The Privacy Act 2020: Understanding Your Fundamental Rights
The Privacy Act 2020 is New Zealand's primary law governing how organisations and businesses, referred to as agencies, collect, use, store, and disclose personal information [Source: Privacy Act 2020, s 3, s 8]. Personal information is defined as information about an identifiable individual [Source: Privacy Act 2020, s 7]. The Act is designed to protect an individual's privacy by setting out rules that agencies must follow.
Core Principles for Personal Information
The foundation of individual rights under the Privacy Act 2020 lies in the Information Privacy Principles (IPPs). These are 13 principles that govern the lifecycle of personal information, from its collection to its disposal [Source: Privacy Act 2020, Schedule 1].
Key rights derived from these principles include:
- Right to know why information is collected (IPP 1): An agency must collect personal information only if it is for a lawful purpose connected with a function or activity of the agency, and the collection is necessary for that purpose [Source: Privacy Act 2020, Schedule 1, clause 1].
- Right to know the source of information (IPP 2): Generally, agencies should collect personal information directly from the individual concerned [Source: Privacy Act 2020, Schedule 1, clause 2].
- Right to be informed about collection (IPP 3): When an agency collects personal information directly from an individual, it must take reasonable steps to ensure the individual is aware of the fact that the information is being collected, the purpose of collection, the intended recipients of the information, the names and addresses of the agencies collecting and holding the information, and the individual's rights of access to and correction of the information [Source: Privacy Act 2020, Schedule 1, clause 3].
- Right to have accurate information (IPP 8): An agency that holds personal information must take reasonable steps to ensure that the information is accurate, up to date, complete, and not misleading before using or disclosing it [Source: Privacy Act 2020, Schedule 1, clause 8].
- Right to limits on use (IPP 10): An agency that holds personal information obtained in connection with one purpose must not use that information for another purpose unless certain conditions are met, such as the individual's authorisation or if the new purpose is directly related to the original purpose [Source: Privacy Act 2020, Schedule 1, clause 10].
- Right to limits on disclosure (IPP 11): An agency that holds personal information must not disclose the information to another person or agency unless certain conditions are met, including that the disclosure is for one of the purposes in connection with which the information was obtained, or with the individual's consent [Source: Privacy Act 2020, Schedule 1, clause 11].
Right to Access Your Personal Information
Individuals have a fundamental right to request confirmation from an agency as to whether it holds personal information about them. If an agency does hold such information, the individual has the right to access that information [Source: Privacy Act 2020, Schedule 1, clause 6]. This right allows individuals to see what data agencies have collected about them. The "individual concerned" is the person to whom the personal information relates [Source: Privacy Act 2020, s 7].
Agencies must respond to a request for access to personal information as soon as reasonably practicable, and no later than 20 working days after receiving the request [Source: Privacy Act 2020, s 39(1)]. While there are specific grounds under which an agency may refuse an access request, these are limited and specified in the Act [Source: Privacy Act 2020, s 49].
Right to Request Correction of Personal Information
If an individual believes that personal information held about them by an agency is inaccurate, incomplete, misleading, or out of date, they have the right to request that the agency correct that information [Source: Privacy Act 2020, Schedule 1, clause 7].
If an agency agrees to correct the information, it must take reasonable steps to do so. If an agency refuses to correct the information, the individual has the right to request that the agency attach a statement of the correction sought to the information [Source: Privacy Act 2020, Schedule 1, clause 7(4)]. The agency must respond to a correction request within 20 working days [Source: Privacy Act 2020, s 41].
Notifiable Privacy Breaches
Agencies have an obligation to notify the Privacy Commissioner and affected individuals if there is a notifiable privacy breach [Source: Privacy Act 2020, s 114]. A notifiable privacy breach is a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or is likely to do so [Source: Privacy Act 2020, s 112]. This helps individuals understand when their personal information may have been compromised and take appropriate steps.
When to Seek Independent Legal Advice
Individuals seeking to understand their specific rights under the Privacy Act 2020 in a particular situation, or who require assistance with a privacy complaint, may find it beneficial to consult the Office of the Privacy Commissioner or their local Community Law Centre for free legal information. For complex matters, advice from a qualified legal professional is appropriate.
Key Resources
- Privacy Act 2020: https://www.legislation.govt.nz/act/public/2020/0031/latest/whole.html
- Office of the Privacy Commissioner: https://www.privacy.org.nz/
- Community Law Centres Aotearoa: https://communitylaw.org.nz/