COVID-19 response

If you are looking for the latest legal information relating current Coronavirus laws in New Zealand, check out our new section: Coronavirus and the Law.

Communtity Law Manual | Privacy & information | Rules for when people collect information about you

Rules for when people collect information about you

Overview

Purpose of collecting the information

Privacy Act 1993, s 6, principle 1; Privacy Act 2020 s 22, principle 1

A government agency, business or other organisation can collect information about you only if:

  • they’re doing this for a lawful purpose that’s connected with their functions or activities, and
  • collecting the information is necessary for that purpose.

This means that if an organisation doesn’t need the information to perform its functions, it shouldn’t be collecting it. For example, if a school enrolment form asks parents to state their occupation, the school must be able to show that it needs this information to carry out its lawful purpose.

Who the information must be collected from

Privacy Act 1993, s 6, principle 2; Privacy Act 2020 s 22, principle 2

When an organisation collects information about you, they must collect it directly from you, rather than from someone else, unless they believe on reasonable grounds that:

  • the information is already publicly available, or
  • you’ve given them permission to collect the information from someone else, or
  • collecting it from someone else wouldn’t harm your interests, or
  • collecting it from someone else is necessary to enforce the law, or to protect government revenue, or for any court proceedings, or
  • collecting it from you directly would undermine the purposes of collecting the information, or
  • it’s not reasonably practicable to collect it directly from you in this particular case, or
  • the information won’t be used in a way that identifies you, or
  • the Privacy Commissioner has given permission to collect the information from other people because there are special circumstances.

    Note: The Privacy Commissioner can authorise an organisation to depart from the rules in the Privacy Act for collecting, using or disclosing information if this would be in the public interest or if there would be a clear benefit to the individuals involved.

    Privacy Act 1993, s 54; Privacy Act 2020 s 30

As a general rule, the information should be collected from the person concerned because they’re usually in the best position to give accurate information. For example, if you’re applying for a job and the employer wants to get references about you, the employer needs to get you to nominate referees and get your permission to talk to them.

If the referee wants their comments about you to be kept between the employer and the referee, and not available to you, then the referee and employer can agree to classify it as “evaluative” material, which will mean that they will both be able to refuse to give you the contents of the reference.

Things you must be told when your information is being collected

Privacy Act 1993, s 6, Principle 3; Privacy Act 2020 s 22, Principle 3

In general, organisations should only collect information with the knowledge of the person the information relates to. The Privacy Act requires that when an organisation collects your information directly from you, it must take reasonable steps to make you aware of:

  • the fact that the information is being collected
  • why it’s being collected
  • who will be given the information
  • the organisation’s name and address, and the name and address of any other organisation that will be holding the information
  • any particular law that governs the collection of the information, and whether that law requires you to provide the information
  • any consequences for you if you don’t provide the information
  • your right to have access to the information after it’s been collected, and to ask for it to be corrected if it’s wrong (see in this chapter, “How you can access your information, and correct it if necessary”).

    Note: These things should be explained to you before the information is collected or as soon as practicable after the information is collected. However, an agency is not required to explain these things if it has already done so in relation to the collection of similar information, from the same individual, on a recent occasion.

The organisation collecting the information from you doesn’t have to comply with those requirements if it believes, on reasonable grounds, that:

  • you’ve agreed that it doesn’t have to do this
  • your interests wouldn’t be affected
  • not complying with those requirements is necessary to enforce the law, or to protect government revenue, or for any court proceedings, or
  • complying would undermine the purpose of collecting the information, or
  • it’s not reasonably practicable to comply in this particular case, or
  • the information won’t be used in a way that identifies you.

Methods of collecting information

Privacy Act 1993, s 6, principle 4; Privacy Act 2020 s 22, principle 4

Your information mustn’t be collected by methods that:

  • are illegal, or
  • are unfair, or intrude unreasonably on your personal affairs.

For example, a private investigator who lied about their identity and intention in order to find out information for an insurance company would be using an unfair means of collecting information.

Note: In 2019, the Office of the Privacy Commissioner (OPC) produced a new set of guidelines about what information should and should not be collected by landlords when deciding whether someone will make a suitable tenant. You can read the guidelines here: www.privacy.org.nz/news-and-publications/guidance-resources/privacy-act-guidance-for-landlords-and-tenants/

back to top
Page Reader Press Enter to Read Page Content Out LoudPress Enter to Pause or Restart Reading Page Content Out LoudPress Enter to Stop Reading Page Content Out LoudScreen Reader Support