Home | Browse Topics | Individual rights & freedoms | Privacy and information | Rules for when people collect information about you

Individual rights & freedoms

Rules for when people collect information about you


Purpose of collecting the information

Privacy Act 2020, s 22, principle 1

A government agency, business or other organisation can collect information about you only if:

  • they’re doing this for a lawful purpose that’s connected with their functions or activities, and
  • collecting the information is necessary for that purpose.

This means that if an organisation does not need your personal information to achieve something closely linked to their activities, it should not ask for it. For example, if a school enrolment form asks parents to state their occupation, the school must be able to show that it needs this information to carry out its lawful purpose.

Who the information must be collected from

Privacy Act 2020, s 22, principle 2

When an organisation collects information about you, they must collect it directly from you, rather than from someone else, unless they believe on reasonable grounds that:

  • collecting it from someone else wouldn’t harm your interests, or
  • collecting it from you directly would undermine the purposes of collecting the information, or
  • you’ve given them permission to collect the information from someone else, or
  • the information is already publicly available, or
  • collecting it from someone else is necessary to enforce the law, or to protect government revenue, or for any court proceedings, or
  • collecting it from someone else is necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of someone else, or it’s not reasonably practicable to collect it directly from you in this particular case, or
  • the information won’t be used in a way that identifies you.

    Note: The Privacy Commissioner can authorise an organisation to depart from the rules in the Privacy Act for collecting, using or disclosing information if this would be in the public interest or if there would be a clear benefit to the individuals involved.

Privacy Act 2020, s 30

As a general rule, if the information is about you, it should be collected from you. This is because you’re usually in the best position to give accurate information. For example, if you’re applying for a job and the employer wants to get references about you, the employer needs to get you to nominate referees and get your permission to talk to them.

If the referee wants their comments about you to be kept between the employer and the referee, and not available to you, then the referee and employer can agree to consider it as “evaluative” material, which will mean that they will both be able to refuse to give you the contents of the reference.

Things you must be told when your information is being collected

Privacy Act 2020, s 22, Principle 3

In general, organisations should tell you if they are collecting information that relates to you. The Privacy Act requires that when an organisation collects your information directly from you, it must take reasonable steps to make you aware of:

  • the fact that the information is being collected
  • why it’s being collected
  • who will be given the information
  • the organisation’s name and address, and the name and address of any other organisation that will be holding the information
  • any particular law that governs the collection of the information, and whether that law requires you to provide the information
  • any consequences for you if you don’t provide the information
  • your right to have access to the information after it’s been collected, and to ask for it to be corrected if it’s wrong (see in this chapter, “How you can access your information, and correct it if necessary).

    Note: These things should be explained to you before the information is collected or as soon as practicable after the information is collected. However, an agency is not required to explain these things if it has already done so in relation to the collection of similar information, from the same individual, on a recent occasion.

The organisation collecting the information from you doesn’t have to comply with those requirements if it believes, on reasonable grounds, that:

  • your interests wouldn’t be affected
  • not complying with those requirements is necessary to enforce the law, or to protect government revenue, or for any court proceedings, or
  • complying would undermine the purpose of collecting the information, or
  • it’s not reasonably practicable to comply in this particular case, or
  • the information won’t be used in a way that identifies you.

Methods of collecting information

Privacy Act 2020, s 22, principle 4

Your information must be collected by methods that:

  • are legal, and
  • is fair, and does not intrude unreasonably on your personal affairs.

For example, a private investigator who lied about their identity and intention in order to find out information for an insurance company would be using an unfair means of collecting information.

Note: In 2019, the Office of the Privacy Commissioner (OPC) produced a new set of guidelines about what information should and should not be collected by landlords when deciding whether someone will make a suitable tenant. You can read the guidelines at www.privacy.org.nz and search “Guidance for landlords and tenants”.

Did this answer your question?

Privacy and information

Where to go for more support

Community Law


Your local Community Law Centre can provide initial free legal advice and information.

Office of the Privacy Commissioner

Website: www.privacy.org.nz
Phone: (04) 474 7590 or freephone 0800 803 909
Email: enquiries@privacy.org.nz

For complaints, You can submit a complaint online using the online self-assessment form, ring the 0800 number above or send an email.

Mental health and addiction pamphlet


“What happens to your mental health and addiction information” – available from the Ministry of Health website.

This pamphlet gives you details of how and why consumer information is collected by PRIMHD (Programme for the Integration of Mental Health Data). It also looks at who uses the information, and the privacy rights of consumers under the Health Information Privacy Act 1993.

Also available as a book

The Community Law Manual

The Manual contains over 1000 pages of easy-to-read legal info and comprehensive answers to common legal questions. From ACC to family law, health & disability, jobs, benefits & flats, Tāonga Māori, immigration and refugee law and much more, the Manual covers just about every area of community and personal life.

Buy The Community Law Manual

Help the manual

We’re a small team that relies on the generosity of all our supporters. You can make a one-off donation or become a supporter by sponsoring the Manual for a community organisation near you. Every contribution helps us to continue updating and improving our legal information, year after year.

Donate Become a Supporter

Find the Answer to your Legal Question

back to top