8.66 The purpose of the Privacy Act 1993 is to promote and protect individual privacy, and in particular to establish principles on:
- collection, use, and disclosure of information relating to individuals; and
- access by individuals to information held about them.
The Act covers both the public and private sectors.
8.67 The Privacy Act covers “personal information”, which is defined in section 2 of the Act as information about an identifiable individual. There are 12 information privacy principles (dealing with the collection, storage, use, and disclosure of personal information, and an individual's right to access his or her personal information and to request correction). Codes of practice that may modify or replace the information privacy principles (such as the Health Information Privacy Code 1994) are also issued from time to time.
8.68 Ministers and departments are responsible for compliance with the law when they collect, use, or disclose information concerning individuals. A breach of the Act may result in legal action, including in some cases an award of damages.
8.69 Each agency must ensure that privacy officers within the agency are assigned responsibility to fulfil the compliance requirements set out in section 23 of the Privacy Act. The Office of the Privacy Commissioner is available for training, advice, and guidance in relation to the operation of the Privacy Act.
8.70 The Government Chief Privacy Officer is responsible for developing standards, issuing guidance, and providing assurance to support the public service in building capability in privacy and security management.
8.71 Ministers should exercise great care in dealing with personal information, and seek advice from the Office of the Privacy Commissioner in cases of doubt. In particular, Ministers and departments must handle personal information in accordance with the information privacy principles, as set out in section 6 of the Privacy Act. Other primary legislative provisions may vary the application of the information privacy principles. Ministers and departments should be aware of, and comply with, any differing approaches in their particular regulatory systems.
8.72 If a Minister requests (from his or her own department) personal information about an individual in order to deal with a portfolio issue, the department may in general provide this information to the Minister unless there is a legal obligation not to do so. The statutory provisions protecting information collected by the Inland Revenue Department are an example of such an obligation. The information privacy principles and any other relevant code should be considered carefully in relation to any such request.
8.73 If a Minister wishes to access information about an individual that is held by a department in another portfolio area, the Minister should, in line with the general principle that Ministers deal only with their own departments, seek assistance from the Minister with responsibility for that area (see paragraph 3.24).
- If the person to whom the information relates requests the information, the request must be considered in accordance with the Privacy Act. Principle 6, in section 6 of the Act, gives individuals a legal right to access such personal information. Part 4 of the Act sets out reasons why such an individual access request may be refused.
- If another person requests the information, the request must be considered in accordance with the Official Information Act. Section 9 of that Act provides that individual privacy may justify withholding the information if there is no overriding public interest in release. It will be important to identify and consider the strengths of all the relevant privacy interests and balance them against the strengths of the competing public interest in its release.
- A release by a Minister or department of information about an individual, in the absence of a request for it, is governed by Principle 11 of the Privacy Act. That principle allows only limited situations in which it would be appropriate to disclose personal information; for example:
  - if the disclosure is directly related to the purposes for which the information was obtained;
  - if disclosure is authorised by the individual concerned; or
  - if disclosure is necessary to prevent a serious threat to public health or the life of another individual.
8.75 Further guidance can be found on the Privacy Commissioner's website.
8.76 The Privacy Commissioner can investigate complaints concerning breaches of the privacy principles in the Privacy Act (and of the rules in any code issued under that Act, such as the Health Information Privacy Code). Such a breach can occur when an individual is denied access to information about them or is wrongly refused the opportunity to correct information about them, or when an individual suffers some form of harm as a result of a breach of a privacy principle, a rule in a code of practice, or an information-matching or information-sharing provision.
8.77 The Privacy Commissioner’s other responsibilities include monitoring proposed legislation to see if it affects the privacy of individuals, and commenting on any privacy problems. The LAC Guidelines give guidance about factors to consider when developing legislative proposals that could affect individual privacy (see paragraph 7.38), including proposed information matching between agencies.