Privacy Act 2020

Privacy Act 2020
Public Act 2020 No 31
Date of assent 30 June 2020
Commencement see section 2
Contents
Page
1 Title 9
2 Commencement 9
Part 1
Preliminary provisions
Subpart 1—Preliminary matters
3 Purpose of this Act 9
4 Application of this Act 10
5 Transitional, savings, and related provisions 11
6 Act binds the Crown 11
Subpart 2—Interpretation and related matters
7 Interpretation 11
8 Meaning of New Zealand agency 16
9 Meaning of overseas agency 16
10 Personal information held by agency if held by officer, employee,
or member of agency
17
11 Personal information treated as being held by another agency in
certain circumstances
17
12 Actions of, and disclosure of information to, staff of agency, etc 18
Part 2
Privacy Commissioner
Subpart 1—Appointment of Privacy Commissioner
13 Privacy Commissioner 18
14 Deputy Privacy Commissioner 18
1
15 Holding of other offices 19
16 Superannuation or retiring allowances 19
Subpart 2—Functions of Privacy Commissioner
17 Functions of Commissioner 20
18 Other functions of Commissioner 21
19 Responsible Minister must present copy of report on operation of
Act to House of Representatives
22
20 Duty to act independently 22
21 Commissioner to have regard to certain matters 22
Part 3
Information privacy principles and codes of practice
Subpart 1—Information privacy principles
22 Information privacy principles 23
23 Application of IPPs in relation to information held overseas 31
24 Relationships between IPPs and other New Zealand law 31
25 IPPs 1 to 4 do not apply to personal information collected before
1 July 1993
32
26 Restricted application of IPP 13 to unique identifiers assigned
before 1 July 1993
32
27 Restricted application of IPPs to personal information collected or
held for personal or domestic affairs
32
28 IPPs 2, 3, and 4(b) do not apply to personal information collected
by intelligence and security agencies
32
29 IPPs 6 and 7 do not apply to certain information 33
30 Commissioner may authorise collection, use, storage, or disclosure
of personal information otherwise in breach of IPP 2 or IPPs 9 to
12
33
31 Enforceability of IPPs 35
Subpart 2—Codes of practice
32 Codes of practice in relation to IPPs 35
33 Issue of code of practice 36
34 Urgent issue of code of practice 37
35 Notification, availability, and commencement of codes of practice 37
36 Application of Legislation Act 2012 to codes of practice 38
37 Amendment and revocation of codes of practice 38
38 Effect of codes of practice 38
Part 4
Access to and correction of personal information
Subpart 1—Access to personal information
39 Interpretation 38
40 Individuals may make IPP 6 request 38
41 Urgency 38
Privacy Act 2020 2020 No 31
2
42 Assistance 39
43 Transfer of IPP 6 request 39
44 Responding to IPP 6 request 39
45 Decision to grant access to personal information 40
46 Decision to refuse access to personal information 40
47 Decision to neither confirm nor deny personal information is held 41
48 Extension of time limits 41
49 Protection, etc, of individual as reason for refusing access to
personal information
42
50 Evaluative material as reason for refusing access to personal
information
43
51 Security, defence, international relations as reason for refusing
access to personal information
44
52 Trade secret as reason for refusing access to personal information 44
53 Other reasons for refusing access to personal information 45
54 Agency may impose conditions instead of refusing access to
personal information
45
55 Withholding personal information contained in document 46
56 Ways personal information in document may be made available 46
57 Responsibilities of agency before giving access to personal
information
47
Subpart 2—Correction of personal information
58 Interpretation 48
59 Individuals may make correction requests 48
60 Urgency 48
61 Assistance 48
62 Transfer of correction request 48
63 Decision on request to correct personal information 49
64 Decision on request to attach statement of correction 49
65 Extension of time limits 50
Subpart 3—Charges
66 Charges 50
67 Commissioner may authorise public sector agency to impose
charge
51
Part 5
Complaints, investigations, and proceedings
68 Interpretation 52
69 Interference with privacy of individual 52
Subpart 1—Complaints
70 Complaints 54
71 Who may make complaint 54
72 Form of complaint 54
2020 No 31 Privacy Act 2020
3
73 Procedure on receipt of complaint 54
74 Commissioner may decide not to investigate complaint 55
75 Referral of complaint to another person 55
76 Referral of complaint to overseas privacy enforcement authority 56
77 Exploring possibility of settlement and assurance without
investigating complaint
56
78 Referral of complaint to Director without conducting investigation 57
Subpart 2—Investigations by Commissioner
79 Application of this subpart 57
80 Commencing investigation 57
81 Conducting investigation 57
82 Commissioner may regulate own procedure 58
83 Exploring possibility of settlement and assurance during
investigation
58
84 Referral of complaint to Director without completing investigation 58
85 Compulsory conferences of parties to complaint 59
86 Power to summon persons 59
87 Power to require information and documents 60
88 Disclosure of information may be required despite obligation of
secrecy
61
89 Protection and privileges of persons required to provide
information, etc
61
90 Disclosed information privileged 63
91 Procedure after completion of investigation relating to access to
personal information
63
92 Access direction 64
93 Procedure after completion of investigation relating to charging 65
94 Procedure after completion of other investigations 65
95 Special procedure relating to intelligence and security agency 66
96 Commissioner to report breach of duty or misconduct 67
Subpart 3—Proceedings before Human Rights Review Tribunal
Proceedings in relation to complaints or investigations
97 Director may commence proceedings in Tribunal 67
98 Aggrieved individuals may commence proceedings in Tribunal 68
99 Right of Director to appear in proceedings commenced under
section 98
69
100 Apology not admissible except for assessment of remedies 70
101 Onus of proof 70
102 Remedies in respect of interference with privacy 70
103 Damages 71
Access order
104 Enforcement of access direction 72
Privacy Act 2020 2020 No 31
4
Appeal against access direction
105 Appeal to Tribunal against access direction 73
106 Time for lodging appeal 73
107 Interim order suspending Commissioner’s direction pending appeal 73
108 Determination of appeal 73
Miscellaneous
109 Proceedings involving access to personal information 74
110 Costs 74
111 Certain provisions of Human Rights Act 1993 to apply 74
Part 6
Notifiable privacy breaches and compliance notices
Subpart 1—Notifiable privacy breaches
112 Interpretation 75
113 Assessment of likelihood of serious harm being caused by privacy
breach
76
114 Agency to notify Commissioner of notifiable privacy breach 76
115 Agency to notify affected individual or give public notice of
notifiable privacy breach
76
116 Exceptions to or delay in complying with requirement to notify
affected individuals or give public notice of notifiable privacy
breach
77
117 Requirements for notification 78
118 Offence to fail to notify Commissioner 79
119 Section 211 does not apply to processes and proceedings relating
to failure to notify notifiable privacy breach
80
120 Liability for actions of employees, agents, and members of
agencies
80
121 Knowledge of employees, agents, and members of agencies to be
treated as knowledge of employers, principal agencies, and
agencies
80
122 Publication of identity of agencies in certain circumstances 81
Subpart 2—Compliance notices
123 Compliance notices 81
124 Issuing compliance notice 81
125 Form of compliance notice 82
126 Agency response to compliance notice 83
127 Commissioner may vary or cancel compliance notice 83
128 Commissioner’s power to obtain information 83
129 Publication of details of compliance notice 84
Proceedings
130 Enforcement of compliance notice 84
2020 No 31 Privacy Act 2020
5
131 Appeal against compliance notice or Commissioner’s decision to
vary or cancel notice
85
132 Interim order suspending compliance notice pending appeal 85
133 Remedies, costs, and enforcement 85
134 Application of Human Rights Act 1993 86
135 Commissioner may be represented in proceedings 86
Part 7
Sharing, accessing, and matching personal information
Subpart 1—Information sharing
136 Purpose of this subpart 87
137 Relationship between subpart 1 and other law relating to
information disclosure
87
138 Interpretation 88
139 Information sharing between agencies 90
140 Information sharing within agencies 90
141 Parties to information sharing agreement 90
142 Agreement may apply to classes of agencies 91
143 Lead agency 92
144 Form and content of information sharing agreement 92
145 Governor-General may approve information sharing agreement by
Order in Council
93
146 Requirements for Order in Council 93
147 Further provisions about Order in Council 94
148 Status of Order in Council 95
149 Matters to which relevant Minister must have regard before
recommending Order in Council
95
150 Consultation on proposed information sharing agreement 95
151 Commissioner may prepare and publish report on approved
information sharing agreement
96
152 Requirement to give notice of adverse action 96
153 When requirement to give notice of adverse action applies 97
154 Responsibilities of lead agency 97
155 Report of lead agency 98
156 Commissioner may specify frequency of reporting by lead agency 98
157 Amendment of approved information sharing agreement 99
158 Review of operation of approved information sharing agreement 99
159 Report on findings of review 100
160 Relevant Minister must present copy of report under section 159(1)
and report setting out Government’s response to House of
Representatives
100
161 Power to amend Schedule 2 by Order in Council 101
Subpart 2—Identity information
162 Purpose of this subpart 101
Privacy Act 2020 2020 No 31
6
163 Relationship between this subpart and other law relating to
information disclosure
101
164 Interpretation 102
165 Access by agencies to identity information 102
166 Manner and form of access 102
167 Annual reporting requirement 103
168 Power to amend Schedule 3 by Order in Council 103
Subpart 3—Law enforcement information
169 Purpose of this subpart 103
170 Relationship between this subpart and other law relating to
information disclosure
103
171 Interpretation 104
172 Access by accessing agencies to law enforcement information 104
173 Power to amend Schedule 4 by Order in Council 104
Subpart 4—Authorised information matching programmes
174 Purpose of this subpart 105
175 Application of this subpart 105
176 Relationship between this subpart and other law relating to
information disclosure
105
177 Interpretation 105
178 Information matching agreements 106
179 Use of results of authorised information matching programme 106
180 Extension of time limit 107
181 Notice of adverse action proposed 107
182 Reporting requirements 109
183 Reports on authorised information matching programmes 110
184 Reports on information matching provisions 110
185 Responsible Minister must present copy of report under section
184 and report setting out Government’s response to House of
Representatives
111
186 Avoidance of controls on information matching through use of
exceptions to information privacy principles
111
187 Avoidance of controls on information matching through use of
official information statutes
111
188 Power to amend Schedule 5 by Order in Council 112
189 Power to amend Schedule 6 by Order in Council 112
190 Amendments to other enactments related to this subpart 112
191 Repeal of section 190 and Schedule 7 112
Part 8
Prohibiting onward transfer of personal information received
in New Zealand from overseas
192 Interpretation 112
2020 No 31 Privacy Act 2020
7
193 Prohibition on transfer of personal information outside New
Zealand
113
194 Commissioner’s power to obtain information 113
195 Transfer prohibition notice 114
196 Commissioner may vary or cancel transfer prohibition notice 114
197 Offence in relation to transfer prohibition notice 115
198 Appeals against transfer prohibition notice 115
199 Application of Human Rights Act 1993 116
200 Power to amend Schedule 8 by Order in Council 116
Part 9
Miscellaneous provisions
General
201 Privacy officers 117
202 Commissioner may require agency to supply information 117
203 Inquiries 117
204 Powers relating to declaratory judgments 117
205 Protection against certain actions 118
206 Commissioner and staff to maintain secrecy 118
207 Commissioner may share information with overseas privacy
enforcement authority
119
208 Consultation 119
209 Exclusion of public interest immunity 120
210 Adverse comment 120
Liability and offences
211 Liability of employers, principals, and agencies 120
212 Offences 121
Regulations
213 Regulations: prescribed binding schemes 121
214 Regulations: prescribed countries 122
215 Other regulations 122
Repeal, revocation, and consequential amendments
216 Repeal and revocation 123
217 Consequential amendments 123
218 Repeal of section 217 and Schedule 9 123
Schedule 1
Transitional, savings, and related provisions
124
Schedule 2
Approved information sharing agreements
128
Schedule 3
Identity information
137
Privacy Act 2020 2020 No 31
8
Schedule 4
Law enforcement information
140
Schedule 5
Information matching provisions
149
Schedule 6
Information matching rules
150
Schedule 7
Amendments to other enactments related to subpart 4 of Part 7
153
Schedule 8
Basic principles of national application set out in Part Two of
OECD Guidelines
163
Schedule 9
Consequential amendments
165
The Parliament of New Zealand enacts as follows:
1 Title
This Act is the Privacy Act 2020.
2 Commencement
(1) The following provisions come into force on the day after the date on which
this Act receives the Royal assent:
(a) subpart 2 of Part 3; and
(b) sections 213 to 215.
(2) The rest of this Act comes into force on 1 December 2020.
Part 1
Preliminary provisions
Subpart 1—Preliminary matters
3 Purpose of this Act
The purpose of this Act is to promote and protect individual privacy by—
(a) providing a framework for protecting an individual’s right to privacy of
personal information, including the right of an individual to access their
personal information, while recognising that other rights and interests
may at times also need to be taken into account; and
(b) giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information, including the
OECD Guidelines and the International Covenant on Civil and Political
Rights.
2020 No 31 Privacy Act 2020 Part 1 s 3
9
4 Application of this Act
(1) This Act (except section 212) applies to—
(a) a New Zealand agency (A), in relation to any action taken by A (whether
or not while A is, or was, present in New Zealand) in respect of personal
information collected or held by A:
(b) an overseas agency (B), in relation to any action taken by B in the course
of carrying on business in New Zealand in respect of personal information collected or held by B:
(c) an individual (C) who is not ordinarily resident in New Zealand, in relation to any action taken by C in respect of—
(i) personal information collected by C while present in New Zealand, regardless of where the information is subsequently held by
C or where the individual to whom the information relates is, or
was, located:
(ii) personal information held by C while present in New Zealand (but
not collected by C while present in New Zealand), regardless of
where the individual to whom the information relates is, or was,
located.
(2) For the purposes of subsection (1)(a) and (b), it does not matter—
(a) where the personal information is, or was, collected by the agency; or
(b) where the personal information is held by the agency; or
(c) where the individual concerned is, or was, located.
(3) For the purposes of subsection (1)(b), an agency may be treated as carrying on
business in New Zealand without necessarily—
(a) being a commercial operation; or
(b) having a place of business in New Zealand; or
(c) receiving any monetary payment for the supply of goods or services; or
(d) intending to make a profit from its business in New Zealand.
(4) Subpart 3 of Part 7 also applies to a court in relation to its judicial functions.
(5) Section 212 applies to—
(a) a New Zealand agency:
(b) an overseas agency:
(c) an individual who is present in New Zealand:
(d) a person who is outside New Zealand if—
(i) any act or omission forming part of any offence under section 212
occurs in New Zealand; or
(ii) any event necessary to the completion of any offence under section 212 occurs in New Zealand.
Part 1 s 4 Privacy Act 2020 2020 No 31
10
5 Transitional, savings, and related provisions
The transitional, savings, and related provisions set out in Schedule 1 have
effect according to their terms.
6 Act binds the Crown
This Act binds the Crown.
