Individuals in New Zealand have specific rights regarding their personal information held by businesses and organisations, collectively known as 'agencies'. These rights include accessing and correcting their information, and agencies have clear obligations regarding the timeframes for responding to such requests.
What is an 'Agency'?
Under New Zealand law, an agency is broadly defined as any person or body of persons, whether in the public or private sector, that holds personal information [Source: Privacy Act 2020, s 7]. This includes government departments, companies, sole traders, non-profit organisations, and even individuals who hold personal information in the course of their business.
What is 'Personal Information'?
Personal information is any information about an identifiable individual [Source: Privacy Act 2020, s 7]. This can include names, addresses, contact details, financial information, health records, employment history, and much more.
Right to Access Personal Information
Individuals have the right to ask an agency whether it holds personal information about them, and if so, to access that information [Source: Privacy Act 2020, s 22, Schedule 1, Part 2, Information Privacy Principle 6]. This right ensures transparency regarding what data agencies collect and store about individuals.
Right to Correct Personal Information
If an individual believes that personal information held by an agency is inaccurate, incomplete, or out-of-date, they have the right to request that the agency correct it [Source: Privacy Act 2020, s 22, Schedule 1, Part 2, Information Privacy Principle 7]. If the agency does not agree to make the correction, the individual can ask the agency to attach a statement of correction to the information [Source: Privacy Act 2020, s 22, Schedule 1, Part 2, Information Privacy Principle 7(3)].
Making a Privacy Request
A request for access to or correction of personal information must generally be in writing and should specify the personal information requested [Source: Privacy Act 2020, s 40]. While requests are not always legally required to be in writing (agencies can agree to other formats), it is best practice to submit them in writing to create a clear record.
Response Timeframe for Privacy Requests
Once an agency receives a request for access to or correction of personal information, it has a legal obligation to respond as soon as reasonably practicable. In any case, the response must be provided no later than 20 working days after the request is received [Source: Privacy Act 2020, s 41(1) and s 42(1)]. A working day is defined as a business day, excluding weekends and public holidays [Source: Privacy Act 2020, s 7, referencing Interpretation Act 1999, s 29].
Extending the Timeframe
An agency may extend the 20 working day time limit in certain circumstances. These include situations where:
- The request involves a large quantity of information, and responding within 20 working days would unreasonably interfere with the agency's operations [Source: Privacy Act 2020, s 45(1)(a)].
- Extensive consultations are necessary to make a decision on the request, and those consultations cannot reasonably be completed within 20 working days [Source: Privacy Act 2020, s 45(1)(b)].
- More time is needed to make a decision in the public interest [Source: Privacy Act 2020, s 45(1)(c)].
If an agency decides to extend the timeframe, it must notify the individual who made the request within 20 working days of receiving the request. This notification must state the reasons for the extension and provide an estimated date by which the agency expects to respond [Source: Privacy Act 2020, s 45(2)].
Transferring Requests
If an agency receives a request for personal information that it believes is held by another agency, it may transfer the request. The transferring agency must do this within 10 working days of receiving the request and must notify the individual that the request has been transferred [Source: Privacy Act 2020, s 43(1) and s 43(2)]. The agency that receives the transferred request then has 20 working days from the date it receives the request to respond [Source: Privacy Act 2020, s 43(4)].
Charges for Requests
Generally, agencies cannot charge an individual for making a request for access to or correction of their personal information [Source: Privacy Act 2020, s 47(1)]. However, an agency may charge a reasonable fee for the costs incurred in making the information available, provided the charge is not set at a level that discourages requests. If a charge is to be applied, the agency must inform the individual of the estimated cost [Source: Privacy Act 2020, s 47(2) and s 47(3)].
What if a Request is Refused?
An agency may refuse a request for access to or correction of personal information in limited circumstances, for example, if releasing the information would prejudice the privacy of another individual or compromise national security, or if the request is frivolous or vexatious [Source: Privacy Act 2020, ss 49, 51, 52]. If a request is refused, the agency must provide the reasons for the refusal [Source: Privacy Act 2020, s 54].
If an individual believes that an agency has not complied with their privacy request, they may make a complaint to the Privacy Commissioner [Source: Privacy Act 2020, Part 5].
When to Seek Independent Legal Advice
If an individual or agency requires clarification on specific obligations or rights under the Privacy Act 2020, or assistance with a privacy complaint or complex privacy request, it is advisable to seek independent legal advice. The Office of the Privacy Commissioner provides guidance and handles complaints. Free advice may also be available through Community Law Centres.
Key Resources
- Privacy Act 2020: https://www.legislation.govt.nz/act/public/2020/0031/latest/whole.html
- Office of the Privacy Commissioner: https://www.privacy.org.nz/
- Community Law Centres: https://communitylaw.org.nz/