Rules for when people collect information about you
Overview
Purpose of collecting the information
Privacy Act 2020, s 22, principle 1
A government agency, business or other organisation can collect information about you only if:
- they’re doing this for a lawful purpose that’s connected with their functions or activities, and
- collecting the information is necessary for that purpose.
This means that if an organisation does not need your personal information to achieve something closely linked to their activities, it should not ask for it. For example, if a school enrolment form asks parents to state their occupation, the school must be able to show that it needs this information to carry out its lawful purpose.
Who the information must be collected from
Privacy Act 2020, s 22, principle 2
When an organisation collects information about you, they must collect it directly from you, rather than from someone else, unless they believe on reasonable grounds that:
- collecting it from someone else wouldn’t harm your interests, or
- collecting it from you directly would undermine the purposes of collecting the information, or
- you’ve given them permission to collect the information from someone else, or
- the information is already publicly available, or
- collecting it from someone else is necessary to enforce the law, or to protect government revenue, or for any court proceedings, or
- collecting it from someone else is necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of someone else, or
- it’s not reasonably practicable to collect it directly from you in this particular case, or
- the information won’t be used in a way that identifies you.
Note: The Privacy Commissioner can authorise an organisation to depart from the rules in the Privacy Act for collecting, using or disclosing information if this would be in the public interest or if there would be a clear benefit to the individuals involved.
As a general rule, if the information is about you, it should be collected from you. This is because you’re usually in the best position to give accurate information. For example, if you’re applying for a job and the employer wants to get references about you, the employer needs to get you to nominate referees and get your permission to talk to them.
If the referee wants their comments about you to be kept between the employer and the referee, and not available to you, then the referee and employer can agree to consider it as “evaluative” material, which will mean that they will both be able to refuse to give you the contents of the reference.
Things you must be told when your information is being collected
Privacy Act 2020, s 22, principle 3
In general, organisations should tell you if they are collecting information that relates to you. The Privacy Act requires that when an organisation collects your information directly from you, it must take reasonable steps to make you aware of:
- the fact that the information is being collected
- why it’s being collected
- who will be given the information
- the organisation’s name and address, and the name and address of any other organisation that will be holding the information
- any particular law that governs the collection of the information, and whether that law requires you to provide the information
- any consequences for you if you don’t provide the information
- your right to have access to the information after it’s been collected, and to ask for it to be corrected if it’s wrong (see in this chapter, “How you can access your information, and correct it if necessary”).
Note: These things should be explained to you before the information is collected or as soon as practicable after the information is collected. However, an agency is not required to explain these things if it has already done so in relation to the collection of similar information, from the same individual, on a recent occasion.
The organisation collecting the information from you doesn’t have to comply with those requirements if it believes, on reasonable grounds, that:
- your interests wouldn’t be affected, or
- not complying with those requirements is necessary to enforce the law, or to protect government revenue, or for any court proceedings, or
- complying would undermine the purpose of collecting the information, or
- it’s not reasonably practicable to comply in this particular case, or
- the information won’t be used in a way that identifies you.
Methods of collecting information
Privacy Act 2020, s 22, principle 4
Your information must be collected by methods that:
- are legal, and
- are fair, and do not intrude unreasonably on your personal affairs.
For example, a private investigator who lied about their identity and intention in order to find out information for an insurance company would be using an unfair means of collecting information.
Note: In 2019, the Office of the Privacy Commissioner (OPC) produced a new set of guidelines about what information should and should not be collected by landlords when deciding whether someone will make a suitable tenant. To read the guidelines, go to www.privacy.org.nz and search “Guidance for landlords and tenants”.