Compare: 1993 No 28 s 5
Subpart 2—Interpretation and related matters
7 Interpretation
(1) In this Act, unless the context otherwise requires,—
action includes failure to act, and also includes any policy or practice
agency means a person described in section 4 to whom this Act applies
binding scheme means an internationally recognised scheme in which the participants agree to be bound by—
(a) specified measures for protecting personal information that is collected,
held, used, and disclosed; and
(b) mechanisms for enforcing compliance with those measures
Chairperson means the Chairperson of the Human Rights Review Tribunal,
and includes a Deputy Chairperson of the Tribunal
code of practice means a code of practice issued by the Commissioner under
section 32
collect, in relation to personal information, means to take any step to seek or
obtain the personal information, but does not include receipt of unsolicited
information
Commissioner means the Privacy Commissioner holding office under section
13 and appointed in accordance with section 28(1)(b) of the Crown Entities Act
2004
correct, in relation to personal information, means to alter that information by
way of correction, deletion, or addition, and correction has a corresponding
meaning
country includes a self-governing State, province, or territory
department—
(a) means a government department named in Part 1 of Schedule 1 of the
Ombudsmen Act 1975; and
(b) includes a departmental agency
Deputy Commissioner means the Deputy Privacy Commissioner appointed
under section 14
2020 No 31 Privacy Act 2020 Part 1 s 7
11
Director of Human Rights Proceedings or Director means the Director of
Human Rights Proceedings or alternate Director of Human Rights Proceedings
appointed under section 20A of the Human Rights Act 1993
document means a document in any form, and includes—
(a) any writing on any material:
(b) any information recorded or stored by means of any computer or other
device, and any material subsequently derived from information so
recorded or stored:
(c) any label, marking, or other writing that identifies or describes any thing
of which it forms part, or to which it is attached by any means:
(d) any book, map, plan, graph, or drawing:
(e) any photograph, film, negative, tape, or any device in which 1 or more
visual images are embodied so as to be capable (with or without the aid
of some other equipment) of being reproduced
foreign person or entity means—
(a) an individual who is neither—
(i) present in New Zealand; nor
(ii) ordinarily resident in New Zealand:
(b) a body, incorporated or unincorporated, that—
(i) is not established under the law of New Zealand; and
(ii) does not have its central control and management in New Zealand:
(c) the Government of an overseas country
General Data Protection Regulation means Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC
Human Rights Review Tribunal or Tribunal means the Human Rights
Review Tribunal continued by section 93 of the Human Rights Act 1993
individual means a natural person, other than a deceased natural person
individual concerned, in relation to personal information, means the individual to whom the information relates
information privacy principle or IPP means an information privacy principle
set out in section 22
inquiry means an inquiry to which section 6 of the Inquiries Act 2013 applies
intelligence and security agency means—
(a) the New Zealand Security Intelligence Service; and
(b) the Government Communications Security Bureau
Part 1 s 7 Privacy Act 2020 2020 No 31
12
international organisation means any organisation of States or Governments
of States or any organ or agency of any such organisation, and includes the
Commonwealth Secretariat
local authority—
(a) means a local authority or public body named or specified in Schedule 1
of the Local Government Official Information and Meetings Act 1987;
and
(b) includes—
(i) any committee, subcommittee, standing committee, special committee, joint standing committee, or joint special committee that
the local authority is empowered to appoint under its standing
orders or rules of procedure or under any enactment or Order in
Council constituting the local authority or regulating its proceedings; and
(ii) a committee of the whole local authority
Minister means a Minister of the Crown in the Minister’s capacity as a Minister
New Zealand agency has the meaning given to it in section 8
New Zealand private sector agency means a private sector agency that is an
incorporated or unincorporated body and that—
(a) is established under New Zealand law; or
(b) has its central management and control in New Zealand
news activity means—
(a) gathering, preparing, or compiling, for the purposes of publication,
any—
(i) news:
(ii) observations on news:
(iii) current affairs:
(b) publishing any—
(i) news:
(ii) observations on news:
(iii) current affairs
news entity means an entity (including an individual)—
(a) whose business, in whole or part, consists of a news activity; and
(b) that is, or is employed by an employer that is, subject to the oversight
of—
(i) the Broadcasting Standards Authority; or
(ii) the New Zealand Media Council; or
2020 No 31 Privacy Act 2020 Part 1 s 7
13
(iii) an overseas regulator providing an independent procedure for the
consideration and adjudication of privacy complaints that is accessible to complainants, including complainants residing in New
Zealand; or
(iv) any other body prescribed as a regulatory body by regulations
made under section 215(1)(b) for the purposes of this definition
OECD Guidelines means the Organisation for Economic Co-operation and
Development Guidelines Governing the Protection of Privacy and Transborder
Flows of Personal Data
Ombudsman means an Ombudsman appointed under the Ombudsmen Act
1975
organisation—
(a) means—
(i) an organisation named in Part 2 of Schedule 1 of the Ombudsmen
Act 1975; and
(ii) an organisation named in Schedule 1 of the Official Information
Act 1982; and
(b) includes the Office of the Clerk of the House of Representatives
overseas agency has the meaning given to it in section 9
overseas privacy enforcement authority means an overseas body that is
responsible for enforcing legislation to protect personal information, and that
has the power to conduct investigations and pursue enforcement proceedings
Parliamentary Under-Secretary means a Parliamentary Under-Secretary in
their capacity as a Parliamentary Under-Secretary
personal information—
(a) means information about an identifiable individual; and
(b) includes information relating to a death that is maintained by the
Registrar-General under the Births, Deaths, Marriages, and Relationships Registration Act 1995 or any former Act (as defined in section 2 of
the Births, Deaths, Marriages, and Relationships Registration Act 1995)
private sector agency means an agency that is not a public sector agency
public sector agency—
(a) means an agency that is a Minister, a Parliamentary Under-Secretary, a
department, an organisation, or a local authority; and
(b) includes any agency that is an unincorporated body (being a board,
council, committee, or other body)—
(i) that is established for the purpose of assisting or advising, or performing functions connected with, any public sector agency
within the meaning of paragraph (a); and
Part 1 s 7 Privacy Act 2020 2020 No 31
14
(ii) that is established in accordance with the provisions of any enactment or by any such public sector agency
publication has a corresponding meaning to publish
publicly available information means personal information that is contained
in a publicly available publication
publicly available publication means a publication (including a register, list,
or roll of data) in printed or electronic form that is, or will be, generally available to members of the public free of charge or on payment of a fee
publish means to make publicly available in any manner, including by—
(a) displaying on any medium:
(b) printing in a newspaper or other periodical:
(c) broadcasting by any means:
(d) disseminating by means of the Internet or any other electronic medium:
(e) storing electronically in a way that is accessible to the public
responsible Minister means the Minister of Justice
serious threat means a threat that an agency reasonably believes to be a serious threat having regard to all of the following:
(a) the likelihood of the threat being realised; and
(b) the severity of the consequences if the threat is realised; and
(c) the time at which the threat may be realised
unique identifier, in relation to an individual, means an identifier other than
the individual’s name that uniquely identifies the individual
working day means any day of the week other than—
(a) a Saturday, a Sunday, Waitangi Day, Good Friday, Easter Monday,
Anzac Day, the Sovereign’s birthday, or Labour Day; or
(b) if Waitangi Day or Anzac Day falls on a Saturday or a Sunday, the following Monday; or
(c) a day in the period commencing on 25 December in one year and ending
with 15 January in the next year.
(2) For the purposes of this Act, a person is to be treated as ordinarily resident in
New Zealand if—
(a) the person’s home is in New Zealand; or
(b) the person is residing in New Zealand with the intention of residing in
New Zealand indefinitely; or
(c) having resided in New Zealand with the intention of establishing their
home in New Zealand, or with the intention of residing in New Zealand
indefinitely, the person is outside New Zealand but intends to return to
2020 No 31 Privacy Act 2020 Part 1 s 7
15
establish their home in New Zealand or to reside in New Zealand indefinitely.
Compare: 1993 No 28 s 2(1)
8 Meaning of New Zealand agency
In this Act, New Zealand agency—
(a) means—
(i) an individual who is ordinarily resident in New Zealand; or
(ii) a public sector agency; or
(iii) a New Zealand private sector agency; or
(iv) a court or tribunal, except in relation to its judicial functions; but
(b) does not include—
(i) the Sovereign; or
(ii) the Governor-General or the Administrator of the Government; or
(iii) the House of Representatives; or
(iv) a member of Parliament in their official capacity; or
(v) the Parliamentary Service Commission; or
(vi) the Parliamentary Service, except in relation to personal information about any employee or former employee of the Parliamentary
Service in their capacity as an employee; or
(vii) an Ombudsman; or
(viii) an inquiry; or
(ix) a board of inquiry or court of inquiry appointed under any Act to
inquire into a specified matter; or
(x) a news entity, to the extent that it is carrying on news activities.
9 Meaning of overseas agency
In this Act, overseas agency means an overseas person, body corporate, or
unincorporated body that is not—
(a) a New Zealand agency; or
(b) the Government of an overseas country; or
(c) an overseas government entity to the extent that the entity is performing
any public function on behalf of the overseas Government; or
(d) a news entity, to the extent that it is carrying on news activities.
Part 1 s 8 Privacy Act 2020 2020 No 31
16
10 Personal information held by agency if held by officer, employee, or
member of agency
(1) For the purposes of this Act, personal information held by a person in the person’s capacity as an officer, an employee, or a member of an agency is to be
treated as being held by the agency.
(2) However, subsection (1) does not apply to—
(a) personal information held by an officer, an employee, or a member of a
public sector agency (A) if—
(i) the information is held only because of the person’s connection
with a private sector agency; and
(ii) that connection is not in the person’s capacity as an officer, an
employee, or a member of A; or
(b) personal information held by an officer, an employee, or a member of a
private sector agency (B) if—
(i) the information is held only because of the person’s connection
with another agency (whether a public sector agency or private
sector agency); and
(ii) that connection is not in the person’s capacity as an officer, an
employee, or a member of B.
Compare: 1993 No 28 s 3(1)–(3)
11 Personal information treated as being held by another agency in certain
circumstances
(1) This section applies if an agency (A) holds information as an agent for another
agency (B) (for example, the information is held by A on behalf of B for safe
custody or processing).
(2) For the purposes of this Act, the personal information is to be treated as being
held by B, and not A.
(3) However, the personal information is to be treated as being held by A as well
as B if A uses or discloses the information for its own purposes.
(4) For the purposes of this section, it does not matter whether A—
(a) is outside New Zealand; or
(b) holds the information outside New Zealand.
(5) To avoid doubt, if, under subsection (2), B is treated as holding personal information,—
(a) the transfer of the information to A by B is not a use or disclosure of the
information by B; and
2020 No 31 Privacy Act 2020 Part 1 s 11
17
(b) the transfer of the information, and any information derived from the
processing of that information, to B by A is not a use or disclosure of the
information by A.
Compare: 1993 No 28 s 3(4)
12 Actions of, and disclosure of information to, staff of agency, etc
For the purposes of this Act, an action done by, or information disclosed to, a
person employed by, or in the service of, an agency in the performance of the
duties of the person’s employment is to be treated as having been done by, or
disclosed to, the agency.
Compare: 1993 No 28 s 4
Part 2
Privacy Commissioner
Subpart 1—Appointment of Privacy Commissioner
13 Privacy Commissioner
(1) There continues to be a Commissioner called the Privacy Commissioner.
(2) The Commissioner is—
(a) a corporation sole; and
(b) a Crown entity for the purposes of section 7 of the Crown Entities Act
2004; and
(c) the board for the purposes of the Crown Entities Act 2004.
(3) The Crown Entities Act 2004 applies to the Commissioner except to the extent
that this Act expressly provides otherwise.
Compare: 1993 No 28 s 12
14 Deputy Privacy Commissioner
(1) The Governor-General may, on the recommendation of the responsible Minister, appoint a Deputy Privacy Commissioner.
(2) Part 2 of the Crown Entities Act 2004, except section 46, applies to the
appointment and removal of a Deputy Commissioner in the same manner as it
applies to the appointment and removal of the Commissioner.
(3) Subject to the control of the Commissioner, the Deputy Commissioner may
perform or exercise all the functions, duties, and powers of the Commissioner.
(4) When there is a vacancy in the position of Commissioner or when the Commissioner is (for whatever reason) absent from duty, the Deputy Commissioner
may perform or exercise all the functions, duties, and powers of the Commissioner.
Part 1 s 12 Privacy Act 2020 2020 No 31
18
(5) The Deputy Commissioner is entitled to all the protections, privileges, and
immunities of the Commissioner.
Compare: 1993 No 28 s 15
15 Holding of other offices
(1) In addition to the persons specified in section 30(2) of the Crown Entities Act
2004, a member of a local authority is disqualified from being appointed as the
Commissioner or Deputy Commissioner.
(2) If a Judge is appointed as the Commissioner or Deputy Commissioner,—
(a) the appointment does not affect the Judge’s tenure of judicial office,
rank, title, status, precedence, salary, annual or other allowances, or
other rights or privileges as a Judge (including those in relation to superannuation); and
(b) for all purposes, the Judge’s service as Commissioner or Deputy Commissioner must be taken to be service as a Judge.
Compare: 1993 No 28 s 19
16 Superannuation or retiring allowances
(1) For the purpose of providing superannuation or retiring allowances for the
Commissioner or Deputy Commissioner, the Commissioner may, out of the
funds of the Commissioner, make payments to or subsidise any retirement
scheme (within the meaning of section 6(1) of the Financial Markets Conduct
Act 2013).
(2) Subsections (3) to (5) apply to a person who, immediately before being appointed as the Commissioner or the Deputy Commissioner or, as the case may be,
becoming an employee of the Commissioner, is a contributor to the Government Superannuation Fund under Part 2 or 2A of the Government Superannuation Fund Act 1956 (the 1956 Act).
(3) The person is, for the purposes of the 1956 Act, to be treated as if the person
continues to be employed in the Government service while the person is the
Commissioner or Deputy Commissioner or, as the case may be, an employee of
the Commissioner.
(4) However, if the person ceases to be a contributor to the Government Superannuation Fund after their appointment or employment, the person may not
resume making contributions to the Fund.
(5) For the purposes of applying the 1956 Act to a person under this section, controlling authority, in relation to the person, means the Commissioner.
Compare: 1993 No 28 Schedule 1 cl 4
2020 No 31 Privacy Act 2020 Part 2 s 16
19
Subpart 2—Functions of Privacy Commissioner
17 Functions of Commissioner
(1) The functions of the Commissioner are—
(a) to exercise the powers, and carry out the functions and duties, conferred
on the Commissioner by or under this Act or any other enactment:
(b) to provide advice (with or without a request) to a Minister, a Parliamentary Under-Secretary, or an agency on any matter relevant to the operation of this Act:
(c) to promote, by education and publicity, an understanding and acceptance
of the information privacy principles and of the objectives of those principles:
(d) to make public statements in relation to any matter affecting the privacy
of individuals:
(e) to receive and invite representations from members of the public on any
matter affecting the privacy of individuals:
(f) to consult and co-operate with other persons and bodies concerned with
the privacy of individuals:
(g) to examine any proposed legislation (including subordinate legislation)
or proposed government policy that the Commissioner considers may
affect the privacy of individuals, including any proposed legislation that
makes provision for either or both of the following:
(i) the collection of personal information by a public sector agency:
(ii) the sharing of personal information between public sector agencies (including parts of public sector agencies):
(h) to monitor the use of unique identifiers:
(i) to inquire generally into any matter, including any other enactment or
any law, or any practice or procedure, whether governmental or nongovernmental, or any technical development, if it appears to the Commissioner that the privacy of individuals is being, or may be, infringed
(for powers of the Commissioner in relation to inquiries, see section
203):
(j) to undertake research into, and to monitor developments in, data processing and technology to ensure that any adverse effects of the developments on the privacy of individuals are minimised:
(k) to give advice to any person in relation to any matter that concerns the
need for, or desirability of, action by that person in the interests of the
privacy of individuals:
(l) when requested to do so by an agency, to conduct an audit of personal
information maintained by that agency for the purpose of ascertaining
Part 2 s 17 Privacy Act 2020 2020 No 31
20
whether the information is maintained according to the information privacy principles:
(m) to monitor the operation of this Act and consider whether any amendments to this Act are necessary or desirable:
(n) to report to the responsible Minister on the results of—
(i) any examination conducted under paragraph (g):
(ii) the monitoring undertaken under paragraph (h):
(iii) the research and monitoring undertaken under paragraph (j):
(iv) the monitoring and consideration undertaken under paragraph
(m):
(o) to report to the Prime Minister on—
(i) any matter affecting the privacy of individuals, including the need
for, or desirability of, taking legislative, administrative, or other
action to give protection or better protection to the privacy of individuals:
(ii) the desirability of New Zealand accepting any international instrument relating to the privacy of individuals:
(iii) any other matter relating to the privacy of individuals that, in the
Commissioner’s opinion, should be drawn to the Prime Minister’s
attention:
(p) to gather any information that will assist in carrying out the functions in
paragraphs (a) to (o).
(2) The Commissioner may at any time, if it is in the public interest or in the interests of any person or body of persons to do so, publish—
(a) reports relating generally to the performance of the Commissioner’s
functions under this Act:
(b) reports relating to any case or cases investigated by the Commissioner.
(3) Subsection (2) applies regardless of whether the matters to be dealt with in a
report under that subsection have been the subject of a report to the responsible
Minister or the Prime Minister.
Compare: 1993 No 28 ss 13(1), (2), 26(1)
18 Other functions of Commissioner
(1) The responsible Minister may, for any of the following purposes, request the
Commissioner to provide advice on whether a binding scheme requires a foreign person or entity to protect personal information in a way that, overall, provides comparable safeguards to those in this Act:
(a) to assist the Minister in deciding whether to recommend the making of
regulations under section 213 prescribing the binding scheme:
2020 No 31 Privacy Act 2020 Part 2 s 18
21
(b) to assist the Minister in deciding whether any regulations made under
section 213 prescribing the binding scheme should be—
(i) continued without amendment; or
(ii) continued with amendment; or
(iii) revoked; or
(iv) replaced.
(2) The responsible Minister may, for the following purposes, request the Commissioner to provide advice on whether the privacy laws of a country, overall, provide comparable safeguards to those in this Act:
(a) to assist the Minister in deciding whether to recommend the making of
regulations under section 214 prescribing the country:
(b) to assist the Minister in deciding whether any regulations made under
section 214 prescribing the country should be—
(i) continued without amendment; or
(ii) continued with amendment; or
(iii) revoked:
(c) to assist the Minister in deciding whether, for the purposes in paragraph
(a) or (b)(i) or (ii), the country should be subject to any limitation or
qualification of the kind specified in section 214(3).
