposes (in these cases, there is no “disclosure” and so IPPs 11 and 12 are not triggered – see section 11).

IPP13: Unique identifiers

The Privacy Act defines “unique identifier”, in relation to an individual, as “an identifier other than the individual’s name that uniquely identifies the individual”. Examples of unique identifiers are SWNs (Social Welfare/Client Numbers), driver’s licence numbers, passport numbers, student ID numbers, and IRD numbers. Once an agency has assigned such an identifier to an individual, the unique identifier is personal information about the person.

IPP13 contains the four main rules relating to unique identifiers:

  • an agency (A) may assign a unique identifier to an individual for use in its operations only if that identifier is necessary to enable A to carry out 1 or more of its functions efficiently;
  • A may not assign to an individual a unique identifier that, to A’s knowledge, is the same unique identifier as has been assigned to that individual by another agency (B), unless:
    • A and B are associated persons within the meaning of subpart YB of the Income Tax Act 2007; or
    • the unique identifier is to be used by A for statistical or research purposes and no other purpose;
  • A must take any steps that are, in the circumstances, reasonable to ensure that a unique identifier is assigned only to an individual whose identity is clearly established, and that the risk of misuse of a unique identifier by any person is minimised (for example, by showing truncated account numbers on receipts or in correspondence); and
  • an agency may not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or is for a purpose that is directly related to one of those purposes.

IPP13 also clarifies that A does not “assign” a unique identifier to an individual by simply recording a unique identifier assigned to the individual by B for the sole purpose of communicating with B about the individual.

Exceptions and exemptions

The Act contains a number of exceptions and exemptions to the default positions in the IPPs.

IPPs’ in-built exceptions

As is apparent from the summary of the IPPs above, many of the principles have built-in exceptions.

Specific laws override IPPs

Further, and importantly, section 24 of the Act states, in effect, that if another statute is contrary to certain privacy principles or authorises or requires conduct that the principles would not, then that other statute will prevail over the relevant principles. In other words, the privacy principles are subordinate to other laws which govern, for example, the collection, use or sharing of personal information. At the same time, it’s important to note that it’s common for specific laws to override certain principles (such as IPPs1, 2, 10 or 11), while leaving the other principles untouched and fully effective. A good example of this is IPP3 (Collection of information from subject). It is very uncommon for a law that authorises or requires  the collection of personal information from individuals, to override IPP3.

Access requests are subject to Part 4

As noted above, specific exceptions to IPP6 (Access to personal information) are set out in Part 4 of the Act.

Personal information collected or held for personal or domestic affairs

Under section 27:

  • IPPs 1 to 3 and 4(b) do not apply to individuals who are collecting personal information solely for the purposes of, or in connection with, their personal or domestic affairs; and
  • IPPs 5 to 12 do not apply to individuals who are holding personal information that was collected by a lawful means solely for the purposes of, or in connection with, their personal or domestic affairs.

Note, however, that these exemptions do not apply if the collection, use, or disclosure of the personal information would be highly offensive to a reasonable person.

Intelligence and security agencies

Under section 28 IPPs 2, 3, and 4(b) (which relates to the means of collection being fair and not unreasonably intrusive) do not apply to personal information collected by an intelligence and security agency (the New Zealand Security Intelligence Service and the Government Communications Security Bureau).

Correction principle does not apply to personal information collected under Statistics Act

Under section 29(2), IPP7 does not apply to personal information collected by Statistics New Zealand under the Statistics Act 1975.

Privacy Commissioner’s authorisation power

The Privacy Commissioner has a limited power under section 30, on application from an agency, to authorise the collection, use, storage or disclosure of personal information that would otherwise be in breach of IPP 2 or IPPs 9 to 12. Section 30 contains constraints as to when this power can be used and, as noted in a blog post on the Office of the Privacy Commissioner’s website (in relation to the corresponding provision under the Privacy Act 1993), it is seldom used in practice.

Codes of practice

The Privacy Act gives the Privacy Commissioner the power to issue codes of practice that become part of the law (the provisions for which are set out in Part 3, Subpart 2 of the Act). These codes may modify the operation of the Act for specific industries, agencies, activities or types of personal information. Codes usually modify one or more of the information privacy principles to take account of special circumstances which affect a class of agencies or a class of information. The rules established by a code may be more stringent or less stringent than the principles they replace. Codes can be amended or revoked by the Privacy Commissioner.

Codes of practice are “disallowable instruments” (a term that describes delegated legislation that must be presented to the House of Representatives and can be disallowed by the House). As such, they must be presented to the House and will be subject to scrutiny by the Regulations Review Committee.

Codes of practice currently in force are as follows:

  • Civil Defence National Emergencies (Information Sharing) Code 2020;
  • Credit Reporting Privacy Code 2020;
  • Health Information Privacy Code 2020;
  • Justice Sector Unique Identifier Code 2020;
  • Superannuation Schemes Unique Identifier Code 2020; and
  • Telecommunications Information Privacy Code 2020.

These are all available on the Privacy Commissioner’s website.

Information sharing mechanisms

Approved information sharing agreements

The purpose of Subpart 1 (Information sharing) of Part 7 (Sharing, accessing, and matching personal information) is to authorise agencies to share personal information in accordance with an approved information sharing agreement (AISA) to facilitate the provision of public services.

As the Office of the Privacy Commissioner explains in its A to Z of Approved Information Sharing Agreements (AISAs) (March 2015):

“An AISA authorises agreed departures from the privacy principles (except principles 6 and 7 – access and correction rights) if there is a clear public policy justification and the privacy risks of doing so are managed appropriately.

An AISA is a means of obtaining agreement about when agencies will share personal information and in what circumstances. This can provide a high degree of certainty about the sharing of information.”

