Restrictions on people using and giving out your information
Information must be checked before it’s used
A government agency, business or other organisation that holds information about you must not use the information or disclose it to others without taking reasonable steps to make sure the information is accurate, up-to-date, complete, relevant and not misleading.
Information can’t be kept for longer than necessary
An organisation that holds information about you must not keep it for longer than is necessary for the purposes for which it was collected. For example, an organisation that vets employees for jobs can’t keep information about those employees indefinitely, though it may be appropriate to keep the files for a short time to protect itself against legal action.
This principle encourages organisations to think about how long they need to keep information. They’ll also need to take into account any specific laws that require information to be kept for certain minimum periods of time, such as tax information and health information.
Limits on use of your information
If information about you has been collected for one purpose it can’t later be used for a different purpose, unless the organisation or person using it believes on reasonable grounds that:
- the other purpose is directly related to the purpose for which the information was originally collected, or
- you won’t be identified, or
- you’ve agreed to the information being used for the other purpose, or
- the information is publicly available and it wouldn’t be unfair or unreasonable to use it for the other purpose, or
- using it for the other purpose is necessary to enforce the law, or to protect government revenue, or for any court proceedings, or
- using it for the other purpose is necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of someone else, or
- the Privacy Commissioner has authorised the information being used for another purpose.
In summary, information obtained for one purpose shouldn’t be used for another purpose, unless one of the exceptions applies. For example, if a retail shop runs a competition and customers fill out a form to win a holiday, the shop shouldn’t use the customer’s information for marketing purposes as well as for the competition, unless customers were told this would be done when they filled out the form.
Limits on giving out (“disclosing”) your information
An organisation that holds information about you mustn’t give out the information to others unless they believe, on reasonable grounds, that:
- disclosing it is one of the purposes the information was collected for, or is directly related to the original purpose, or
- the information is already publicly available and it wouldn’t be unfair or unreasonable to give it out, or
- you’ve agreed to the information being given out, or
- disclosing the information is necessary to enforce the law (for example, if the police need the information to investigate an offence), or to protect government revenue, or for any court proceedings, or
- disclosing it is necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of the public or of some other individual, or
- disclosing the information is necessary to facilitate the sale of a business as a going concern, or
- you won’t be identified if it’s disclosed, or
- the Privacy Commissioner has given permission for the information to be disclosed.
If the information is given out on the basis of the “serious threat” exception above, it must be given to someone who’s in a position to do something about the threat. To decide whether the threat is serious, the information-holder will need to consider how likely it is that the threat will be realised, how serious the consequences will be, and when the threat may be realised.
Note: Just because information can be disclosed under the privacy principle above, that doesn’t mean it must be disclosed (unless the law requires it to be disclosed).
Limits on giving out (“disclosing”) your information overseas
When an organisation stores information overseas, such as by using cloud storage, they have to make sure that the information is protected by standards similar to those under the Privacy Act in New Zealand. The organisation does this when:
- they are satisfied that the overseas person or organisation has to protect the information with similar standards as those in the Privacy Act, or
- the overseas person or organisation agrees to protect the information with similar standards as those in the Privacy Act, or
- they have told you that your information will be held by an overseas person or organisation that may not have to protect the information with similar standards, and you agree to that.
Using or distributing information that’s been published online
When sensitive information has been posted online or made public in some other way, other people who then use or distribute the information could be breaching the privacy rules. Until July 2015, the fact that the information had already been made public gave others the right to use it or pass it on. Now, however, that exemption to the privacy rules has been tightened, so that it’s also a requirement that the further use or distribution of the information isn’t unfair or unreasonable.
This means, for example, that if a government agency accidentally publishes sensitive information about its clients on its website, such as their medical history, other people could be breaching the privacy rules if they use this information for their own purposes (see above, “Limits on use of your information”). Also, if a hacker obtains individuals’ information from a government agency or business and posts this online, a blogger may be breaching the privacy rules if they then provide a link to that information (see above, “Limits on giving out (‘disclosing’) your information”).
Information-sharing and information-matching between government bodies
The Privacy Act allows government agencies to pass on information to each other in certain situations. This happens through two different kinds of arrangements: “information sharing” and “information matching”.
What is “information-sharing” between government bodies?
“Information sharing” is where one agency passes on information to another. For example, Inland Revenue (IRD) has an information-sharing agreement with the Department of Internal Affairs, under which Internal Affairs provides IRD with passport information so that IRD can locate overseas-based student loan borrowers and parents living overseas who owe child support. A number of government agencies, including the Ministry of Social Development, the Ministry of Education and the police, are party to another agreement that allows them to share information about “vulnerable children”.
An information-sharing agreement in force from 25 July 2020 allows nine government departments, including ACC, MSD, the Department of Internal Affairs, MBIE and NZTA, to share information. One of the purposes of this agreement is the prevention, detection, investigation and prosecution of offences.
What is information-matching between government bodies?
“Information matching” is where a set of records from one agency is compared with a set held by another agency, either by computer or manually (when done by computers it’s usually called “data-matching”). Usually one of the agencies is looking to see whether anyone comes up in both sets – although sometimes an alert might be triggered by the fact that a person is in one set only.
Information-matching between government agencies can happen only if it’s under an official programme authorised by both a specific Act and an agreement between the two agencies. For example, the Social Security Act and a specific agreement allow the Ministry of Social Development (Work and Income’s parent body) to pass on beneficiaries’ addresses and phone numbers to the Ministry of Justice if they have unpaid fines.