Restrictions on people using and giving out your information
Information must be checked before it’s used
A government agency, business or other organisation that holds information about you must not use or disclose the information without taking reasonable steps to make sure the information is accurate, up-to-date, complete, relevant and not misleading.
How long can organisations keep my information?
An organisation that holds information about you must not keep it for longer than is necessary for the purposes for which it was collected. For example, organisations that vet employees for jobs can’t keep information about those employees indefinitely, even though it may be appropriate for them to keep that information for a short time to protect themselves against legal action.
This principle encourages organisations to think about how long they need to keep information. They also need to take into account any specific laws that require information to be kept for certain minimum periods of time, such as tax information and health information.
Limits on use of your information
Personal information that has been collected for one purpose can’t later be used for another purpose unless the organisation or person using it believes on reasonable grounds that:
- the other purpose is directly related to the purpose for which the information was originally collected, or
- you won’t be identified, or
- you’ve agreed to the information being used for the other purpose, or
- the information is publicly available and it wouldn’t be unfair or unreasonable to use it for the other purpose, or
- using it for the other purpose is necessary to enforce the law, or to protect government revenue, or for any court proceedings, or
- using it for the other purpose is necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of someone else, or
- the Privacy Commissioner has authorised the information being used for the other purpose.
In summary, information collected for one purpose shouldn’t be used for another purpose, unless one of the exceptions applies. For example, if a retail shop runs a competition where customers fill out a form to win a holiday, the shop shouldn’t use the customers’ information for marketing purposes (unless the customers were told of this other purpose when they filled out the form).
Limits on giving out (“disclosing”) your information
An organisation that holds information about you can’t give out the information to others unless they believe, on reasonable grounds, that:
- disclosing the information is one of the purposes the information was collected for, or is directly related to the original purpose, or
- the information is already publicly available and it wouldn’t be unfair or unreasonable to give it out, or
- you’ve agreed to the information being given out, or
- disclosing the information is necessary to enforce the law (for example, if the police need the information to investigate an offence), or to protect government revenue, or for any court proceedings, or
- disclosing the information is necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of the public or of some other individual, or
- disclosing the information is necessary to facilitate the sale of a business as a going concern, or
- you won’t be identified if the information is disclosed, or
- the Privacy Commissioner has given permission for the information to be disclosed.
If the information is given out on the basis of the “serious threat” exception, it must be given to someone who’s in a position to do something about the threat. To decide whether the threat is serious, the information-holder will need to consider how likely it is that the threat will be realised, how serious the consequences will be, and when the threat may be realised.
Note: Just because information can be disclosed under the privacy principle above, that doesn’t necessarily mean it must be disclosed.
Limits on giving out (“disclosing”) your information overseas
When an organisation stores information overseas, for example by storing it in the cloud, it has to make sure that the information is protected at a standard similar to the standards under the Privacy Act in New Zealand. The organisation does this when:
- they are satisfied that the overseas person or organisation has to protect the information at a standard similar to the Privacy Act, or
- the overseas person or organisation agrees to protect the information at a standard similar to the Privacy Act, or
- they have told you that your information will be held by an overseas person or organisation and that this overseas person or organisation might not protect the information at a standard similar to the Privacy Act, and you have agreed to this possibly lower standard.
Can someone use or disclose my personal information that other people have already published online?
When sensitive information has been posted online or made public in some other way, other people who then use or distribute the information could be breaching the privacy rules. Before July 2015, the fact that the information had already been made public gave others the right to use it or pass it on. However, that exemption to the privacy rules has now been tightened, so that it’s also a requirement that the further use or distribution of the information isn’t unfair or unreasonable.
- If a government agency accidentally publishes its clients’ medical histories on its website, other people could be breaching the privacy rules if they use this information for their own purposes (see: “Limits on use of your information” above).
- If a hacker obtains individuals’ information from a government agency or business and posts this online, a blogger may be breaching the privacy rules if they then provide a link to that information (see: “Limits on giving out (‘disclosing’) your information” above).
Can government bodies share my personal information between each other?
The Privacy Act allows government agencies to pass on information through two different kinds of arrangements: “information sharing” and “information matching”.
“Information sharing” is where one agency passes on information to another. For example:
- Inland Revenue (IRD) has an information-sharing agreement with the Department of Internal Affairs (DIA). This agreement allows DIA to give IRD passport information, for IRD to use to locate people overseas who owe student loans or child support.
- A range of government agencies (including the Ministry of Social Development, the Ministry of Education, and the police) have an agreement that allows them to share information about vulnerable children.
- A range of government agencies (including ACC, MSD, the DIA, the Ministry of Business, Innovation and Economics, and Waka Kotahi/NZ Transport Agency) have an agreement to share information for the purpose of preventing, detecting, investigating or prosecuting criminal offences.
“Information matching” is where a set of records from one agency is compared with a set held by another agency, either by computer or manually (when done by computers it’s usually called “data-matching”).
Usually, one of the agencies is looking to see whether anyone comes up in both sets – although sometimes an alert might be triggered by the fact that a person is in one set only.
Information matching is only allowed if it’s under an official programme authorised both by a specific Act and by an agreement between the two agencies. For example, the Ministry of Social Development (authorised by the Social Security Act) has an agreement with the Ministry of Justice to share personal information (including addresses and phone numbers) if someone on a benefit has an unpaid fine.