Privacy Act 2020, ss 69–70

You can complain to the Privacy Commissioner if:

• there’s been a breach of the privacy rules (for example, a breach of one of the privacy principles in the Privacy Act or the rules in a code of practice), and
• that breach caused (or may cause) some kind of loss or harm, including non-financial harm such as humiliation or loss of dignity.

An example could be if your doctor discloses medical information about you to an insurance company without your permission, and on the basis of that information your insurance claim is turned down.

It’s also an interference with your privacy if an organisation refuses, without a proper basis, to give you access to your information or to correct information after you’ve asked for a correction (see in this chapter “How you can access your information, and correct it if necessary”). But in these cases, unlike with other breaches of the privacy rules, you don’t have to show that the breach caused you some kind of loss or harm.

Under the Privacy Act 1993, you could only make a complaint if the breach of information happened to you. From 1 December 2020, any person can make a complaint to the Privacy Commissioner on behalf of someone or a group of people.

Privacy Act 2020, s 72

You can complain verbally or in writing, but if you complain verbally you should put the complaint in writing as soon as possible. The Privacy Commissioner can help you with putting the complaint in writing.

To complain in writing you can write a letter yourself or you can fill in the complaint form that’s available from the Privacy Commissioner. The Commissioner also provides guidance on the type of information to include in the complaint.

Privacy Act 2020, ss 74–78

The Privacy Commissioner will decide whether to investigate your complaint, and if they do investigate, will decide whether there’s been a breach of the privacy laws that has caused you, or someone else, loss or harm. The Commissioner can refer the complaint to the Ombudsman if the Commissioner thinks this would be more appropriate (for information about the Ombudsman, see the chapter “Dealing with government agencies”). At every stage of the investigation the Commissioner will try to help the two sides resolve the complaint.

Privacy Act 2020, ss 123, 133

Note: Under the Privacy Act 1993 the Privacy Commissioner couldn’t fine or prosecute an organisation, or order it to pay compensation, for breaching the privacy laws. From 1 December 2020 the Privacy Commissioner has the power to issue compliance notices to make an organisation do or stop something. If they don’t comply they could get a penalty of up to $10,000.

Privacy Act 2020, s 78

If your complaint isn’t settled during the investigation, the Privacy Commissioner will form a provisional opinion on how the law applies to the complaint. This will be sent to both sides, giving both sides an opportunity to comment. Once the Commissioner has taken those comments into account, and if the complaint is still not settled or withdrawn, the Commissioner will come to a final opinion.

The Privacy Commissioner’s opinions on privacy complaints aren’t legally binding, but they’re taken seriously.

If the Commissioner decides that your complaint is justified, they may refer it to the Director of Human Rights Proceedings, who will decide whether to take the case to the Human Rights Review Tribunal.

Privacy Act 2020, ss 97–103

If your complaint goes to the Human Rights Review Tribunal, it will make a decision about whether there has been a breach of the privacy laws, and can award you damages (the payment of money) and other remedies. (For more information about going to the Tribunal, see “Taking action: what you can do if you’re discriminated against” in the chapter “Discrimination”.)

Note: If the Privacy Commissioner thinks there hasn’t been an interference of your privacy, you can still take the matter to the Human Rights Review Tribunal yourself.