19 Responsible Minister must present copy of report on operation of Act to
House of Representatives
As soon as practicable after receiving a report under section 17(1)(n)(iv), the
responsible Minister must present a copy of the report to the House of Representatives.
Compare: 1993 No 28 s 26(2)
20 Duty to act independently
The Commissioner must act independently in performing statutory functions
and duties, and exercising statutory powers, under—
(a) this Act; and
(b) any other Act that expressly provides for the functions, powers, or duties
of the Commissioner (other than the Crown Entities Act 2004).
Compare: 1993 No 28 s 13(1A)
21 Commissioner to have regard to certain matters
The Commissioner must, in performing any statutory function or duty, and in
exercising any statutory power,—
(a) have regard to the privacy interests of individuals alongside other human
rights and interests, including—
Part 2 s 19 Privacy Act 2020 2020 No 31
22
(i) the desirability of facilitating the free flow of information in society; and
(ii) government and businesses being able to achieve their objectives
efficiently; and
(b) take account of international obligations accepted by New Zealand,
including those concerning the international technology of communications; and
(c) take account of cultural perspectives on privacy; and
(d) consider any developing general international guidelines relevant to the
better protection of individual privacy; and
(e) have regard to the IPPs.
Compare: 1993 No 28 s 14
Part 3
Information privacy principles and codes of practice
Subpart 1—Information privacy principles
22 Information privacy principles
The information privacy principles are as follows:
Information privacy principle 1
Purpose of collection of personal information
(1) Personal information must not be collected by an agency unless—
(a) the information is collected for a lawful purpose connected with a
function or an activity of the agency; and
(b) the collection of the information is necessary for that purpose.
(2) If the lawful purpose for which personal information about an individual is collected does not require the collection of an individual’s
identifying information, the agency may not require the individual’s
identifying information.
Information privacy principle 2
Source of personal information
(1) If an agency collects personal information, the information must be collected from the individual concerned.
(2) It is not necessary for an agency to comply with subclause (1) if the
agency believes, on reasonable grounds,—
(a) that non-compliance would not prejudice the interests of the
individual concerned; or
2020 No 31 Privacy Act 2020 Part 3 s 22
23
(b) that compliance would prejudice the purposes of the collection;
or
(c) that the individual concerned authorises collection of the information from someone else; or
(d) that the information is publicly available information; or
(e) that non-compliance is necessary—
(i) to avoid prejudice to the maintenance of the law by any
public sector agency, including prejudice to the prevention,
detection, investigation, prosecution, and punishment of
offences; or
(ii) for the enforcement of a law that imposes a pecuniary penalty; or
(iii) for the protection of public revenue; or
(iv) for the conduct of proceedings before any court or tribunal
(being proceedings that have been commenced or are
reasonably in contemplation); or
(v) to prevent or lessen a serious threat to the life or health of
the individual concerned or any other individual; or
(f) that compliance is not reasonably practicable in the circumstances of the particular case; or
(g) that the information—
(i) will not be used in a form in which the individual concerned is identified; or
(ii) will be used for statistical or research purposes and will
not be published in a form that could reasonably be expected to identify the individual concerned.
Information privacy principle 3
Collection of information from subject
(1) If an agency collects personal information from the individual concerned, the agency must take any steps that are, in the circumstances,
reasonable to ensure that the individual concerned is aware of—
(a) the fact that the information is being collected; and
(b) the purpose for which the information is being collected; and
(c) the intended recipients of the information; and
(d) the name and address of—
(i) the agency that is collecting the information; and
(ii) the agency that will hold the information; and
(e) if the collection of the information is authorised or required by
or under law,—
Part 3 s 22 Privacy Act 2020 2020 No 31
24
(i) the particular law by or under which the collection of the
information is authorised or required; and
(ii) whether the supply of the information by that individual is
voluntary or mandatory; and
(f) the consequences (if any) for that individual if all or any part of
the requested information is not provided; and
(g) the rights of access to, and correction of, information provided
by the IPPs.
(2) The steps referred to in subclause (1) must be taken before the information is collected or, if that is not practicable, as soon as practicable after
the information is collected.
(3) An agency is not required to take the steps referred to in subclause (1)
in relation to the collection of information from an individual if the
agency has taken those steps on a recent previous occasion in relation to
the collection, from that individual, of the same information or information of the same kind.
(4) It is not necessary for an agency to comply with subclause (1) if the
agency believes, on reasonable grounds,—
(a) that non-compliance would not prejudice the interests of the
individual concerned; or
(b) that non-compliance is necessary—
(i) to avoid prejudice to the maintenance of the law by any
public sector agency, including prejudice to the prevention,
detection, investigation, prosecution, and punishment of
offences; or
(ii) for the enforcement of a law that imposes a pecuniary penalty; or
(iii) for the protection of public revenue; or
(iv) for the conduct of proceedings before any court or tribunal
(being proceedings that have been commenced or are
reasonably in contemplation); or
(c) that compliance would prejudice the purposes of the collection;
or
(d) that compliance is not reasonably practicable in the circumstances of the particular case; or
(e) that the information—
(i) will not be used in a form in which the individual concerned is identified; or
(ii) will be used for statistical or research purposes and will
not be published in a form that could reasonably be expected to identify the individual concerned.
2020 No 31 Privacy Act 2020 Part 3 s 22
25
Information privacy principle 4
Manner of collection of personal information
An agency may collect personal information only—
(a) by a lawful means; and
(b) by a means that, in the circumstances of the case (particularly in circumstances where personal information is being collected from children or
young persons),—
(i) is fair; and
(ii) does not intrude to an unreasonable extent upon the personal
affairs of the individual concerned.
Information privacy principle 5
Storage and security of personal information
An agency that holds personal information must ensure—
(a) that the information is protected, by such security safeguards as are
reasonable in the circumstances to take, against—
(i) loss; and
(ii) access, use, modification, or disclosure that is not authorised by
the agency; and
(iii) other misuse; and
(b) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use
or unauthorised disclosure of the information.
Information privacy principle 6
Access to personal information
(1) An individual is entitled to receive from an agency upon request—
(a) confirmation of whether the agency holds any personal information about them; and
(b) access to their personal information.
(2) If an individual concerned is given access to personal information, the
individual must be advised that, under IPP 7, the individual may request
the correction of that information.
(3) This IPP is subject to the provisions of Part 4.
Part 3 s 22 Privacy Act 2020 2020 No 31
26
Information privacy principle 7
Correction of personal information
(1) An individual whose personal information is held by an agency is
entitled to request the agency to correct the information.
(2) An agency that holds personal information must, on request or on its
own initiative, take such steps (if any) that are reasonable in the circumstances to ensure that, having regard to the purposes for which the information may lawfully be used, the information is accurate, up to date,
complete, and not misleading.
(3) When requesting the correction of personal information, or at any later
time, an individual is entitled to—
(a) provide the agency with a statement of the correction sought to
the information (a statement of correction); and
(b) request the agency to attach the statement of correction to the
information if the agency does not make the correction sought.
(4) If an agency that holds personal information is not willing to correct the
information as requested and has been provided with a statement of correction, the agency must take such steps (if any) that are reasonable in
the circumstances to ensure that the statement of correction is attached
to the information in a manner that ensures that it will always be read
with the information.
(5) If an agency corrects personal information or attaches a statement of
correction to personal information, that agency must, so far as is reasonably practicable, inform every other person to whom the agency has disclosed the information.
(6) Subclauses (1) to (4) are subject to the provisions of Part 4.
Information privacy principle 8
Accuracy, etc, of personal information to be checked before use or disclosure
An agency that holds personal information must not use or disclose that information without taking any steps that are, in the circumstances, reasonable to
ensure that the information is accurate, up to date, complete, relevant, and not
misleading.
Information privacy principle 9
Agency not to keep personal information for longer than necessary
An agency that holds personal information must not keep that information for
longer than is required for the purposes for which the information may lawfully
be used.
2020 No 31 Privacy Act 2020 Part 3 s 22
27
Information privacy principle 10
Limits on use of personal information
(1) An agency that holds personal information that was obtained in
connection with one purpose may not use the information for any other
purpose unless the agency believes, on reasonable grounds,—
(a) that the purpose for which the information is to be used is
directly related to the purpose in connection with which the
information was obtained; or
(b) that the information—
(i) is to be used in a form in which the individual concerned is
not identified; or
(ii) is to be used for statistical or research purposes and will
not be published in a form that could reasonably be expected to identify the individual concerned; or
(c) that the use of the information for that other purpose is authorised by the individual concerned; or
(d) that the source of the information is a publicly available publication and that, in the circumstances of the case, it would not be
unfair or unreasonable to use the information; or
(e) that the use of the information for that other purpose is necessary—
(i) to avoid prejudice to the maintenance of the law by any
public sector agency, including prejudice to the prevention,
detection, investigation, prosecution, and punishment of
offences; or
(ii) for the enforcement of a law that imposes a pecuniary penalty; or
(iii) for the protection of public revenue; or
(iv) for the conduct of proceedings before any court or tribunal
(being proceedings that have been commenced or are
reasonably in contemplation); or
(f) that the use of the information for that other purpose is necessary to prevent or lessen a serious threat to—
(i) public health or public safety; or
(ii) the life or health of the individual concerned or another
individual.
(2) In addition to the uses authorised by subclause (1), an intelligence and
security agency that holds personal information that was obtained in
connection with one purpose may use the information for any other purpose (a secondary purpose) if the agency believes on reasonable
Part 3 s 22 Privacy Act 2020 2020 No 31
28
grounds that the use of the information for the secondary purpose is
necessary to enable the agency to perform any of its functions.
Information privacy principle 11
Limits on disclosure of personal information
(1) An agency that holds personal information must not disclose the information to any other agency or to any person unless the agency believes,
on reasonable grounds,—
(a) that the disclosure of the information is one of the purposes in
connection with which the information was obtained or is
directly related to the purposes in connection with which the
information was obtained; or
(b) that the disclosure is to the individual concerned; or
(c) that the disclosure is authorised by the individual concerned; or
(d) that the source of the information is a publicly available publication and that, in the circumstances of the case, it would not be
unfair or unreasonable to disclose the information; or
(e) that the disclosure of the information is necessary—
(i) to avoid prejudice to the maintenance of the law by any
public sector agency, including prejudice to the prevention,
detection, investigation, prosecution, and punishment of
offences; or
(ii) for the enforcement of a law that imposes a pecuniary penalty; or
(iii) for the protection of public revenue; or
(iv) for the conduct of proceedings before any court or tribunal
(being proceedings that have been commenced or are
reasonably in contemplation); or
(f) that the disclosure of the information is necessary to prevent or
lessen a serious threat to—
(i) public health or public safety; or
(ii) the life or health of the individual concerned or another
individual; or
(g) that the disclosure of the information is necessary to enable an
intelligence and security agency to perform any of its functions;
or
(h) that the information—
(i) is to be used in a form in which the individual concerned is
not identified; or
2020 No 31 Privacy Act 2020 Part 3 s 22
29
(ii) is to be used for statistical or research purposes and will
not be published in a form that could reasonably be expected to identify the individual concerned; or
(i) that the disclosure of the information is necessary to facilitate
the sale or other disposition of a business as a going concern.
(2) This IPP is subject to IPP 12.
Information privacy principle 12
Disclosure of personal information outside New Zealand
(1) An agency (A) may disclose personal information to a foreign person or
entity (B) in reliance on IPP 11(1)(a), (c), (e), (f), (h), or (i) only if—
(a) the individual concerned authorises the disclosure to B after
being expressly informed by A that B may not be required to
protect the information in a way that, overall, provides comparable safeguards to those in this Act; or
(b) B is carrying on business in New Zealand and, in relation to the
information, A believes on reasonable grounds that B is subject
to this Act; or
(c) A believes on reasonable grounds that B is subject to privacy
laws that, overall, provide comparable safeguards to those in this
Act; or
(d) A believes on reasonable grounds that B is a participant in a prescribed binding scheme; or
(e) A believes on reasonable grounds that B is subject to privacy
laws of a prescribed country; or
(f) A otherwise believes on reasonable grounds that B is required to
protect the information in a way that, overall, provides comparable safeguards to those in this Act (for example, pursuant to an
agreement entered into between A and B).
(2) However, subclause (1) does not apply if the personal information is to
be disclosed to B in reliance on IPP 11(1)(e) or (f) and it is not reasonably practicable in the circumstances for A to comply with the requirements of subclause (1).
(3) In this IPP,—
prescribed binding scheme means a binding scheme specified in regulations made under section 213
prescribed country means a country specified in regulations made
under section 214.
Part 3 s 22 Privacy Act 2020 2020 No 31
30
Information privacy principle 13
Unique identifiers
(1) An agency (A) may assign a unique identifier to an individual for use in
its operations only if that identifier is necessary to enable A to carry out
1 or more of its functions efficiently.
(2) A may not assign to an individual a unique identifier that, to A’s knowledge, is the same unique identifier as has been assigned to that individual by another agency (B), unless—
(a) A and B are associated persons within the meaning of subpart
YB of the Income Tax Act 2007; or
(b) the unique identifier is to be used by A for statistical or research
purposes and no other purpose.
(3) To avoid doubt, A does not assign a unique identifier to an individual
under subclause (1) by simply recording a unique identifier assigned to
the individual by B for the sole purpose of communicating with B about
the individual.
(4) A must take any steps that are, in the circumstances, reasonable to
ensure that—
(a) a unique identifier is assigned only to an individual whose identity is clearly established; and
(b) the risk of misuse of a unique identifier by any person is minimised (for example, by showing truncated account numbers on
receipts or in correspondence).
(5) An agency may not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the
purposes in connection with which that unique identifier was assigned
or is for a purpose that is directly related to one of those purposes.
Compare: 1993 No 28 s 6
23 Application of IPPs in relation to information held overseas
An action taken by an agency in relation to information held overseas does not
breach any of the IPPs if the action is required by or under the law of any country other than New Zealand.
Compare: 1993 No 28 s 10(3)
24 Relationships between IPPs and other New Zealand law
(1) Nothing in IPP 6, 11, or 12 limits or affects—
(a) a provision contained in any New Zealand enactment that authorises or
requires personal information to be made available; or
(b) a provision contained in any other New Zealand Act that—
(i) imposes a prohibition or restriction in relation to the availability
of personal information; or
2020 No 31 Privacy Act 2020 Part 3 s 24
31
(ii) regulates the manner in which personal information may be
obtained or made available.
(2) An action taken by an agency does not breach IPPs 1 to 5, 7 to 10, or 13 if the
action is authorised or required by or under New Zealand law.
Compare: 1993 No 28 s 7(1), (2), (4)
25 IPPs 1 to 4 do not apply to personal information collected before 1 July
1993
IPPs 1 to 4 do not apply to personal information collected before 1 July 1993.
Compare: 1993 No 28 s 8(1)
26 Restricted application of IPP 13 to unique identifiers assigned before
1 July 1993
(1) IPP 13(1) to (4)(a) does not apply to unique identifiers assigned before 1 July
1993.
(2) However, IPP 13(2) applies to the assignment of a unique identifier on or after
1 July 1993 even if the unique identifier assigned is the same as that assigned
by another agency before that date.
Compare: 1993 No 28 s 8(5), (6)
27 Restricted application of IPPs to personal information collected or held for
personal or domestic affairs
(1) IPPs 1 to 3 and 4(b) do not apply to an agency if that agency—
(a) is an individual; and
(b) is collecting personal information solely for the purposes of, or in connection with, the individual’s personal or domestic affairs.
(2) IPPs 5 to 12 do not apply to an agency if that agency—
(a) is an individual; and
(b) is holding personal information that was collected by a lawful means
solely for the purposes of, or in connection with, the individual’s personal or domestic affairs.
(3) However, the exemptions in subsections (1) and (2) do not apply if the collection, use, or disclosure of the personal information would be highly offensive
to a reasonable person.
Compare: 1993 No 28 s 56
28 IPPs 2, 3, and 4(b) do not apply to personal information collected by
intelligence and security agencies
IPPs 2, 3, and 4(b) do not apply to personal information collected by an intelligence and security agency.
Compare: 1993 No 28 s 57
Part 3 s 25 Privacy Act 2020 2020 No 31
32
29 IPPs 6 and 7 do not apply to certain information
(1) IPPs 6 and 7 do not apply in respect of—
(a) personal information during transmission by post, personal delivery, or
electronic means; or
(b) personal information that is contained in any correspondence or communication between an agency and any of the following persons and that
relates to an investigation conducted by that person under any Act, not
being information that was in existence before the commencement of the
investigation:
(i) an Ombudsman:
(ii) any officer or employee appointed by the Chief Ombudsman
under section 11(1) of the Ombudsmen Act 1975:
(iii) the Commissioner:
(iv) any employee or delegate of the Commissioner; or
(c) personal information held by the Auditor-General, the Deputy AuditorGeneral, or any employee of the Auditor-General in connection with the
performance or exercise of the Auditor-General’s functions, duties, or
powers that is not personal information about any employee or former
employee of the Auditor-General in their capacity as an employee; or
(d) personal information contained in evidence given or submissions made
to—
(i) a government inquiry, until the final report of that inquiry is presented to the appointing Minister:
(ii) a public inquiry (including a Royal commission), until the final
report of that inquiry is presented to the House of Representatives:
(iii) a person or body appointed under any Act to inquire into a specified matter; or
(e) personal information contained in a video record made under the Evidence Regulations 2007 or any copy or transcript of the video record.
