The Privacy Act is intended to control how agencies (including employers) collect, use, disclose, store and grant access to personal information.

“Agency” means any person or body of persons, whether corporate or unincorporated, and whether in the public or the private sector; and for the avoidance of doubt, includes a Department of Government.

“Individual” means a natural person other than a deceased natural person.

“Personal Information” means information about an identifiable individual; and includes information contained in any register of deaths.

The Privacy Act establishes the following 12 principles:

1. Personal information shall only be collected where it is lawful and necessary (need to know principle).
2. Personal information shall be collected directly from the individual concerned (collection principle).
3. When collecting the information the agency must make the individual aware of the fact that the information is being collected, the purpose of collection and the rights of access and correction (right to know your rights principle).
4. The information shall not be collected by unlawful means or means that are unfair or intrude unreasonably upon the personal affairs of the individual (means principle).
5. The information must be protected against loss and unauthorised access, use, modification or disclosure (security principle).
6. An individual is entitled to obtain confirmation that an agency holds personal information about that individual and to have access to that information (access principle).
7. An individual is entitled to request correction of the personal information held concerning that individual (correction principle).
8. An agency shall not use personal information without taking reasonable steps to ensure that it is accurate, up-to-date, complete, relevant and not misleading (updating principle).
9. An agency shall not keep information for longer than is required (disposal principle).
10. An agency shall not use information for any purpose other than that for which it was collected (use principle).
11. An agency that holds personal information shall not disclose that information to any other person, body or agency without the individual’s agreement (disclosure principle).
12. An agency shall not allocate a unique identifier unless it is necessary for the agency’s efficient operation (unique identifier principle). An agency cannot use a unique identifier allocated by another agency.

An agency holding personal information must allow the individual access to that information. Information must be made available to the individual in the way he/she prefers (inspection, copy, excerpt, summary etc).

Exceptions include:

• S.27 Security, defence, international relations.
• S.28 Trade secrets.
• S.29 Other reasons:
  • Disclosure of the affairs of another individual
  • Disclosure of evaluative material breaches promise of confidentiality given to a third party (eg. solicitor or consultant)
  • Prejudice to health
  • Contrary to interests of individual under 16
  • Prejudice to safe custody/rehabilitation
  • Breach of legal professional privilege
  • Likely to reveal source of news
  • Contempt
  • Breach of condition of placement
  • Frivolous or vexatious requests
  • Not readily retrievable/does not exist

The Act requires the appointment of at least one Privacy Officer in every “agency”. Duties will include:

Encouraging compliance with the Privacy Principles.
Dealing with requests for information under the Act.
Working with the Privacy Commissioner in relation to investigations.
Promoting the Act.

