Privacy Act 2020

Purpose of the Act

8.72 The purpose of the Privacy Act 2020 is to promote and protect individual privacy, by:

The Act covers both the public and private sectors.

8.73 The Privacy Act 2020 covers “personal information”, which is defined in section 7 of the Act as information about an identifiable individual. There are 13 information privacy principles (dealing with the collection, storage, use, and disclosure of personal information, and an individual's right to access their personal information and to request correction). Codes of practice that may modify the information privacy principles (such as the Health Information Privacy Code 2020) are also issued from time to time.

Compliance

8.74Ministers and agencies are responsible for compliance with the law when they collect, use, hold, or disclose information concerning individuals. A breach of the Privacy Act 2020 may lead to a complaint to the Privacy Commissioner, or the Privacy Commissioner can take compliance action without receiving a complaint. Agencies that breach the Act can face financial penalties, or may have to provide redress, which could include paying damages. A Minister and agency must not collect personal information unless the collection is necessary for a lawful purpose related to their functions. Section 7 of the Privacy Act 2020 defines “collect” as “to take any step to seek or obtain the personal information, but does not include receipt of unsolicited information”.

8.75Ministers and agencies are also responsible for complying with requirements in the Privacy Act 2020 to notify the Privacy Commissioner and (in most cases) affected individuals of privacy breaches that are likely to cause serious harm.

8.76Ministers are subject to the Privacy Act 2020 in their role as Ministers. They are not subject to the Privacy Act 2020 in their official capacity as members of Parliament. This distinction is set out in relation to official information at paragraph 8.26.

8.77Each agency must appoint a privacy officer for the agency (within or outside the agency) who is assigned responsibility to fulfil the compliance requirements set out in section 201 of the Privacy Act 2020. The Office of the Privacy Commissioner is available for advice and guidance in relation to the operation of the Privacy Act 2020.

8.78The Government Chief Privacy Officer is responsible for developing standards, issuing guidance, and providing assurance to support the public service in building capability in privacy and security management.

Ministerial access to and use of personal information

8.79Ministers should exercise great care in dealing with personal information, and seek advice from the Office of the Privacy Commissioner in cases of doubt. In particular, Ministers and agencies must handle personal information in accordance with the information privacy principles, as set out in section 22 of the Privacy Act 2020. Other primary legislative provisions may vary the application of the information privacy principles. Ministers and agencies should be aware of, and comply with, any differing approaches in their particular regulatory systems.

8.80In the course of their duties, Ministers may have occasion to be provided with or to request personal information held by the agencies for which they are responsible. There are types of disclosure of information that are routine and clearly authorised, such as when the Minister requires personal information to:

Other circumstances involve a case-by-case assessment of whether personal information can be disclosed in connection with a Minister's general portfolio responsibilities and accountability to the House. Decisions by officials to provide personal information to Ministers require judgement and discretion, and should be finely tuned to particular circumstances.

8.81Agencies need to have a clear understanding of the lawful basis on which they are able to disclose personal information to Ministers, and to ensure that any such disclosures comply with the Privacy Act 2020. Before disclosing personal information to a Minister, an agency must be satisfied that the disclosure is consistent with information privacy principle 11 in section 22 of the Act or another statutory provision. It must also consider whether there is a legal obligation under other legislation not to disclose the information (for example, under the statutory provisions protecting information collected by the Inland Revenue Department). The convention of ministerial accountability and the “no surprises” principle do not override the Privacy Act 2020's disclosure principles or other statutory restrictions on disclosure. Best practice is for the agency to consider whether personal details need to be disclosed to adequately inform the Minister, including:

Where the agency believes, on reasonable grounds, that disclosure of personal information to a Minister is one of the purposes for which the information was collected or is directly related to one of those purposes, the disclosure will not be a breach of information privacy principle 11.

8.82If a Minister wishes to access information about an individual that is held by an agency in another portfolio area, the Minister should, in line with the general principle that Ministers deal only with their own agencies, seek assistance from the Minister with responsibility for that area (see paragraph 3.28).

8.83The disclosure of information about an individual by Ministers or agencies is governed by both the Official Information Act 1982 and the Privacy Act 2020.

8.84Parliamentary privilege affords protection to statements made by Ministers as part of parliamentary proceedings, including when answering parliamentary questions (see the Parliamentary Privilege Act 2014). However, the same considerations set out in paragraph 8.83(c) should inform agencies and Ministers when deciding whether and to what extent it is necessary to disclose personal information that may end up becoming part of parliamentary proceedings.

8.85Further guidance can be found on the Office of the Privacy Commissioner website.

Role of the Privacy Commissioner

8.86The Privacy Commissioner can investigate complaints concerning breaches of the privacy principles in the Privacy Act 2020 (and of the rules in any code issued under that Act, such as the Health Information Privacy Code 2020). Such a breach can occur when an individual is denied access to information about them or is wrongly refused the opportunity to correct information about them, or when an individual suffers some form of harm as a result of a breach of a privacy principle, a rule in a code of practice, or an information-matching or information-sharing provision. The Privacy Commissioner can attempt to settle a complaint. If the parties are unable to reach a settlement, the complainant can take a case to the Human Rights Review Tribunal.

8.87The Privacy Commissioner can also inquire into any matter if it appears that the privacy of individuals may be infringed, and can take action to require an agency to comply with the Privacy Act 2020, regardless of whether the non-compliance has been the subject of a complaint.

8.88The Privacy Commissioner's other responsibilities include monitoring proposed legislation to see if it affects the privacy of individuals, and commenting on any privacy problems. The LDAC Guidelines give guidance about factors to consider when developing legislative proposals that could affect individual privacy (see paragraph 7.41) including proposed information sharing.

8.89The Office of the Privacy Commissioner should be consulted about all legislative proposals that have implications for personal information or for individual privacy more broadly. The Privacy Commissioner can also report directly to the Minister of Justice or the Prime Minister about legislation or other developments affecting individual privacy.