(2) IPP 7 does not apply to personal information collected by Statistics New Zealand under the Statistics Act 1975.
Compare: 1993 No 28 ss 7(5), 55
30 Commissioner may authorise collection, use, storage, or disclosure of
personal information otherwise in breach of IPP 2 or IPPs 9 to 12
(1) An agency may apply to the Commissioner for authorisation to do any of the
following in the circumstances of a particular case:
(a) collect personal information even if the collection of that information
would otherwise be in breach of IPP 2:
2020 No 31 Privacy Act 2020 Part 3 s 30
33
(b) keep personal information even if the keeping of that information would
otherwise be in breach of IPP 9:
(c) use personal information even if the use of that information would otherwise be in breach of IPP 10:
(d) disclose personal information even if the disclosure of that information
would otherwise be in breach of IPP 11 or 12.
(2) An application under subsection (1) must be made in the manner required by
the Commissioner.
(3) If, on receiving an application, the Commissioner is not satisfied that the applicant has taken sufficient steps to give notice of the application to all individuals
concerned, the Commissioner may require the applicant to give public notice of
the application in a manner that the Commissioner specifies.
(4) If, on receiving an application, the Commissioner is not satisfied that the applicant has given sufficient opportunity to individuals concerned to object to the
application, the Commissioner may require the applicant to give any further
opportunity that the Commissioner specifies.
(5) In considering whether to grant an authorisation, the Commissioner must take
into account any objections to the application received from individuals concerned.
(6) The Commissioner may grant an authorisation sought by an applicant only if
the Commissioner is satisfied that, in the special circumstances of the case,—
(a) the public interest in granting the authorisation outweighs, to a substantial degree, the possibility of—
(i) any loss, detriment, damage, or injury to the individuals concerned; or
(ii) any adverse affect on the rights, benefits, privileges, obligations,
or interests of the individuals concerned; or
(iii) any significant humiliation, significant loss of dignity, or significant injury to the feelings of the individuals concerned; or
(b) granting the authorisation would result in a clear benefit to the individuals concerned that outweighs the possibility of—
(i) any loss, detriment, damage, or injury to the individuals concerned; or
(ii) any adverse affect on the rights, benefits, privileges, obligations,
or interests of the individuals concerned; or
(iii) any significant humiliation, significant loss of dignity, or significant injury to the feelings of the individuals concerned.
(7) The Commissioner may not grant an authorisation under subsection (6) in
respect of any specified personal information if the individual concerned objected.
Part 3 s 30 Privacy Act 2020 2020 No 31
34
(8) An authorisation granted under subsection (6) may be subject to any conditions
that the Commissioner considers appropriate.
(9) The Commissioner must maintain on the Commissioner’s Internet site a list of
current authorisations granted under this section.
Compare: 1993 No 28 s 54
31 Enforceability of IPPs
(1) Except as provided in subsection (2), the IPPs do not confer on any person any
right that is enforceable in a court of law.
(2) The entitlements conferred on an individual by IPP 6(1), to the extent that
those entitlements relate to personal information held by a public sector
agency, are legal rights and are enforceable in a court of law.
Compare: 1993 No 28 s 11
Subpart 2—Codes of practice
32 Codes of practice in relation to IPPs
(1) The Commissioner may at any time issue a code of practice in relation to the
IPPs.
(2) A code of practice may—
(a) modify the application of 1 or more of the IPPs by—
(i) prescribing more stringent or less stringent standards:
(ii) exempting any action from an IPP, either unconditionally or conditionally:
(b) apply 1 or more of the IPPs without modification:
(c) prescribe how 1 or more of the IPPs are to be applied or complied with.
(3) A code of practice may apply in relation to 1 or more of the following:
(a) any specified information or class or classes of information:
(b) any specified agency or class or classes of agency:
(c) any specified activity or class or classes of activity:
(d) any specified industry, profession, or calling or class or classes of industry, profession, or calling.
(4) A code of practice may also—
(a) impose, in relation to any private sector agency, controls in relation to
the comparison (whether done manually or by means of any electronic
or other device) of personal information with other personal information
for the purpose of producing or verifying information about an identifiable individual:
(b) in relation to charging under section 66,—
2020 No 31 Privacy Act 2020 Part 3 s 32
35
(i) set guidelines to be followed by agencies in determining charges:
(ii) prescribe circumstances in which no charge may be imposed:
(c) prescribe procedures for dealing with complaints alleging a breach of the
code, without limiting or restricting any provision of Part 5:
(d) provide for the review of the code by the Commissioner:
(e) provide for the expiry of the code.
(5) A code of practice may not limit or restrict the entitlements under IPP 6 or 7.
(6) Despite the definition of the term individual in section 7(1),—
(a) a sector-specific code of practice may be issued that applies 1 or more of
the IPPs to information about deceased persons (whether or not the code
also applies 1 or more of the IPPs to other information); and
(b) the code of practice has effect under section 38 as if those IPPs so
applied, and the provisions of this Act apply accordingly.
Compare: 1993 No 28 s 46
33 Issue of code of practice
(1) The Commissioner may issue a code of practice on—
(a) the Commissioner’s own initiative; or
(b) the application of any person.
(2) An application may be made under subsection (1)(b) only—
(a) by a body that represents the interests of any class or classes of agency,
industry, profession, or calling (a group); and
(b) if the code of practice sought by the applicant is intended to apply to that
group, or any activity of the group.
(3) Before issuing a code of practice, the Commissioner must—
(a) give public notice of the Commissioner’s intention to issue the code and
include a statement that—
(i) the details of the proposed code, including a draft of the proposed
code, may be obtained from the Commissioner; and
(ii) submissions on the proposed code may be made in writing to the
Commissioner within the period specified in the notice; and
(b) do everything reasonably possible to advise all persons affected by the
proposed code, or the representatives of those persons, of—
(i) the details of the proposed code; and
(ii) the reasons for the proposed code; and
(c) give the persons affected by the code, or the representatives of those persons, the opportunity to make submissions on the proposed code; and
(d) consider any submissions made on the proposed code.
Part 3 s 33 Privacy Act 2020 2020 No 31
36
(4) Publication in the Gazette of a notice under subsection (3)(a) is conclusive
proof that the requirements of that provision have been complied with in
respect of the code of practice to which the notice relates.
Compare: 1993 No 28 ss 47(1), (3), (4), 48(1), (2)
34 Urgent issue of code of practice
(1) If the Commissioner considers that it is necessary to issue a code of practice, or
to amend or revoke any code of practice, and that following the procedure set
out in section 33(3) would be impracticable because it is necessary to issue the
code or, as the case may be, the amendment or revocation urgently, the Commissioner may issue the code or, as the case may be, the amendment or revocation without complying with that procedure.
(2) Every code of practice, and every amendment to or revocation of a code of
practice, issued in accordance with this section,—
(a) must be identified as a temporary code or amendment or revocation; and
(b) remains in force for the period (not exceeding 1 year after the date of its
issue) specified for that purpose in the code or, as the case may be, the
amendment or the revocation.
(3) Section 35(2) does not apply to a code of practice, or any amendment to or
revocation of a code of practice, issued in accordance with this section.
Compare: 1993 No 28 s 52
35 Notification, availability, and commencement of codes of practice
(1) If the Commissioner issues a code of practice,—
(a) the Commissioner must, as soon as practicable after the code is issued,
ensure that a notice is published in the Gazette that—
(i) states that the code has been issued; and
(ii) specifies a place at which copies of the code are available for
inspection free of charge and for purchase; and
(b) the Commissioner must ensure that, so long as the code remains in force,
the code is publicly available on an Internet site maintained by or on
behalf of the Commissioner, and that copies of the code are available—
(i) for inspection by members of the public free of charge; and
(ii) for purchase by members of the public at a reasonable price.
(2) A code of practice comes into force on the 28th day after the date of its notification in the Gazette or on any later day that is specified in the code.
Compare: 1993 No 28 s 49
2020 No 31 Privacy Act 2020 Part 3 s 35
37
36 Application of Legislation Act 2012 to codes of practice
All codes of practice are disallowable instruments, but not legislative instruments, for the purposes of the Legislation Act 2012 and must be presented to
the House of Representatives under section 41 of that Act.
Compare: 1993 No 28 s 50
37 Amendment and revocation of codes of practice
(1) The Commissioner may at any time issue an amendment or a revocation of a
code of practice.
(2) The provisions of sections 33, 35, and 36 apply in respect of any amendment or
revocation of a code of practice.
Compare: 1993 No 28 s 51
38 Effect of codes of practice
If a code of practice is in force,—
(a) any action that would otherwise be a breach of an IPP is, for the purposes of Part 5, treated as not breaching that IPP if the action complies
with the code; and
(b) failure to comply with the code, even if the failure would not otherwise
be a breach of any IPP, is, for the purposes of Part 5, treated as a breach
of an IPP.
Compare: 1993 No 28 ss 53, 64
Part 4
Access to and correction of personal information
Subpart 1—Access to personal information
39 Interpretation
(1) In this subpart and subpart 3, IPP 6 request means a request made under IPP 6.
(2) In this subpart, requestor, in relation to an IPP 6 request, means the person
who made the request.
Compare: 1993 No 28 s 33
40 Individuals may make IPP 6 request
An IPP 6 request may be made only by the individual concerned or that individual’s representative.
Compare: 1993 No 28 s 34
41 Urgency
(1) A requestor may ask that an IPP 6 request be treated as urgent (an urgent IPP
6 request).
Part 3 s 36 Privacy Act 2020 2020 No 31
38
(2) A requestor making an urgent IPP 6 request must state the reason why the
request should be treated as urgent.
(3) On receiving an urgent IPP 6 request, an agency must consider the request and
the reason stated for its urgency when determining the priority to be given to
responding to it.
Compare: 1993 No 28 s 37
42 Assistance
An agency must give reasonable assistance to a person who—
(a) wishes to make an IPP 6 request; or
(b) is making an IPP 6 request.
Compare: 1993 No 28 s 38
43 Transfer of IPP 6 request
(1) This section applies if an agency that receives an IPP 6 request—
(a) does not hold the information to which the request relates, but believes
that the information is held by another agency; or
(b) believes that the information to which the request relates is more closely
connected with the functions or activities of another agency.
(2) The agency must promptly, and in any case not later than 10 working days after
the day on which the IPP 6 request is received, transfer the request to the other
agency and inform the requestor accordingly.
(3) However, subsection (2) does not apply if the agency has good cause to believe
that the requestor does not want the request transferred to another agency.
(4) If, in reliance on subsection (3), the agency does not transfer the request, the
agency must promptly, and in any case not later than 10 working days after the
day on which the IPP 6 request was received, inform the requestor that—
(a) this section applies in respect of the request; and
(b) in reliance on subsection (3), the request has not been transferred; and
(c) the name of the agency to which the request could be transferred.
Compare: 1993 No 28 s 39
44 Responding to IPP 6 request
(1) If an agency does not transfer an IPP 6 request under section 43, the agency
must, as soon as is reasonably practicable, and in any case not later than 20
working days after the day on which the request is received, respond to the
request.
(2) A response must notify the requestor that—
(a) the agency does not hold personal information in a way that enables the
information to be readily retrieved; or
2020 No 31 Privacy Act 2020 Part 4 s 44
39
(b) the agency does not hold any personal information about the individual
to whom the request relates; or
(c) the agency does hold personal information about the individual to whom
the request relates and, if access to the information has been requested,
that—
(i) access to that information, or some of that information, is granted;
or
(ii) access to that information, or some of that information, is refused;
or
(d) the agency neither confirms nor denies that it holds any personal information about the individual to whom the request relates.
45 Decision to grant access to personal information
(1) If an agency grants access to personal information, the notice under section
44(2)(c)(i) must state—
(a) the way the information is to be made available; and
(b) the charge (if any) payable under section 66 in respect of the request,
and whether all or part of that charge is required to be paid in advance;
and
(c) the requestor’s right to make a complaint to the Commissioner about the
charge that is payable (if any).
(2) After giving notice under section 44(2)(c)(i) and receiving any charge required
to be paid in advance, the agency must make the information available to the
requestor.
Compare: 1993 No 28 s 40(1), (2)
46 Decision to refuse access to personal information
(1) An agency may refuse access to the personal information requested, or some of
the personal information requested, only if the agency is able to rely on any of
sections 49 to 53 (see also section 24).
(2) The notice given under section 44(2)(c)(ii) must state—
(a) the reason for the refusal; and
(b) the requestor’s right to make a complaint to the Commissioner in respect
of the refusal.
(3) The notice must also state the grounds in support of the reason for the refusal
if—
(a) the reason is that set out in section 50; or
(b) the reason is not that set out in section 50, but the requestor has requested disclosure of the grounds.
(4) However,—
Part 4 s 45 Privacy Act 2020 2020 No 31
40
(a) subsection (3)(a) does not apply if disclosing the grounds would prejudice the interests protected by section 50:
(b) subsection (3)(b) does not apply if disclosing the grounds would prejudice the interests protected by any of sections 49, 51, and 53:
(c) subsection (3)(b) does not apply if disclosing the grounds would prejudice the interests protected by section 52 and the reason for not disclosing those grounds is not outweighed by other considerations that make it
desirable, in the public interest, to disclose them.
Compare: 1993 No 28 ss 30, 44
47 Decision to neither confirm nor deny personal information is held
(1) An agency may neither confirm nor deny that it holds the personal information,
or some of the personal information, requested if the agency—
(a) is able to rely on section 49(1)(a)(i) or (d), 51, 52, or 53(c) to refuse to
disclose the information or refuse to disclose the information if it existed; and
(b) is satisfied that the interest protected by any of those provisions would
be likely to be prejudiced by the agency confirming whether or not it
holds information about the requestor.
(2) The notice given under section 44(2)(d) must inform the requestor of the
requestor’s right to make a complaint to the Commissioner in respect of the
agency’s response.
Compare: 1993 No 28 s 32
48 Extension of time limits
(1) On receiving an IPP 6 request, an agency may extend the time limit set out in
section 43 or 44 in respect of the request if—
(a) the request is for a large quantity of information, or necessitates a search
through a large quantity of information, and meeting the original time
limit would unreasonably interfere with the operations of the agency; or
(b) consultations necessary to make a decision on the request are such that a
response to the request cannot reasonably be given within the original
time limit; or
(c) the processing of the request raises issues of such complexity that a
response to the request cannot reasonably be given within the original
time limit.
(2) Any extension under subsection (1) must be for a reasonable period of time
having regard to the circumstances.
(3) The extension is effected by giving notice of the extension to the requestor
within 20 working days after the day on which the request is received.
(4) The notice effecting the extension must—
2020 No 31 Privacy Act 2020 Part 4 s 48
41
(a) specify the period of the extension; and
(b) give the reasons for the extension; and
(c) state that the requestor has the right to make a complaint to the Commissioner about the extension; and
(d) contain any other information that may be necessary.
Compare: 1993 No 28 s 41
49 Protection, etc, of individual as reason for refusing access to personal
information
(1) An agency may refuse access to any personal information requested if—
(a) the disclosure of the information would—
(i) be likely to pose a serious threat to the life, health, or safety of any
individual, or to public health or public safety; or
(ii) create a significant likelihood of serious harassment of an individual; or
(iii) include disclosure of information about another person who—
(A) is the victim of an offence or alleged offence; and
(B) would be caused significant distress, loss of dignity, or
injury to feelings by the disclosure of the information; or
(b) after consultation is undertaken (where practicable) by or on behalf of
the agency with the health practitioner of the individual concerned, the
agency is satisfied that—
(i) the information relates to the individual concerned; and
(ii) the disclosure of the information (being information that relates to
the physical or mental health of the requestor) would be likely to
prejudice the health of the individual concerned; or
(c) the individual concerned is under the age of 16 and the disclosure of the
information would be contrary to the interests of the individual concerned; or
(d) the disclosure of the information (being information in respect of the
individual concerned who has been convicted of an offence or is or has
been detained in custody) would be likely to prejudice the safe custody
or the rehabilitation of the individual concerned.
(2) In this section,—
health practitioner means—
(a) a medical practitioner; or
(b) a person who is, or is deemed to be, registered with an authority appointed by or under the Health Practitioners Competence Assurance Act
Part 4 s 49 Privacy Act 2020 2020 No 31
42
2003 as a practitioner of a particular health profession and whose scope
of practice includes the assessment of a person’s mental capacity
medical practitioner means a person who—
(a) is, or is deemed to be, registered with the Medical Council of New Zealand as a practitioner of the profession of medicine; and
(b) holds a current practising certificate
victim has the meaning given to it in section 8 of the Prisoners’ and Victims’
Claims Act 2005.