For the following reasons, getting an AISA in place can be a time-consuming process:

  • an AISA must address certain matters set out in section 144 and the parties to it must negotiate and agree upon its content;
  • the Privacy Commissioner will expect to see a privacy impact assessment on what is proposed;
  • the agreement requires approval by way of Order in Council under section 145;
  • the Order in Council must address a range of matters specified in sections 146-147;
  • the relevant Minister who recommends the making of the Order in Council must be satisfied of certain matters set out in section 149 before recommending the making of the Order in Council; and
  • there must have been consultation on the proposed agreement in accordance with section 150.

These and other requirements are explained in OPC’s A to Z guide mentioned above.

Information matching programmes

Subpart 4 (Authorised information matching programmes) of Part 7 relates to information matching programmes that are authorised by an information matching provision. An “information matching programme” is (in essence) the comparison of documents containing personal information for the purpose of producing or verifying information that could be used to take adverse action against an individual. Adverse actions include cancelling payments, imposing fines, or investigating offences. “Information matching provisions” are specific statutory sharing/matching provisions in other legislation that are listed in the Privacy Act as information matching provisions.

Under the Privacy Act 1993, these kinds of programmes needed to comply with a range of rules. The Privacy Act 2020 enabled information matching programmes that were in place prior to repeal of the Privacy Act 1993 to continue, with the same set of rules applying to them. Schedule 7 to the 2020 Act made a range of amendments to information matching provisions to allow existing programmes to continue, but no new programmes to be entered into (AISAs are to be used instead).

Complaints for interferences with privacy

Under Part 5 of the Act, any individual may may make a complaint to the Privacy Commissioner alleging that an agency has interfered with the individual’s privacy. An agency’s action is an  “interference with privacy” if the action:

  • breaches an IPP privacy principle, or an AISA, or an information matching agreement, or section 115 (which requires an agency to give notice to affected individuals or the public of a notifiable privacy breach) ; and
  • the action has caused or may cause a kind of harm referred to in the Act.

Harm can be in the nature of:

  • loss, detriment, damage, or injury to the individual;
  • an adverse effect on the individual’s rights, benefits, privileges, obligations, or interests; or
  • significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.

An unjustified refusal to allow a person to access their personal information or to correct personal information when requested is also an interference with privacy. There is no need to establish harm for these kinds of interference with privacy.

For more information on complaints and what the Privacy Commissioner can do, see the Office of the Privacy Commissioner’s website.

Notifiable privacy breaches

Under the Privacy Act 2020, an agency must notify the Privacy Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred (section 114). A “notifiable privacy breach” is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so (section 112(1)).

“Serious harm” is not defined. However, when an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider:

  • any action taken by the agency to reduce the risk of harm following the breach;
  • whether the personal information is sensitive;
  • the nature of the harm that may be caused to affected individuals;
  • the person or body that has obtained or may obtain personal information as a result of the breach (if known);
  • whether the personal information is protected by a security measure, and any other relevant matters (section 113).

An agency must notify affected individuals as soon as practicable after becoming aware that a notifiable privacy breach has occurred, unless:

  • section 113(2) applies (which requires a public notice of the breach where it’s not reasonably practicable to notify an affected individual or each member of a group of affected individuals, unless an exception in section 116 applies or a delay is permitted under section 116(4)), or
  • an exception in section 116 applies or a delay is permitted under section 116(4).

The Act contains a number of important exceptions that agencies will need to be familiar with (see section 116) and it specifies content requirements for notifications to the Privacy Commissioner and to affected individuals (see section 117).

An agency that fails (without reasonable excuse) to notify the Commissioner of a notifiable privacy breach commits an offence and is liable on conviction to a fine not exceeding $10,000 (section 118). In addition, the Privacy Commissioner may publish the identity of an agency that has notified the Commissioner of a notifiable privacy breach if the agency consents to publication or the Commissioner is satisfied it’s in the public interest to do so (section 122).

Other remedies available to the Privacy Commissioner

Compliance notices

Under the 2020 Act’s new compliance notice regime, the Privacy Commissioner may issue a compliance notice if the Commissioner believes that 1 or more of the following have occurred:

  • a breach of the Act, including a breach of an IPP, breach of an approved information sharing agreement or information matching agreement, or not notifying individuals of a privacy breach when required to do so;
  • an action that is to be treated as a breach of an IPP or an interference with the privacy of an individual under another Act;
  • a breach of a code of practice issued under the Privacy Act or a code of conduct (or similar) issued under another Act (if a complaint about a breach of the code can be the subject of a complaint under Part 5 of the Privacy Act) (section 123(1)).

If the Privacy Commissioner issues a compliance notice, the notice must describe the breach and require the agency to remedy the breach (section 125(1)). A compliance notice can also:

  • identify particular steps that the Commissioner considers need to be taken to remedy the breach include conditions that the Commissioner considers are appropriate;
  • state the date or dates by which the agency must remedy the breach and report to the Commissioner on the steps taken to do so; and
  • include other information that the Commissioner considers would be useful (section 125(2)).

Before issuing a compliance notice, the Commissioner may, but is not required to:

  • assess whether any person has suffered harm; or
  • use other means under the Act or another Act for dealing with the breach (section 123(2)).

Note, here, that compliance notices may be issued in the absence of harm. Compliance notices could cover the likes of, for example:

  • agencies failing to comply with their transparency obligations under IPP3; or
  • agencies collecting personal information in a misleading manner, contrary to IPP4, or agencies failing to secure personal information provided to them as required by IPP5.

Access directions

Under the Privacy Act 2020, the Privacy Commissioner has a new power to require an agency to give individuals access to their personal information. Under section 92, the Commissioner may direct an agency to provide an individual access to the individual’s personal information in any manner that the Commissioner considers appropriate.