• To have the protection of the Act’s privacy principles. An employer may collect personal information only for a lawful purpose connected with the employer’s business.
• To have requests from an employer, or prospective employer, for personal information addressed directly to the employee himself/herself unless:
  • The information is publicly available.
  • The employee has authorised collection from someone else.
  • The employee’s interests would not be prejudiced by non-compliance.
  • Non-compliance is necessary for law and order purposes, for the purpose of enforcing a fine, for the protection of public revenue or for the conduct of any court proceedings.
  • Compliance would prejudice the purpose of collection.
  • Compliance is not reasonably practicable in the particular circumstances.
  • The information will not be used in a way which identifies the individual or will be used only for statistical or research purposes.
  • Collection (in limited circumstances) has been authorised by the Privacy Commissioner.
• To be made aware that personal information is being collected, the reason why, who it is for and whether it is required or authorised by law (and the particular law which applies). If the information’s collection is authorised by law, the employee must be told whether it has to be provided or whether its provision is voluntary. An employee must also be told what, if any, consequences there will be if the information is not provided and that he or she has a right to see and correct the information. Collection must not be by unlawful, unfair, or unreasonably intrusive means.
• To receive confirmation (where information can be readily retrieved), that an employer is holding personal information and to have access to it.
• To request the correction of any information held and, if it is not corrected, to have attached to the information a statement of the correction sought (with anyone else affected also informed, if practicable, of any action taken).
• To be given reasonable assistance when seeking access to personal information, including help in complying with the Act’s requirements.
• To have an information request (where the employer does not hold the information sought) transferred within ten working days to someone believed by the person dealing with the request to hold it and be told of the transfer.
• To be told within 20 days of making a request whether the request will be granted, the way in which it will be granted and whether there will be any charge (which may be payable in advance).
• To be allowed, where the information sought is contained in a document, to inspect the document, or be provided with a copy of the document, or be allowed to see any visual material, hear any recorded material or have a written transcript of any codified material or of anything written in shorthand.
• To have information contained in any document provided in the manner requested, unless compliance would impair efficient administration, be contrary to any of the employer’s legal duties in respect to the document, prejudice national security, defence, international relations, or commercial position, disclose trade secrets or have any other adverse effect identified in the Act.
• To be told, if any information is not provided in the way requested, the reason why not and to be given, where these are asked for, the grounds supporting that reason; and also to be told of the right to make a complaint concerning the response received (unless to do so would prejudice interests protected by the Act).
• To be given, where any document provided contains deletions, the reason for withholding this information and, where these are asked for, the grounds supporting that reason; and to be told of the right to make a complaint concerning the response received.
• To be told, where an information privacy request is refused, why it has been refused, and to be told of the right to make a complaint concerning the response received.

• To disclose personal information only where there are reasonable grounds for believing that:
  • The disclosure of the information is one of the purposes for which the information was obtained or is directly related to that purpose.
  • The source of the information is a publication which is publicly available.
  • Disclosure is to the employee concerned or authorised by the employee.
  • Non-compliance is necessary for law and order purposes, or for the enforcement of a law imposing a pecuniary penalty, to protect the public revenue or for the conduct of proceedings before any court or tribunal.
  • Disclosure is necessary to prevent a serious or imminent threat to public health and safety or the life or health of the employee or some other individual.
  • Disclosure is necessary to facilitate the sale or other disposition of a business, as a going concern.
  • The information is to be used in a way which does not identify the individual, including for statistical and research purposes.
  • Disclosure has been authorised by the Privacy Commissioner.

• To ensure any personal information held is reasonably protected against loss, unauthorised access, and, except with the employer’s authority, against use, modification, or disclosure, and against any other misuse. If the information must be given to someone who is providing a service to the employer, the employer must do everything reasonably possible to prevent unauthorised use or disclosure.
• To use personal information only if steps have been taken to ensure that, having regard to the intended use, the information is up to date, complete, relevant and not misleading.
• To inform an employee (if this is reasonably practicable) both when, at the employee’s request or on the employer’s own initiative, personal information has been corrected and when the employer is not willing to correct personal information and a statement provided by the employee has been attached. Whenever a request for a correction is received, the employer must tell the employee what action has been taken as a result.
• To keep personal information only as long as it is needed for those purposes for which it may lawfully be used.
• To use personal information only for the purpose for which it was obtained unless there are reasonable grounds for believing that:
  • The information-source is a publicly available publication.
  • The use of information about an employee for another purpose other than that authorised by the employee.
  • Non-compliance is necessary for law and order purposes, for the enforcement of a law imposing a pecuniary penalty, to protect the public revenue, or for the conduct of any court or tribunal proceedings.
• To release personal information where required to do so by the provisions of an Act of Parliament.
• To allow access to easily retrievable information only if satisfied about the identity of the person making the request, making sure that the information in question goes only to the employee for whom it is intended or to that employee’s agent.
• To ensure that any agent appointed by an employee has been properly authorised to obtain the information, preferably by means of a written authority.
• To tell the employee, where an information privacy request is refused, the reason for refusal, unless to do so would be likely to prejudice national security, commercial position etc. In this case a written reply neither confirming nor denying the existence of the information requested may be provided.