Compare: 1993 No 28 ss 27(1)(d), 29(1)(c), (d), (e), (4)
50 Evaluative material as reason for refusing access to personal information
(1) An agency may refuse access to any personal information requested if—
(a) the information is evaluative material and the disclosure of that information or of the information identifying the person who supplied it would
breach an express or implied promise—
(i) that was made to the person who supplied the information; and
(ii) that was to the effect that the information or the identity of the
person who supplied it, or both, would be held in confidence; or
(b) the information is evaluative material that was made available by the
agency to another agency, and that other agency may refuse to disclose
the information under paragraph (a).
(2) In this section, evaluative material—
(a) means evaluative or opinion material compiled solely—
(i) for the purpose of determining the suitability, eligibility, or qualifications of the individual to whom the material relates—
(A) for employment or for appointment to office; or
(B) for promotion in employment or office or for continuance
in employment or office; or
(C) for removal from employment or office; or
(D) for the awarding of contracts, awards, scholarships, honours, or other benefits; or
(ii) for the purpose of determining whether any contract, award,
scholarship, honour, or benefit should be continued, modified, or
cancelled; or
(iii) for the purpose of deciding whether to insure any individual or
property or to continue or renew the insurance of any individual
or property; but
2020 No 31 Privacy Act 2020 Part 4 s 50
43
(b) does not include any evaluative or opinion material described in paragraph (a) that is compiled by a person employed or engaged by an
agency in the ordinary course of that person’s employment or duties.
Compare: 1993 No 28 s 29(1)(b), (3)
51 Security, defence, international relations as reason for refusing access to
personal information
An agency may refuse access to any personal information requested if the disclosure of the information would be likely—
(a) to prejudice the security or defence of New Zealand or the international
relations of the Government of New Zealand; or
(b) to prejudice the entrusting of information to the Government of New
Zealand on a basis of confidence by—
(i) the Government of any other country or any agency of the Government of any other country; or
(ii) any international organisation; or
(c) to prejudice the security or defence of—
(i) the Cook Islands; or
(ii) Niue; or
(iii) Tokelau; or
(iv) the Ross Dependency; or
(d) to prejudice relations between any of the Governments of—
(i) New Zealand:
(ii) the Cook Islands:
(iii) Niue; or
(e) to prejudice the international relations of the Government of—
(i) the Cook Islands; or
(ii) Niue.
Compare: 1993 No 28 s 27
52 Trade secret as reason for refusing access to personal information
(1) An agency may refuse access to any personal information requested if the
information needs protecting because making the information available
would—
(a) disclose a trade secret; or
(b) be likely to unreasonably prejudice the commercial position of the person who supplied the information or who is the subject of the information.
Part 4 s 51 Privacy Act 2020 2020 No 31
44
(2) Subsection (1) does not apply if, in the circumstances of the particular case, the
withholding of that information is outweighed by other considerations that
make it desirable, in the public interest, to make the information available.
Compare: 1993 No 28 s 28
53 Other reasons for refusing access to personal information
An agency may refuse access to any personal information requested if—
(a) the information requested does not exist or, despite reasonable efforts to
locate it, cannot be found; or
(b) the disclosure of the information would involve the unwarranted disclosure of the affairs of—
(i) another individual; or
(ii) a deceased person; or
(c) the disclosure of the information would be likely to prejudice the maintenance of the law by any public sector agency, including—
(i) the prevention, investigation, and detection of offences; and
(ii) the right to a fair trial; or
(d) the disclosure of the information would breach legal professional privilege; or
(e) the disclosure of the information, being information contained in material placed in any library or museum or archive, would breach a condition
subject to which that material was placed; or
(f) the disclosure of the information would constitute contempt of court or
of the House of Representatives; or
(g) the request is made by a defendant or a defendant’s agent and is—
(i) for information that could be sought by the defendant under the
Criminal Disclosure Act 2008; or
(ii) for information that could be sought by the defendant under that
Act and that has been disclosed to, or withheld from, the defendant under that Act; or
(h) the request is frivolous or vexatious, or the information requested is trivial.
Compare: 1993 No 28 ss 27(1)(c), 29(1)(a), (f), (h)–(j), (2)
54 Agency may impose conditions instead of refusing access to personal
information
(1) This section applies if an agency has good reason under any of sections 49 to
53 to refuse access to any personal information requested.
2020 No 31 Privacy Act 2020 Part 4 s 54
45
(2) Instead of refusing access to the personal information requested, the agency
may grant access to the information, but may impose conditions relating to
either or both of the following:
(a) the requestor’s use of the information:
(b) the requestor’s disclosure of the information to any other person.
55 Withholding personal information contained in document
(1) If the personal information requested is contained in a document and there is
good reason under any of sections 49 to 53 for withholding some of that information, the agency may decide to grant the requestor access to a copy of that
document under section 44(2)(c)(i) with any deletions or alterations in respect
of the information that could be withheld that it considers necessary.
(2) If information is withheld under subsection (1), the agency must inform the
requestor of—
(a) the reason for the decision to withhold the information; and
(b) the requestor’s right to make a complaint to the Commissioner in respect
of that decision.
(3) The agency must also disclose to the requestor the grounds in support of the
reason for the decision to withhold the information if—
(a) the reason is that set out in section 50(1); or
(b) the reason is not that set out in section 50(1), but the requestor has
requested disclosure of the grounds.
(4) However,—
(a) subsection (3)(a) does not apply if disclosing the grounds would prejudice the interests protected by section 50(1):
(b) subsection (3)(b) does not apply if disclosing the grounds would prejudice the interests protected by any of sections 49, 51, and 53:
(c) subsection (3)(b) does not apply if disclosing the grounds would prejudice the interests protected by section 52 and the withholding of those
grounds is not outweighed by other considerations that make it desirable,
in the public interest, to disclose them.
Compare: 1993 No 28 s 43
56 Ways personal information in document may be made available
(1) If the personal information requested by an individual is in a document, that
information may be made available in 1 or more of the following ways:
(a) by giving the requestor a reasonable opportunity to inspect the document; or
(b) by providing the requestor with a hard copy or an electronic copy of the
document; or
Part 4 s 55 Privacy Act 2020 2020 No 31
46
(c) in the case of a document that is an article or a thing from which sounds
or visual images are capable of being reproduced, by making arrangements for the requestor to hear or view the sounds or visual images; or
(d) in the case of a document by which words are recorded in a manner in
which they are capable of being reproduced in the form of sound or in
which words are contained in the form of shorthand writing or in codified form, by providing the requestor with a written transcript of the
words recorded or contained in the document; or
(e) by giving, in any manner, an excerpt or a summary of the document’s
contents; or
(f) by giving oral information about the document’s contents.
(2) Subject to section 55, the agency must make the information available in the
way preferred by the requestor unless to do so would—
(a) impair the efficient administration of the agency; or
(b) be contrary to any legal duty of the agency in respect of the document;
or
(c) prejudice an interest protected by any of sections 49 to 53.
(3) If the information is not provided in the way preferred by the requestor, the
agency must give to the requestor—
(a) the reason for not providing the information in that way; and
(b) if the requestor so requests, the grounds in support of that reason.
(4) However, subsection (3)(b) does not apply if disclosing the grounds would
prejudice an interest protected by any of sections 49 to 53.
Compare: 1993 No 28 s 42
57 Responsibilities of agency before giving access to personal information
If an agency receives a request to access personal information, the agency—
(a) may give access to the information only if the agency is satisfied of the
identity of the requestor; and
(b) must not give access to the information if the agency has reasonable
grounds to believe that the request is made under the threat of physical
or mental harm; and
(c) must ensure, by the adoption of appropriate procedures, that any information intended for a requestor is received—
(i) only by that requestor; or
(ii) if the request is made by a requestor as the representative of an
individual, only by the requestor or the individual; and
(d) must ensure that, if the request is made by a requestor as agent for an
individual, the requestor has the written authority of the individual to
2020 No 31 Privacy Act 2020 Part 4 s 57
47
obtain the information, or is otherwise properly authorised by the individual to obtain the information.
Compare: 1993 No 28 s 45
Subpart 2—Correction of personal information
58 Interpretation
(1) In this subpart and subpart 3, correction request means—
(a) a request made under IPP 7(1) to correct personal information; or
(b) a request made under IPP 7(3)(b) to attach a statement of correction to
personal information.
(2) In this subpart, requestor, in relation to a correction request, means the person
who made the request.
59 Individuals may make correction requests
A correction request may be made only by the individual concerned or the individual’s representative.
Compare: 1993 No 28 s 34
60 Urgency
(1) A requestor may ask that a correction request be treated as urgent (an urgent
correction request).
(2) A requestor making an urgent correction request must state the reason why the
request should be treated as urgent.
(3) On receiving an urgent correction request, an agency must consider the request
and the reason stated for its urgency when determining the priority to be given
to responding to it.
Compare: 1993 No 28 s 37
61 Assistance
An agency must give reasonable assistance to a person who—
(a) wishes to make a correction request; or
(b) is making a correction request.
Compare: 1993 No 28 s 38
62 Transfer of correction request
(1) This section applies if an agency that receives a correction request—
(a) does not hold the information to which the request relates, but believes
that the information is held by another agency; or
(b) believes that the information to which the request relates is more closely
connected with the functions or activities of another agency.
Part 4 s 58 Privacy Act 2020 2020 No 31
48
(2) The agency must promptly, and in any case not later than 10 working days after
the day on which the correction request is received, transfer the request to the
other agency and inform the requestor accordingly.
(3) However, subsection (2) does not apply if the agency has good cause to believe
that the requestor does not want the request transferred to another agency.
(4) If, in reliance on subsection (3), the agency does not transfer the request, the
agency must promptly, and in any case not later than 10 working days after the
day on which the correction request was received, inform the requestor—
(a) that this section applies in respect of the request; and
(b) that, in reliance on subsection (3), the request has not been transferred;
and
(c) which agency the request could be transferred to.
Compare: 1993 No 28 s 39
63 Decision on request to correct personal information
(1) As soon as is reasonably practicable after receiving a request under IPP 7(1),
and in any case not later than 20 working days after receiving the request, an
agency must—
(a) decide whether to grant the request; and
(b) notify the requestor that—
(i) the agency has corrected, or will correct, the personal information;
or
(ii) the agency will not correct the personal information.
(2) A notice under subsection (1)(b)(i) must inform the requestor of the action the
agency has taken, or will take, to correct the information.
(3) A notice under subsection (1)(b)(ii) must inform the requestor of—
(a) the reason for the agency’s refusal to correct the information; and
(b) the requestor’s entitlement to provide a statement of the correction
sought and to request that it be attached to the information (if the requestor has not done so already); and
(c) the requestor’s right to make a complaint to the Commissioner in respect
of the agency’s refusal to correct the information.
Compare: 1993 No 28 ss 6 (IPP 7(2)), 40(1)
64 Decision on request to attach statement of correction
(1) As soon as is reasonably practicable after receiving a request under IPP
7(3)(b), an agency must—
(a) decide whether to grant the request; and
(b) notify the requestor that—
2020 No 31 Privacy Act 2020 Part 4 s 64
49
(i) the agency has attached the statement of correction to the information; or
(ii) the agency has not attached the statement of correction to the
information.
(2) A notice under subsection (1)(b)(i) must inform the requestor of the action the
agency has taken to attach the statement of correction to the information.
(3) A notice under subsection (1)(b)(ii) must inform the requestor of the requestor’s right to make a complaint to the Commissioner in respect of the agency’s
refusal to attach a statement of correction to the information.
Compare: 1993 No 28 ss 6 (IPP 7(3)), 40
65 Extension of time limits
(1) On receiving a correction request, an agency may extend the time limit set out
in section 62 or 63 in respect of the request if—
(a) the request necessitates a search through a large quantity of information,
and meeting the original time limit would unreasonably interfere with
the operations of the agency; or
(b) consultations necessary to make a decision on the request are such that a
response to the request cannot reasonably be given within the original
time limit; or
(c) the processing of the request raises issues of such complexity that a
response to the request cannot reasonably be given within the original
time limit.
(2) Any extension under subsection (1) must be for a reasonable period of time,
having regard to the circumstances.
(3) The extension is effected by giving notice of the extension to the requestor
within 20 working days after the day on which the request is received.
(4) The notice effecting the extension must—
(a) specify the period of the extension; and
(b) give the reasons for the extension; and
(c) state that the requestor has the right to make a complaint to the Commissioner about the extension; and
(d) contain any other information that may be necessary.
Compare: 1993 No 28 s 41
Subpart 3—Charges
66 Charges
(1) In relation to an IPP 6 request,—
Part 4 s 65 Privacy Act 2020 2020 No 31
50
(a) a public sector agency may, if authorised under section 67, impose a
charge for making information available in compliance, in whole or in
part, with the request:
(b) a private sector agency may, subject to the provisions of any applicable
code of practice, impose a charge for—
(i) providing assistance under section 42, but only if the agency
makes information available in compliance, in whole or in part,
with the request:
(ii) making information available in compliance, in whole or in part,
with the request.
(2) In relation to a correction request,—
(a) a public sector agency may, if authorised under section 67, impose a
charge for attaching a statement of correction to personal information:
(b) a private sector agency may, subject to the provisions of any applicable
code of practice, impose a charge for—
(i) providing assistance under section 61:
(ii) attaching a statement of correction to personal information.
(3) Except as provided in subsections (1) and (2), no public sector agency or private sector agency may impose any charge in relation to an IPP 6 request or a
correction request.
(4) A charge imposed under subsection (1) or (2) must be reasonable and, in the
case of a charge imposed under subsection (1)(a) or (b)(ii), regard may be had
to—
(a) the cost of the labour and materials involved in making the information
available; and
(b) any costs involved in making the information available urgently (in the
case of an urgent IPP 6 request received under section 41).
(5) An agency may require all or part of a charge to be paid in advance.
Compare: 1993 No 28 ss 35, 40(2)
67 Commissioner may authorise public sector agency to impose charge
(1) The Commissioner may authorise a public sector agency to impose a charge
under section 66(1)(a) or (2)(a) if the Commissioner is satisfied that the public
sector agency will be commercially disadvantaged in comparison with any
competitor in the private sector if it were not able to impose a charge.
(2) The Commissioner may impose any conditions on an authorisation that the
Commissioner considers appropriate.
(3) The Commissioner may, at any time, revoke an authorisation, but only after
giving the agency an opportunity to be heard.
Compare: 1993 No 28 s 36
2020 No 31 Privacy Act 2020 Part 4 s 67
51
Part 5
Complaints, investigations, and proceedings
68 Interpretation
In this Part, unless the context otherwise requires,—
access direction means an access direction made by the Commissioner under
section 92
action has the meaning given to it in section 7(1), and includes a decision
aggrieved individual means an individual whose privacy is the subject of—
(a) a complaint under subpart 1; or
(b) an investigation under subpart 2; or
(c) a proceeding under subpart 3
approved information sharing agreement has the meaning given to it in section 138
complainant, in relation to a complaint, means the person who made the complaint
information matching agreement means an agreement entered into under section 178
parties,—
(a) in relation to an investigation conducted by the Commissioner on receiving a complaint under section 72(1), means—
(i) the complainant whose complaint is the subject of the investigation; and
(ii) the aggrieved individual, if the complaint is made on behalf of
that aggrieved individual (and no other aggrieved individual); and
(iii) the respondent:
(b) in relation to an investigation conducted by the Commissioner on the
Commissioner’s own initiative, means—
(i) the aggrieved individual or aggrieved individuals (if known); and
(ii) the respondent
respondent means an agency whose action is the subject of an investigation
under subpart 2.
69 Interference with privacy of individual
(1) In this Act, an action of an agency is an interference with the privacy of an
individual in any of the circumstances set out in subsection (2) or (3).
(2) An action of an agency is an interference with the privacy of an individual if
the action breaches,—
Part 5 s 68 Privacy Act 2020 2020 No 31
52
(a) in relation to the individual,—
(i) 1 or more of the IPPs; or
(ii) the provisions of an approved information sharing agreement; or
(iii) the provisions of an information matching agreement or section
179 or 181; or
(iv) section 115 (which requires an agency to give notice to affected
individuals or the public of a notifiable privacy breach); and
(b) the action—
(i) has caused, or may cause, loss, detriment, damage, or injury to the
individual; or
(ii) has adversely affected, or may adversely affect, the rights, benefits, privileges, obligations, or interests of the individual; or
(iii) has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.
(3) An action of an agency is an interference with the privacy of an individual if, in
relation to a request made by a person under IPP 6 or 7, the agency has, without proper basis, made—
(a) a decision to refuse a request under IPP 6; or
(b) a decision to refuse a request under IPP 7; or
(c) any other decision under Part 4 in relation to the request.
