Restrictions on people using and giving out your information
Overview
Information must be checked before it’s used
Privacy Act 2020, s 22, information privacy principle 8
A government agency, business or other organisation that holds information about you must not use or disclose the information without taking reasonable steps to make sure the information is accurate, up-to-date, complete, relevant, and not misleading.
How long can organisations keep my information?
Privacy Act 2020, s 22, information privacy principle 9
An organisation that holds information about you must not keep it for longer than is necessary for the purposes for which it was collected. For example, organisations that vet employees for jobs can’t keep information about those employees indefinitely, even though it may be appropriate for them to keep that information for a short time to protect themselves against legal action.
This principle encourages organisations to think about how long they need to keep information. They also need to take into account any specific laws that require information to be kept for certain minimum periods of time, such as tax information and health information.
Limits on use of your information
Privacy Act 2020, s 22, information privacy principle 10
Personal information that has been collected for one purpose can’t later be used for another purpose unless the organisation or person using it believes on reasonable grounds that:
- the other purpose is directly related to the purpose for which the information was originally collected, or
- you won’t be identified, or
- you’ve agreed to the information being used for the other purpose, or
- the information is publicly available and it wouldn’t be unfair or unreasonable to use it for the other purpose, or
- using it for the other purpose is necessary to enforce the law, or to protect government revenue, or for any court proceedings, or
- using it for the other purpose is necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of someone else, or
- the Privacy Commissioner has authorised the information being used for the other purpose.
In summary, information collected for one purpose shouldn’t be used for another purpose, unless one of the exceptions in the Privacy Act applies. For example, if a retail shop runs a competition where customers fill out a form to win a holiday, the shop shouldn’t use the customers’ information for marketing purposes (unless the customers were told of this other purpose when they filled out the form).
Limits on giving out (“disclosing”) your information
Privacy Act 2020, s 22, information privacy principle 11
An organisation that holds information about you can’t give out the information to others unless they believe, on reasonable grounds, that:
- disclosing the information is one of the purposes the information was collected for, or is directly related to the original purpose, or
- the information is already publicly available and it wouldn’t be unfair or unreasonable to give it out, or
- you’ve agreed to the information being given out, or
- disclosing the information is necessary to enforce the law (for example, if the police need the information to investigate an offence), or to protect government revenue, or for any court proceedings, or
- disclosing the information is necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of the public or of some other individual, or
- disclosing the information is necessary to facilitate the sale of a business as a going concern, or
- you won’t be identified if the information is disclosed, or
- the Privacy Commissioner has given permission for the information to be disclosed.
If the information is given out on the basis of the “serious threat” exception, it must be given to someone who’s in a position to do something about the threat. To decide whether the threat is serious, the information-holder will need to consider how likely it is that the threat will be realised, how serious the consequences will be, and when the threat may be realised.
Note: Just because information can be disclosed under the privacy principle above, that doesn’t necessarily mean it must be disclosed.
Limits on giving out (“disclosing”) your information overseas
Privacy Act 2020, s 22, information privacy principle 12
When an organisation stores information overseas, for example by storing it in the cloud, they have to make sure that the information is protected at a standard that’s similar to the standards under the Privacy Act in New Zealand. The organisation does this when:
- they are satisfied that the overseas person or organisation has to protect the information to a standard similar to the Privacy Act, or
- the overseas person or organisation agrees to protect the information to a standard similar to the Privacy Act, or
- they have told you that your information will be held by an overseas person or organisation and that this overseas person or organisation might not protect the information to a standard similar to the Privacy Act, and you have agreed to this possibly lower standard.
Can someone use or disclose my personal information that other people have already published online?
Privacy Act 2020, s 22, information privacy principles 10(1)(d) and 11(1)(d)
When sensitive information has been posted online or made public in some other way, other people who then use or distribute the information could be breaching the privacy rules. Before July 2015, the fact that the information had already been made public gave others the right to use it or pass it on. However, that exemption to the privacy rules has now been tightened, so that it’s also a requirement that the further use or distribution of the information isn’t unfair or unreasonable.
For example:
- If a government agency accidentally publishes its clients’ medical histories on its website, other people could be breaching the privacy rules if they use this information for their own purposes (see: “Limits on use of your information” above).
- If a hacker obtains individuals’ information from a government agency or business and posts this online, a blogger may be breaching the privacy rules if they then provide a link to that information (see: “Limits on giving out (‘disclosing’) your information” above).
Can government bodies share my personal information between each other?
Privacy Act 2020, Part 7, Schedule 2
The Privacy Act allows government agencies to pass on information through two different kinds of arrangements: “information sharing” and “information matching”.
“Information sharing” is where one agency passes on information to another. For example:
- Inland Revenue (IRD) has an information-sharing agreement with the Department of Internal Affairs (DIA). This agreement allows DIA to give IRD passport information, which IRD can use to locate people overseas who owe student loans or child support.
- A range of government agencies (including the Ministry of Social Development (MSD), the Ministry of Education, and the police) have an agreement that allows them to share information about vulnerable children.
- A range of government agencies (including the Accident Compensation Corporation (ACC), MSD, the DIA, the Ministry of Business, Innovation and Employment, and Waka Kotahi) have an agreement to share information for the purpose of preventing, detecting, investigating or prosecuting criminal offences.
“Information matching” is where a set of records from one agency is compared with a set held by another agency, either by computer or manually (when done by computers it’s usually called “data-matching”).
Usually, one of the agencies is looking to see whether anyone comes up in both sets – although sometimes an alert might be triggered by the fact that a person is in one set only.
Information-matching is only allowed if it’s under an official programme authorised both by a specific Act (piece of legislation) and an agreement between the two agencies. For example, MSD (authorised by the Social Security Act 2018) has an agreement with the Ministry of Justice to share personal information (including addresses and phone numbers) if someone on a benefit has an unpaid fine.