(4) For the purpose of subsection (3)(a), the following must be treated as a decision by an agency to refuse a request under IPP 6:
(a) a failure to comply with the time limits in Part 4 for responding to the
request:
(b) undue delay in making information available after granting the request.
(5) For the purpose of subsection (3)(b), the following must be treated as a decision by an agency to refuse a request under IPP 7:
(a) a failure to comply with the time limits in Part 4 for responding to the
request:
(b) undue delay in correcting information after granting the request:
(c) undue delay in attaching a statement of correction after granting the
request.
Compare: 1993 No 28 s 66
2020 No 31 Privacy Act 2020 Part 5 s 69
53
Subpart 1—Complaints
70 Complaints
(1) A complaint may be made under this Part alleging that an action of an agency
is, or appears to be, an interference with the privacy of an individual.
(2) A complaint may be made together with 1 or more other complaints.
71 Who may make complaint
(1) Any person may make a complaint.
(2) A complaint may be made on behalf of 1 or more aggrieved individuals.
Compare: 1993 No 28 s 67(1)
72 Form of complaint
(1) A complaint must be made to the Commissioner and may be made orally or in
writing.
(2) A complaint made orally must be put in writing as soon as practicable.
(3) If a person wishing to make a complaint to the Commissioner requires assistance to put the complaint in writing, the Commissioner must give that person
any assistance that is reasonably necessary in the circumstances.
Compare: 1993 No 28 ss 67(2), 68
73 Procedure on receipt of complaint
(1) As soon as practicable after receiving a complaint, the Commissioner must
consider the complaint and—
(a) decide, in accordance with section 74, not to investigate the complaint;
or
(b) decide, in accordance with section 75, to refer the complaint to another
person; or
(c) decide, in accordance with section 76, to refer the complaint, or part of
the complaint, to an overseas privacy enforcement authority; or
(d) decide, in accordance with section 77, to explore the possibility of securing a settlement between the complainant and the agency whose action is
the subject of the complaint; or
(e) decide to investigate the complaint in accordance with subpart 2.
(2) As soon as practicable after making a decision under subsection (1), the Commissioner must—
(a) advise the complainant of that decision; and
(b) advise the complainant of the reasons for the decision, if the decision is
made under subsection (1)(a).
Compare: 1993 No 28 ss 70, 71(3), 72(3), 72A(3), 72B(3), 72C(3)
Part 5 s 70 Privacy Act 2020 2020 No 31
54
74 Commissioner may decide not to investigate complaint
(1) The Commissioner may decide not to investigate a complaint if, in the Commissioner’s opinion,—
(a) the complainant has not made reasonable efforts to resolve the complaint
directly with the agency concerned; or
(b) there is an alternative dispute resolution process available to resolve the
complaint because of the agency’s membership of a particular profession
or industry; or
(c) there is an adequate remedy or right of appeal, other than the right to
petition the House of Representatives or to make a complaint to an
Ombudsman, that it would be reasonable for the complainant to pursue;
or
(d) the complaint relates to a matter in respect of which a code of practice
has been issued that includes a complaints procedure, and the complainant has not taken reasonable steps to pursue, or fully pursue, the redress
available under that procedure; or
(e) the aggrieved individual or aggrieved individuals knew about the action
that is the subject of the complaint for 12 months or more before the
complaint was made; or
(f) the time that has elapsed between the date on which the subject of the
complaint arose and the date on which the complaint was made is such
that an investigation of the complaint is no longer practicable or desirable; or
(g) the aggrieved individual or aggrieved individuals do not want the complaint pursued; or
(h) the complainant does not have a sufficient personal interest in the subject
of the complaint; or
(i) the subject of the complaint is trivial; or
(j) the complaint is frivolous, vexatious, or not made in good faith.
(2) Despite anything in subsection (1), the Commissioner may, in the Commissioner’s discretion, decide not to investigate a complaint if it appears to the Commissioner that, having regard to all the circumstances of the case, an investigation is unnecessary.
Compare: 1975 No 9 s 17(1)(f)(i); 1993 No 28 s 71(1)
75 Referral of complaint to another person
(1) This section applies if, after receiving a complaint, the Commissioner considers
that the complaint relates, in whole or in part, to a matter that is more properly
within the jurisdiction of any of the following persons:
(a) an Ombudsman:
2020 No 31 Privacy Act 2020 Part 5 s 75
55
(b) the Health and Disability Commissioner:
(c) the Inspector-General of Intelligence and Security:
(d) the Independent Police Conduct Authority.
(2) The Commissioner must—
(a) consult the person specified in subsection (1) who the Commissioner
considers has jurisdiction to deal with the complaint; and
(b) decide the appropriate means of dealing with the complaint.
(3) If the Commissioner decides that the complaint should be dealt with, in whole
or in part, by a person specified in subsection (1), the Commissioner must, as
soon as practicable, refer the complaint, or the appropriate part of the complaint, to that person.
Compare: 1993 No 28 ss 72, 72A, 72B
76 Referral of complaint to overseas privacy enforcement authority
(1) This section applies if, on receiving a complaint, the Commissioner considers
that the complaint relates, in whole or in part, to a matter that is more properly
within the jurisdiction of an overseas privacy enforcement authority.
(2) As soon as practicable, the Commissioner may—
(a) consult the overseas privacy enforcement authority and the complainant;
and
(b) decide the appropriate means of dealing with the complaint.
(3) If the Commissioner decides that the complaint should be dealt with, in whole
or in part, by the overseas privacy enforcement authority and both the authority
and the complainant agree, the Commissioner may refer the complaint, or the
appropriate part of the complaint, to the authority.
Compare: 1993 No 28 s 72C
77 Exploring possibility of settlement and assurance without investigating
complaint
(1) At any time after receiving a complaint and without commencing an investigation, the Commissioner may decide to use best endeavours to—
(a) secure a settlement of the complaint; and
(b) if appropriate, secure a satisfactory assurance from the agency whose
action is the subject of the complaint that there will not be a repetition of
the action that gave rise to the complaint, or of any similar kind of
action.
(2) If the Commissioner is unable to secure a settlement or a satisfactory assurance, the Commissioner may—
(a) decide not to investigate the complaint if the Commissioner—
(i) is satisfied of any of the matters set out in section 74; or
Part 5 s 76 Privacy Act 2020 2020 No 31
56
(ii) considers that any further action is unnecessary or inappropriate;
or
(b) decide to investigate the complaint under subpart 2.
(3) As soon as practicable after making a decision under subsection (2), the Commissioner must notify the complainant of the decision.
Compare: 1993 No 28 s 74
78 Referral of complaint to Director without conducting investigation
The Commissioner may refer a complaint to the Director without conducting
an investigation if—
(a) the Commissioner is unable to secure a settlement or a satisfactory assurance under section 77; or
(b) it appears that a term of settlement previously secured between the
agency and the aggrieved individual or aggrieved individuals has not
been complied with; or
(c) it appears that the action that is the subject of the complaint was done in
contravention of any term of settlement or an assurance previously
secured under this Act or the Privacy Act 1993.
Compare: 1993 No 28 s 77(2)(a), (c)
Subpart 2—Investigations by Commissioner
79 Application of this subpart
This subpart applies to investigations conducted by the Commissioner—
(a) into complaints received under section 72(1); or
(b) on the Commissioner’s own initiative, into any matter in respect of
which a complaint may be made under this Act.
80 Commencing investigation
(1) As the first step of an investigation, the Commissioner must notify the respondent that the Commissioner is commencing an investigation.
(2) A notice given under subsection (1) must set out—
(a) the details of—
(i) the complaint; or
(ii) the subject of the investigation; and
(b) the right to provide, within a reasonable time, a written response to the
Commissioner.
Compare: 1993 No 28 s 73
81 Conducting investigation
(1) The Commissioner must conduct an investigation in a timely manner.
2020 No 31 Privacy Act 2020 Part 5 s 81
57
(2) During an investigation, the Commissioner may—
(a) hear and obtain information from any person; and
(b) make any inquiries.
(3) At any time during an investigation, the Commissioner may decide to take no
further action on a complaint or matter if the Commissioner—
(a) is satisfied of any of the matters set out in section 74; or
(b) considers that any further action is unnecessary or inappropriate.
(4) As soon as practicable after making a decision under subsection (3), the Commissioner must notify the parties of—
(a) that decision; and
(b) the reason for that decision.
(5) It is not necessary for the Commissioner to hold a hearing, and no person is
entitled as of right to be heard by the Commissioner.
(6) Any investigation held by the Commissioner must be conducted in private.
Compare: 1993 No 28 ss 71(2), 75, 90(1), (2)
82 Commissioner may regulate own procedure
When conducting an investigation, the Commissioner may adopt any procedure
the Commissioner considers appropriate that is not inconsistent with this Act or
any regulations made under section 215(1)(a).
Compare: 1993 No 28 s 90(3)
83 Exploring possibility of settlement and assurance during investigation
(1) At any time during an investigation of a complaint, the Commissioner may
decide to use best endeavours to—
(a) secure a settlement of the complaint; and
(b) if appropriate, secure a satisfactory assurance from the agency whose
action is the subject of the complaint that there will not be a repetition of
the action that gave rise to the complaint, or of any similar kind of
action.
(2) At any time during an investigation being conducted on the Commissioner’s
own initiative, the Commissioner may decide to use best endeavours to secure
a satisfactory assurance from the respondent that there will not be a repetition
of the action that gave rise to the investigation, or of a similar kind of action.
Compare: 1993 No 28 s 74
84 Referral of complaint to Director without completing investigation
The Commissioner may refer the complaint or the matter that is the subject of
the investigation to the Director without conducting any further investigation
if—
Part 5 s 82 Privacy Act 2020 2020 No 31
58
(a) the Commissioner is unable to secure a settlement or a satisfactory assurance under section 83; or
(b) it appears that a term of settlement previously secured between the
agency and the aggrieved individual or aggrieved individuals has not
been complied with; or
(c) it appears that the action that is the subject of the complaint or that gave
rise to the investigation was done in contravention of any term of settlement or an assurance previously secured under this Act or the Privacy
Act 1993.
Compare: 1993 No 28 s 77(2)
85 Compulsory conferences of parties to complaint
(1) At any time during an investigation of a complaint, the Commissioner may call
a conference of the parties—
(a) by sending each of them a notice requesting their attendance at a specified time and place; or
(b) by any other means agreed by the parties.
(2) The objectives of a conference are—
(a) to identify the matters in issue; and
(b) to try to obtain agreement between the parties on the resolution of those
matters in order to settle the complaint.
(3) If a person fails to comply with a request under subsection (1) to attend a conference, the Commissioner may issue a summons requiring the person to attend
a conference at a time and place specified in the summons.
(4) Section 159 of the Criminal Procedure Act 2011 applies to a summons under
this section as if it were a witness summons issued under that section.
Compare: 1993 No 28 s 76
86 Power to summon persons
(1) The Commissioner may summon and examine on oath any person who the
Commissioner considers is able to give information relevant to an investigation, and may for that purpose administer an oath to the person.
(2) Every examination by the Commissioner under subsection (1) is to be treated
as a judicial proceeding within the meaning of section 108 of the Crimes Act
1961 (which relates to perjury).
(3) A person who is summoned by the Commissioner under this section is entitled
to the same fees, allowances, and expenses as if the person were a witness in a
court, and—
(a) the provisions of any regulations prescribing the fees, allowances, and
expenses payable to persons giving evidence under the Criminal Procedure Act 2011 apply; and
2020 No 31 Privacy Act 2020 Part 5 s 86
59
(b) the Commissioner has the powers of a court under those regulations to
fix or disallow, in whole or in part, or to increase, any amounts payable
under the regulations.
Compare: 1993 No 28 s 91(1)–(3), (5)
87 Power to require information and documents
(1) At any time during an investigation, the Commissioner may, by notice, require
any person to provide—
(a) any information in the person’s possession, or under the person’s control,
that the Commissioner considers may be relevant to the investigation:
(b) any documents or things in the person’s possession, or under the person’s control, that the Commissioner considers may be relevant to the
investigation.
(2) A person who receives a notice under subsection (1) must comply with that
notice as soon as practicable, but in no case later than—
(a) the date specified in the notice; or
(b) if no date is specified in the notice, the 20th working day after the date
of receipt of the notice.
(3) However, a person may request an extension of the time limit for complying
with a notice received under subsection (1) if—
(a) the requirement in the notice relates to, or necessitates a search through,
a large quantity of information, documents, or things, and meeting the
original time limit would unreasonably interfere with the operations of
the agency; or
(b) the consultations necessary before the requirement in the notice can be
complied with are such that meeting the original time limit is unreasonable; or
(c) the complexity of the issues raised by the requirement in the notice is
such that meeting the original time limit is unreasonable.
(4) A request under subsection (3) must be made to the Commissioner before the
expiry of the date in subsection (2)(b) and specify—
(a) the period of the extension sought; and
(b) the reasons for the extension; and
(c) any other relevant information.
(5) The Commissioner must grant a request made under subsection (3) if satisfied
that any of the grounds specified in that subsection are established.
Compare: 1993 No 28 ss 91(4), 92(1), (2), 93
Part 5 s 87 Privacy Act 2020 2020 No 31
60
88 Disclosure of information may be required despite obligation of secrecy
(1) A person who is bound by the provisions of an enactment to maintain secrecy
in relation to, or not to disclose, any matter may be required to do the following
even though compliance with that requirement would be in breach of the obligation of secrecy or non-disclosure:
(a) give evidence to, or answer questions put by, the Commissioner:
(b) provide information, documents, or things to the Commissioner.
(2) Compliance with a requirement of this kind is not a breach of the relevant obligation of secrecy or non-disclosure or of the enactment by which that obligation is imposed.
(3) However, the Commissioner may not require information, documents, or things
to be provided if—
(a) the Prime Minister certifies that the giving of any information, document, or thing might prejudice—
(i) the security or defence of New Zealand, or the international relations of the Government of New Zealand; or
(ii) any interest protected by section 7 of the Official Information Act
1982 (which relates to the Cook Islands, Niue, Tokelau, and the
Ross Dependency); or
(b) the Attorney-General certifies that the giving of any information, document, or thing—
(i) might prejudice the prevention, investigation, or detection of
offences; or
(ii) might involve the disclosure of proceedings of Cabinet, or any
committee of Cabinet, relating to matters of a secret or confidential nature, and the disclosure would be injurious to the public
interest.
(4) This section is subject to section 89.
Compare: 1993 No 28 s 95
89 Protection and privileges of persons required to provide information, etc
(1) Every person has the same privileges as witnesses have in a court of law in
relation to—
(a) giving evidence to, or answering questions put by, the Commissioner:
(b) providing information, documents, or things to the Commissioner.
(2) However, if the Commissioner issues a notice under section 87 in relation to a
particular complaint under IPP 6 and the person who receives the notice claims
privilege over any information, document, or thing, that person must nevertheless provide the information, document, or thing that is the subject of the com2020 No 31 Privacy Act 2020 Part 5 s 89
61
plaint to the Commissioner for the purpose of the Commissioner determining
whether it is properly withheld from the aggrieved individual.
(3) When any information, document, or thing is provided under subsection (2),
the Commissioner must not—
(a) use the information, document, or thing other than for the purpose specified in subsection (2); or
(b) take into account the information or any information in the document or
thing in forming an opinion about the release of any other information;
or
(c) give an opinion as to whether the claim of privilege is valid to any person other than—
(i) the complainant (if any):
(ii) an aggrieved individual:
(iii) the respondent:
(iv) the Director:
(v) the Tribunal; or
(d) release the information, document, or thing, or any information derived
from the document or thing, to any person other than—
(i) any lawyer engaged by the Commissioner for the purpose of providing legal advice as to whether the information, document, or
thing would be properly withheld under subsection (1); or
(ii) the Director, if the Commissioner has given an opinion to the
Director under paragraph (c)(iv); or
(iii) the Tribunal, if the Commissioner is required to provide a report
or information under section 108(1).
(4) Subsection (3)(c) does not prevent the Commissioner from giving, either generally or to a particular person, an opinion in a form that does not identify—
(a) the person who provided the information, document, or thing; or
(b) a person who is the subject of the information, document, or thing.
(5) Subsection (3)(d) does not prevent the Commissioner from giving the information, document, or thing, or any information derived from the document or
thing, to a person if—
(a) the person who provided the information, document, or thing consents;
and
(b) the person who is the subject of the information, document, or thing consents.
(6) The privileges protected by this section do not include public interest immunity
(see section 209).
Part 5 s 89 Privacy Act 2020 2020 No 31
62
(7) A person who complies with any requirement of the Commissioner under section 87 or 88 is not liable to prosecution for an offence against any enactment
(other than section 212) in respect of that compliance.
Compare: 1993 No 28 s 94
90 Disclosed information privileged
(1) Any information, document, or thing provided by a person in the course of an
investigation by the Commissioner, or during any hearing before the Commissioner, is privileged in the same manner as if the investigation or hearing were
proceedings in a court.
(2) The following persons may not be required to give evidence in any court, or in
any proceedings of a judicial nature, in respect of anything coming to their
knowledge in performing or exercising their functions, duties, or powers under
this Act:
(a) the Commissioner, or any person who has held the appointment of Commissioner:
(b) a person who is employed or engaged, or who has been employed or
engaged, by the Commissioner:
(c) the Director.
(3) Subsection (2) does not apply in respect of proceedings for—
(a) an offence against section 78, 78AA(1), 78A(1), 105, 105A, or 105B of
the Crimes Act 1961; or
(b) the offence of conspiring to commit an offence against any of the provisions listed in paragraph (a); or
(c) the offence of attempting to commit an offence against any of the provisions listed in paragraph (a).
(4) For the purposes of clause 3 of Part 2 of Schedule 1 of the Defamation Act
1992, any report of the Commissioner under this Act is taken to be an official
report.
Compare: 1993 No 28 s 96
91 Procedure after completion of investigation relating to access to personal
information
(1) This section applies after the Commissioner has completed an investigation of
an action of an agency under subpart 1 of Part 4 that appears to be an interference with the privacy of an individual.
(2) The Commissioner may,—
(a) in the case of an investigation conducted on a complaint, make a determination that the complaint—
(i) has substance; or
(ii) does not have substance; or
2020 No 31 Privacy Act 2020 Part 5 s 91
63
(b) in the case of an investigation conducted on the Commissioner’s own
initiative, make a determination that the matter that is the subject of the
investigation—
(i) should be proceeded with; or
(ii) should not be proceeded with.
(3) If the Commissioner determines that a complaint has substance, the Commissioner must use best endeavours to secure a settlement of the complaint and an
assurance of the kind specified in section 83(1).
(4) If the Commissioner determines that the matter that is the subject of an investigation should be proceeded with, the Commissioner must use best endeavours
to secure an assurance of the kind specified in section 83(2).
(5) If the complaint or matter has not been resolved despite the Commissioner
using best endeavours under subsection (3) or (4), the Commissioner may do 1
or more of the following:
(a) make any access direction under section 92 that the Commissioner considers appropriate:
(b) refer the complaint or matter, as the case may be, to the Director:
(c) take any other action that the Commissioner considers appropriate.
(6) Without limiting subsection (5)(b), the Commissioner may refer the complaint
or matter, as the case may be, to the Director if the action that is the subject of
the complaint or investigation was done in contravention of any term of settlement or assurance previously secured under this Act or the Privacy Act 1993.
(7) As soon as practicable, the Commissioner must give notice to the parties of—
(a) any determination made, or not made, under subsection (2) and the reasons for making or not making that determination; and
(b) any access direction that is made referred to in subsection (5)(a); and
(c) any referral made under subsection (5)(b) or (6); and
(d) any other action taken under subsection (5)(c).
92 Access direction
(1) The Commissioner may direct an agency to provide an individual access to the
individual’s personal information in any manner that the Commissioner considers appropriate.
(2) Without limiting subsection (1), the Commissioner may direct an agency to do
any of the following before a specified date:
(a) confirm whether the agency holds any specified personal information:
(b) permit the individual access to any specified personal information:
(c) make any specified information available to the individual in a particular
way.
Part 5 s 92 Privacy Act 2020 2020 No 31
64
(3) The Commissioner may, at any time, on the request of the individual or on the
Commissioner’s own initiative,—
(a) amend an access direction; or
(b) cancel an access direction.
93 Procedure after completion of investigation relating to charging
(1) This section applies after the Commissioner has completed an investigation of
an action of an agency under subpart 3 of Part 4 that appears to be an interference with the privacy of an individual because, in relation to a request made by
the individual under subpart 1 or 2 of Part 4, the agency has imposed a charge
that is—
(a) contrary to section 66; or
(b) unreasonable.
(2) If it has not been possible to secure a settlement, the Commissioner may make
a determination that the charge imposed by the agency is—
(a) properly imposed:
(b) improperly imposed:
(c) reasonable:
(d) unreasonable.
(3) If the Commissioner makes a determination under subsection (2)(d), the Commissioner may also determine the appropriate charge for the agency to impose.
(4) As soon as practicable, the Commissioner must notify the parties to any determination made, or not made, under subsection (2) or (3).
(5) A determination made by the Commissioner under subsection (2) is final and
binding and no proceedings may be commenced in the Tribunal by the parties
in respect of that determination.
(6) If the Commissioner makes a determination under subsection (3) and the
agency does not agree to reduce the charge it has imposed to the amount determined by the Commissioner to be appropriate (or less),—
(a) the imposition of the charge is treated as an interference with the privacy
of an individual for the purposes of section 69(3); and
(b) the Commissioner may take 1 or more of the actions specified in section
91(5).
Compare: 1993 No 28 ss 75, 78
94 Procedure after completion of other investigations
(1) After the Commissioner has completed an investigation under this subpart,
other than an investigation to which section 91 or 93 applies, the Commissioner may,—
2020 No 31 Privacy Act 2020 Part 5 s 94
65
(a) in the case of an investigation conducted in respect of a complaint, make
a determination that the complaint—
(i) has substance; or
(ii) does not have substance; or
(b) in the case of an investigation conducted on the Commissioner’s own
initiative, make a determination that the subject of the investigation—
(i) should be proceeded with; or
(ii) should not be proceeded with.
(2) If the Commissioner determines that a complaint has substance, the Commissioner must use best endeavours to secure a settlement of the complaint and an
assurance of the kind specified in section 83(1).
(3) If the Commissioner determines that a matter that is the subject of an investigation should be proceeded with, the Commissioner must use best endeavours to
secure an assurance of the kind specified in section 83(2).
(4) If the complaint or matter has not been resolved despite the Commissioner
using best endeavours, the Commissioner may do either or both of the following:
(a) refer the complaint or the matter, as the case may be, to the Director:
(b) take any other action the Commissioner considers appropriate.
(5) Without limiting subsection (4)(a), the Commissioner may refer the complaint
or matter, as the case may be, to the Director if the action that is the subject of
the complaint or investigation was done in contravention of any term of settlement or assurance previously secured under this Act or the Privacy Act 1993.
(6) As soon as practicable, the Commissioner must notify the parties to the investigation of—
(a) any determination made, or not made, under subsection (1); and
(b) any referral made under subsection (4)(a); and
(c) any other action taken under subsection (4)(b).
Compare: 1993 No 28 ss 75, 77(1), (2)
95 Special procedure relating to intelligence and security agency
(1) Nothing in section 85, 91, 93, 94, or subpart 3 applies to—
(a) any complaint made under this Part in relation to an action of an intelligence and security agency; or
(b) any investigation conducted under this Part in relation to an action of an
intelligence and security agency.
(2) If, after completing an investigation, the Commissioner is of the opinion that an
action of an intelligence and security agency is an interference with the privacy
Part 5 s 95 Privacy Act 2020 2020 No 31
66
of an individual, the Commissioner must provide to the intelligence and security agency a report setting out—
(a) that opinion; and
(b) the reasons for that opinion.
(3) A report provided under subsection (2) may include any recommendations that
the Commissioner considers appropriate.
(4) When making a report under subsection (2), the Commissioner may request the
intelligence and security agency to notify the Commissioner within a specified
time of any steps the agency proposes to take in response to the report and to
any recommendations included in the report.
(5) If, within a reasonable time after any report is made, the intelligence and security agency has taken no steps in response to the report that the Commissioner
considers to be adequate and appropriate, the Commissioner may send a copy
of the report to the Prime Minister.
(6) As soon as practicable after receiving a report under subsection (5), the Prime
Minister may present the report, or any part of the report, to the House of Representatives.
Compare: 1993 No 28 s 81
96 Commissioner to report breach of duty or misconduct
If, during or after an investigation, the Commissioner is of the opinion that
there is evidence of any significant breach of duty or misconduct on the part of
an agency, or an officer, an employee, or a member of an agency, the Commissioner must refer the matter to the appropriate authority.
Compare: 1993 No 28 s 80
Subpart 3—Proceedings before Human Rights Review Tribunal
Proceedings in relation to complaints or investigations
97 Director may commence proceedings in Tribunal
(1) This section applies if a complaint or matter is referred by the Commissioner to
the Director under section 78, 84, 91(5)(b) or (6), or 94(4)(a) or (5).
(2) The Director must—
(a) decide whether to commence proceedings in the Tribunal in respect of
the complaint or matter; and
(b) give written notice to the following persons of that decision:
(i) the complainant; and
(ii) the agency whose action was the subject of the complaint or
matter.
2020 No 31 Privacy Act 2020 Part 5 s 97
67
(3) Before commencing any proceedings in the Tribunal, the Director must give
the agency an opportunity to be heard.
(4) The parties to proceedings commenced under this section are—
(a) the Director, as the plaintiff; and
(b) the agency, as the defendant.
(5) An aggrieved individual may join, or be joined in, the proceedings only if the
Tribunal so orders.
(6) The Director may bring proceedings on behalf of a class of aggrieved individuals, and may seek on behalf of the individuals who belong to the class any of
the remedies described in section 102, if the Director considers that a respondent is acting or has acted in a way that affects or has affected that class and that
is an interference with the privacy of an individual.
Compare: 1993 No 28 s 82
98 Aggrieved individuals may commence proceedings in Tribunal
(1) An aggrieved individual, a representative on behalf of an aggrieved individual,
or a representative lawfully acting on behalf of a class of aggrieved individuals
may commence proceedings in the Tribunal in respect of a complaint received
by the Commissioner, or a matter investigated under subpart 2, in any case
where—
(a) the Commissioner decides, under section 77(2)(a), not to investigate the
complaint; or
(b) the Commissioner, having commenced an investigation, decides not to
further investigate the complaint or matter; or
(c) the Commissioner does not make a determination under section 91(2),
93(2), or 94(1) in respect of the complaint or matter; or
(d) the Commissioner determines that the complaint does not have substance, or that the matter should not be proceeded with; or
(e) the Commissioner determines that the complaint has substance, or the
matter should be proceeded with, but does not refer the complaint or
matter to the Director; or
(f) the Commissioner makes an access direction under section 92, but an
aggrieved individual is not satisfied with the terms of the access direction; or
(g) the Commissioner makes an access direction under section 92, but the
aggrieved individual or aggrieved individuals seek 1 or more remedies
under section 102 (whether or not the individual or individuals are satisfied with the terms of the access direction); or
(h) the Director decides not to commence proceedings in respect of the complaint or matter referred to the Director by the Commissioner; or
Part 5 s 98 Privacy Act 2020 2020 No 31
68
(i) the Director notifies the aggrieved individual or individuals that the
Director agrees to the aggrieved individual or individuals commencing
proceedings in respect of the complaint or matter referred to the Director
by the Commissioner.
(2) A person commencing proceedings under subsection (1)(a) must do so within 6
months after the Commissioner has given notice to the complainant under section 77(3).
(3) A person commencing proceedings under subsection (1)(b) must do so within 6
months after the Commissioner has given notice to the parties under section
81(4).
(4) A person commencing proceedings under subsection (1)(c), (d), (e), or (f) must
do so within 6 months after the Commissioner has given notice to the parties
under section 91(7), 93(4), or 94(6).
(5) A person commencing proceedings under subsection (1)(g) must do so within 6
months after the expiry of the period specified in section 106 for lodging an
appeal against the access direction.
(6) A person commencing proceedings under subsection (1)(h) must do so within 6
months after the Director has given notice of the Director’s decision under section 97(2)(b).
(7) A person commencing proceedings under subsection (1)(i) must do so within 6
months after the Director has given notice to the aggrieved individual or individuals under subsection (1)(i).
(8) The Chairperson may agree to extend any period specified in subsections (2) to
(7) for commencing proceedings if, on an application made for the purpose by
the person proposing to commence proceedings, the Chairperson is satisfied
that exceptional circumstances prevented proceedings from being commenced
within the specified period.
Compare: 1993 No 28 s 83
99 Right of Director to appear in proceedings commenced under section 98
(1) The Director may appear and be heard in person or by a lawyer—
(a) in any proceedings commenced in the Tribunal under section 98; and
(b) in proceedings commenced in any court relating to the proceedings commenced in the Tribunal under this Part.
(2) If the Director appears in any proceedings,—
(a) the Director has the same rights as the parties to the proceedings to—
(i) call evidence on any matter; and
(ii) examine, cross-examine, and re-examine witnesses; and
(b) the Tribunal or court may order—
2020 No 31 Privacy Act 2020 Part 5 s 99
69
(i) any party to pay the costs incurred by the Director by reason of
the Director’s appearance; or
(ii) the Director to pay the costs incurred by any or all of the parties
by reason of the Director’s appearance.
(3) If the Director declines to appear and be heard in any proceedings,—
(a) the Commissioner may instead appear and be heard in the proceedings;
and
(b) subsection (2) applies to the Commissioner in the same way as it applies
to the Director.
(4) Nothing in this section limits or affects—
(a) section 110(1); or
(b) any power of a court to award costs in any proceedings to which the
Director is a party.
Compare: 1993 No 28 s 86(1)–(3), (5), (6)
100 Apology not admissible except for assessment of remedies
(1) If an apology is given by an agency in connection with an action alleged to be
an interference with the privacy of an individual, it is not admissible as evidence in any civil proceedings against the agency under this Part except as provided in subsection (2).
(2) An agency may bring evidence of the apology for the purpose of the Tribunal’s
assessing of remedies to be awarded against the agency.
101 Onus of proof
If any provision of this Act, or any code of practice, excepts or exempts any
action from being an interference with the privacy of an individual, the defendant has the onus of proving that exception or exemption in any proceedings
under this Part.
Compare: 1993 No 28 s 87
102 Remedies in respect of interference with privacy
(1) This section applies if proceedings are commenced in the Tribunal in respect of
an action that is alleged to be an interference with the privacy of an individual.
(2) If, in the proceedings, the Tribunal is satisfied on the balance of probabilities
that any action of the defendant is an interference with the privacy of 1 or more
individuals, the Tribunal may grant 1 or more of the following remedies:
(a) a declaration that the action of the defendant is an interference with the
privacy of 1 or more individuals:
(b) an order restraining the defendant from continuing or repeating the interference, or from engaging in, or causing or permitting others to engage
Part 5 s 100 Privacy Act 2020 2020 No 31
70
in, conduct of the same kind as that constituting the interference, or conduct of any similar kind specified in the order:
(c) damages in accordance with section 103:
(d) an order that the defendant perform any acts specified in the order with a
view to remedying the interference, or redressing any loss or damage
suffered by the aggrieved individual or aggrieved individuals as a result
of the interference, or both:
(e) any other relief that the Tribunal considers appropriate.
(3) It is not a defence to proceedings that the interference was unintentional or
without negligence on the part of the defendant, but the Tribunal must take the
conduct of the defendant into account in deciding what, if any, remedy to grant.
Compare: 1993 No 28 s 85(1), (4)
103 Damages
(1) In any proceedings, the Tribunal may award damages against the defendant for
an interference with the privacy of an individual in respect of 1 or more of the
following:
(a) pecuniary loss suffered as a result of the transaction or activity out of
which the interference arose:
(b) expenses reasonably incurred by the aggrieved individual for the purpose of the transaction or activity out of which the interference arose:
(c) loss of any benefit, whether or not of a monetary kind, that the aggrieved
individual might reasonably have been expected to obtain but for the
interference:
(d) humiliation, loss of dignity, and injury to the feelings of the aggrieved
individual.
(2) If the proceedings are brought on behalf of more than 1 aggrieved individual,
the Tribunal may award damages under subsection (1) to each aggrieved individual.
(3) Subsection (1) is subject to subpart 1 of Part 2 of the Prisoners’ and Victims’
Claims Act 2005.
(4) The Director must pay damages recovered under this section to the aggrieved
individual on whose behalf the proceedings were brought.
(5) Subsection (4) is subject to subsections (6) to (8).
(6) If the aggrieved individual is a minor who is not married or not in a civil union,
the Director may decide to pay the damages to Public Trust or to any person or
trustee corporation acting as the manager of any property of the aggrieved individual.
(7) If the aggrieved individual is a mentally disordered person within the meaning
of section 2 of the Mental Health (Compulsory Assessment and Treatment) Act
2020 No 31 Privacy Act 2020 Part 5 s 103
71
1992 whose property is not being managed under the Protection of Personal
and Property Rights Act 1988, the Director may decide to pay the damages to
Public Trust.
(8) If the aggrieved individual is a person whose property is being managed under
the Protection of Personal and Property Rights Act 1988, the Director must
ascertain whether the terms of the property order cover management of money
received as damages and,—
(a) if damages fall within the terms of the property order, the Director must
pay the damages to the person or trustee corporation acting as the property manager; or
(b) if damages do not fall within the terms of the property order, the Director
may decide to pay the damages to Public Trust.
(9) If money is paid to Public Trust under subsection (6), (7), or (8),—
(a) sections 103 to 110 of the Contract and Commercial Law Act 2017 apply
in the case of a minor who is not married or not in a civil union; and
(b) sections 108D, 108F, and 108G of the Protection of Personal and Property Rights Act 1988 apply, with any necessary modifications, in the
case of a person referred to in subsection (7) or (8)(b); and
(c) section 108E of the Protection of Personal and Property Rights Act 1988
applies, with any necessary modifications, in the case of an individual
referred to in subsection (8)(a).
Compare: 1993 No 28 s 88; 1994 No 88 s 57
Access order
104 Enforcement of access direction
(1) If an agency has not complied with an access direction, or lodged an appeal
under section 105, an aggrieved individual may apply to the Tribunal for an
access order requiring the agency to comply with the access direction.
(2) If the Tribunal grants an application, the Tribunal must specify in the access
order the date by which the agency must comply with the access direction.
(3) An application under this section may be heard by the Chairperson sitting alone
unless the Chairperson considers that, because of the issues involved, it would
be more appropriate for the application to be heard by the Tribunal.
(4) An agency that, without reasonable excuse, fails to comply with an access
order commits an offence and is liable on conviction to a fine not exceeding
$10,000.
Part 5 s 104 Privacy Act 2020 2020 No 31
72
Appeal against access direction
105 Appeal to Tribunal against access direction
(1) An agency against which an access direction has been made may appeal to the
Tribunal against the direction.
(2) The parties to the appeal are the parties to the investigation.
106 Time for lodging appeal
(1) An appeal under section 105 must be lodged with the Tribunal within 20 working days from the date of the notice given to the parties under section 91(7)
(the appeal period).
(2) The Chairperson may accept an appeal lodged not later than 3 months after the
appeal period if, on an application made for that purpose by the party lodging
the appeal, the Chairperson is satisfied that exceptional circumstances prevented the appeal from being lodged within the appeal period.
107 Interim order suspending Commissioner’s direction pending appeal
(1) The Chairperson of the Tribunal may make an interim order suspending an
access direction until an appeal is determined if the Chairperson is satisfied that
it is necessary and in the interests of justice to make the order.
(2) If an interim order is made, a party may apply to the High Court to vary or
rescind the order, unless the order was made with that party’s consent.
(3) An application under subsection (2) may be—
(a) made only with the leave of the Chairperson:
(b) made instead of, but not as well as, an appeal against the interim order
under section 123(1) of the Human Rights Act 1993.
108 Determination of appeal
(1) The Tribunal may require the Commissioner to provide either or both of the
following:
(a) a written report setting out the considerations to which the Commissioner had regard in making the access direction:
(b) any information held by the Commissioner relating to the making of the
access direction that is required to determine the appeal.
(2) At the hearing of an appeal (other than an appeal determined on the papers),
the Commissioner is entitled to appear in person, or by a representative, and be
heard.
(3) The Tribunal may determine an appeal by—
(a) confirming the direction appealed against:
(b) modifying the direction appealed against:
(c) reversing the direction appealed against.
2020 No 31 Privacy Act 2020 Part 5 s 108
73
(4) The Tribunal may award damages in accordance with section 103.
Miscellaneous
109 Proceedings involving access to personal information
(1) This section applies if—
(a) proceedings are commenced in the Tribunal under section 97 or 98 in
respect of a complaint about a decision made by an agency under subpart
1 of Part 4 to refuse access to personal information; or
(b) an appeal is lodged in the Tribunal under section 105 against an access
direction directing an agency to provide access to personal information.
(2) During the proceedings the Tribunal may, for the purpose of determining
whether the agency may properly refuse access to personal information, do
either or both of the following:
(a) require the agency to produce the personal information to the members
of the Tribunal, but to no other person:
(b) allow the agency to give evidence and make submissions in the absence
of—
(i) other parties; and
(ii) all lawyers (if any) representing those other parties; and
(iii) all members of the public.
(3) However, the Tribunal may only exercise the powers in subsection (2) if it is
necessary to do so to avoid compromising the matters that the agency considers
justify refusing access to the personal information.
110 Costs
(1) In any proceedings under section 97, 98, 104, or 105, the Tribunal may award
costs against either party whether or not it makes any other order.
(2) If, in any proceedings before the Tribunal or a court, costs are ordered to be
paid by the Director, those costs must be paid by the Commissioner.
(3) The Commissioner is not entitled to be indemnified by an aggrieved individual
in respect of any costs the Commissioner is required to pay under subsection
(2).
Compare: 1993 No 28 ss 85(2), (3), 86(4)
111 Certain provisions of Human Rights Act 1993 to apply
(1) Except to the extent modified by this subpart, the provisions of the Human
Rights Act 1993 specified in subsection (2) apply to proceedings under section
97, 98, 104, or 105 of this Act as if they were proceedings under the Human
Rights Act 1993.
Part 5 s 109 Privacy Act 2020 2020 No 31
74
(2) The provisions of the Human Rights Act 1993 referred to in subsection (1)
are—
(a) sections 92Q to 92W; and
(b) Part 4, except—
(i) sections 97, 108A, and 108B, in relation to proceedings commenced under section 97, 98, or 104 of this Act; and
(ii) sections 95, 96, 97, 108A, and 108B in relation to proceedings
commenced under section 105 of this Act.
Compare: 1993 No 28 s 89
Part 6
Notifiable privacy breaches and compliance notices
Subpart 1—Notifiable privacy breaches
112 Interpretation
(1) In this subpart,—
affected individual, in relation to personal information that is the subject of a
privacy breach,—
(a) means the individual to whom the information relates; and
(b) includes an individual inside or outside New Zealand; and
(c) despite the definition of individual in section 7(1), includes a deceased
person—
(i) if a sector-specific code of practice issued under section 32 specifies that the code applies to information about deceased persons;
and
(ii) to the extent that the code of practice applies 1 or more IPPs to
that information
notifiable privacy breach—
(a) means a privacy breach that it is reasonable to believe has caused serious
harm to an affected individual or individuals or is likely to do so (see
section 113 for factors that must be considered by an agency when
assessing whether a privacy breach is likely to cause serious harm); but
(b) does not include a privacy breach if the personal information that is the
subject of the breach is held by an agency who is an individual and the
information is held solely for the purposes of, or in connection with, the
individual’s personal or domestic affairs
privacy breach, in relation to personal information held by an agency,—
(a) means—
2020 No 31 Privacy Act 2020 Part 6 s 112
75
(i) unauthorised or accidental access to, or disclosure, alteration, loss,
or destruction of, the personal information; or
(ii) an action that prevents the agency from accessing the information
on either a temporary or permanent basis; and
(b) includes any of the things listed in paragraph (a)(i) or an action under
paragraph (a)(ii), whether or not it—
(i) was caused by a person inside or outside the agency; or
(ii) is attributable in whole or in part to any action by the agency; or
(iii) is ongoing.
(2) For the purposes of this subpart, the meanings of access, disclosure, and loss
are not limited by the use of those words or the meanings ascribed to them
elsewhere in this Act.
113 Assessment of likelihood of serious harm being caused by privacy breach
When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach,
the agency must consider the following:
(a) any action taken by the agency to reduce the risk of harm following the
breach:
(b) whether the personal information is sensitive in nature:
(c) the nature of the harm that may be caused to affected individuals:
(d) the person or body that has obtained or may obtain personal information
as a result of the breach (if known):
(e) whether the personal information is protected by a security measure:
(f) any other relevant matters.
114 Agency to notify Commissioner of notifiable privacy breach
An agency must notify the Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred.
115 Agency to notify affected individual or give public notice of notifiable
privacy breach
(1) An agency must notify an affected individual as soon as practicable after
becoming aware that a notifiable privacy breach has occurred, unless subsection (2) or an exception in section 116 applies or a delay is permitted under
section 116(4).
(2) If it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals, the agency must instead give public
notice of the privacy breach, unless an exception in section 116 applies or a
delay is permitted under section 116(4).
Part 6 s 113 Privacy Act 2020 2020 No 31
76
(3) Public notice must be given—
(a) in a form in which no affected individual is identified; and
(b) in accordance with any regulations made under section 215(1)(a).
(4) If subsection (2) or an exception in section 116 is relied on, the agency must
notify the affected individual or individuals at a later time if—
(a) circumstances change so that subsection (2) or the exception no longer
applies; and
(b) at that later time, there is or remains a risk that the privacy breach will
cause serious harm to the affected individual or individuals.
(5) A failure to notify an affected individual or give public notice under this section may be an interference with privacy under this Act (see section
69(2)(a)(iv)).
116 Exceptions to or delay in complying with requirement to notify affected
individuals or give public notice of notifiable privacy breach
(1) An agency is not required to notify an affected individual or give public notice
of a notifiable privacy breach if the agency believes that the notification or
notice would be likely to—
(a) prejudice the security or defence of New Zealand or the international
relations of the Government of New Zealand; or
(b) prejudice the maintenance of the law by any public sector agency,
including the prevention, investigation, and detection of offences, and
the right to a fair trial; or
(c) endanger the safety of any person; or
(d) reveal a trade secret.
(2) An agency is not required to notify an affected individual or give public notice
(relating to a particular individual) of a notifiable privacy breach—
(a) if the individual is under the age of 16 and the agency believes that the
notification or notice would be contrary to that individual’s interests; or
(b) if, after consultation is undertaken by the agency with the individual’s
health practitioner (where practicable), the agency believes that the notification or notice would be likely to prejudice the health of the individual.
(3) If subsection (2) applies, the agency must—
(a) consider whether it would be appropriate to notify a representative
instead of the individual (if a representative is known or can be readily
identified); and
(b) before deciding whether to notify a representative, take into account the
circumstances of both the individual and the privacy breach; and
2020 No 31 Privacy Act 2020 Part 6 s 116
77
(c) if the agency decides it is appropriate to notify a representative and has
identified a representative, notify that person.
(4) An agency may delay notifying an affected individual (or a representative) or
giving public notice of a notifiable privacy breach (but not delay notifying the
Commissioner) only—
(a) if the agency believes that a delay is necessary because notification or
public notice may have risks for the security of personal information
held by the agency and those risks outweigh the benefits of informing
affected individuals; and
(b) for a period during which those risks continue to outweigh those benefits.
(5) An agency may rely on an exception, or delay in notifying affected individuals
or giving public notice, under this section and, in relation to a delay, do so for
the period referred to in subsection (4)(b), only if the agency believes on
reasonable grounds that the exception applies, the ground for delay exists, or
the circumstances referred to in subsection (4)(b) (relating to the period of
delay) continue to exist.
(6) In this section,—
health practitioner has the meaning given to it in section 49(2)
representative,—
(a) of an affected individual under the age of 16, means that individual’s
parent or guardian:
(b) of an affected individual aged 16 or over, means an individual appearing
to be lawfully acting on that individual’s behalf or in that individual’s
interests.
Compare: 1956 No 65 s 22B; 1982 No 156 s 6
117 Requirements for notification
(1) A notification to the Commissioner under section 114 must—
(a) describe the notifiable privacy breach, including—
(i) the number of affected individuals (if known); and
(ii) the identity of any person or body that the agency suspects may be
in possession of personal information as a result of the privacy
breach (if known); and
(b) explain the steps that the agency has taken or intends to take in response
to the privacy breach, including whether any affected individual has
been or will be contacted; and
(c) if the agency is relying on section 115(2) to give public notice of the
breach, set out the reasons for relying on that section; and
Part 6 s 117 Privacy Act 2020 2020 No 31
78
(d) if the agency is relying on an exception, or is delaying notifying an
affected individual or giving public notice, under section 116, state the
exception relied on and set out the reasons for relying on it or state the
reasons why a delay is needed and the expected period of delay; and
(e) state the names or give a general description of any other agencies that
the agency has contacted about the privacy breach and the reasons for
having done so; and
(f) give details of a contact person within the agency for inquiries.
(2) A notification to an affected individual under section 115 or a representative
under section 116(3) must—
(a) describe the notifiable privacy breach and state whether the agency has
or has not identified any person or body that the agency suspects may be
in possession of the affected individual’s personal information (but,
except as provided in subsection (3), must not include any particulars
that could identify that person or body); and
(b) explain the steps taken or intended to be taken by the agency in response
to the privacy breach; and
(c) where practicable, set out the steps the affected individual may wish to
take to mitigate or avoid potential loss or harm (if any); and
(d) confirm that the Commissioner has been notified under section 114; and
(e) state that the individual has the right to make a complaint to the Commissioner; and
(f) give details of a contact person within the agency for inquiries.
(3) A notification to an affected individual or their representative may identify a
person or body that has obtained or may obtain that affected individual’s personal information (where the identity is known) if the agency believes on
reasonable grounds that identification is necessary to prevent or lessen a serious threat to the life or health of the affected individual or another individual.
(4) A notification to an affected individual must not include any particulars about
any other affected individuals.
(5) In order to comply with the requirement under sections 114 and 115 that notification must be made as soon as practicable, an agency may provide the information required by this section incrementally. However, any information that is
available at any point in time must be provided as soon as practicable after that
point in time.
118 Offence to fail to notify Commissioner
(1) An agency that, without reasonable excuse, fails to notify the Commissioner of
a notifiable privacy breach under section 114 commits an offence and is liable
on conviction to a fine not exceeding $10,000.
2020 No 31 Privacy Act 2020 Part 6 s 118
79
(2) It is not a defence to a charge under this section that the agency has taken steps
to address the privacy breach.
(3) It is a defence to a charge under this section that the agency did not consider
the privacy breach to be a notifiable privacy breach, but only if it was reasonable to do so in the circumstances.
119 Section 211 does not apply to processes and proceedings relating to failure
to notify notifiable privacy breach
Section 211 (which refers to the liability of employers, principals, and agencies) does not apply to processes or proceedings under this Act relating to the
obligations under section 114 or 115.
120 Liability for actions of employees, agents, and members of agencies
(1) This section applies to processes and proceedings under this Act relating to the
obligations under section 114 or 115.
(2) An employee or a member of an agency is not liable in those processes or proceedings if anything done or omitted by them results in the employer or agency
failing to notify the Commissioner or an affected person (or their representative) or give public notice of a notifiable privacy breach.
(3) For the purpose of those processes and proceedings, anything done or omitted
by an employee or a member of an agency is to be treated as being done or
omitted by the employer or agency.
(4) For the purpose of those processes and proceedings, anything done or omitted
by an agent of another agency is to be treated as being done or omitted by both
the agent and the principal agency.
(5) However, the extent of liability of an agent is affected by whether they hold
personal information that is the subject of a notifiable privacy breach. See the
definition of privacy breach in section 112 and see section 11, which applies
and which provides that information held by an agent is to be treated as being
held by the principal agency unless section 11(3) applies.
121 Knowledge of employees, agents, and members of agencies to be treated as
knowledge of employers, principal agencies, and agencies
(1) Subsection (2) applies to processes and proceedings under this Act relating to
the obligations under section 114 or 115.
(2) Anything relating to a notifiable privacy breach that is known by an employee
or a member of an agency is to be treated as being known by the employer or
agency.
(3) Subsection (4) applies to processes and proceedings under this Act relating to
the obligations under section 114 or 115 except a proceeding under section 118.
(4) Anything relating to a notifiable privacy breach that is known by an agent is to
be treated as being known by the principal agency.
Part 6 s 119 Privacy Act 2020 2020 No 31
80
122 Publication of identity of agencies in certain circumstances
(1) The Commissioner may publish the identity of an agency that has notified the
Commissioner of a notifiable privacy breach if—
(a) the agency consents to publication; or
(b) the Commissioner is satisfied that it is in the public interest to do so.
(2) This section does not prevent the publication of details of any notifiable privacy breach in a form in which the agency or any affected individual is not
identified and for the purpose of informing the public about the extent and
nature of privacy breaches.
Subpart 2—Compliance notices
123 Compliance notices
(1) The Commissioner may issue a compliance notice to an agency if the Commissioner considers that 1 or more of the following may have occurred:
(a) a breach of this Act, including an action listed in section 69(2)(a):
(b) an action that is to be treated as a breach of an IPP or an interference
with the privacy of an individual under another Act:
(c) a breach of a code of practice issued under this Act or a code of conduct
(or similar) issued under another Act (if a complaint about a breach of
the code can be the subject of a complaint under Part 5 of this Act).
(2) Before issuing a compliance notice, the Commissioner may, but is not required
to,—
(a) assess whether any person has suffered harm (for example, the types of
harm listed in section 69(2)(b)):
(b) use other means under this Act or another Act for dealing with the
breach.
(3) A compliance notice may be issued at any time, including concurrently with
the use of any other means for dealing with the breach.
Example
The Commissioner issues a compliance notice while dealing with the same breach
as a complaint under Part 5.
124 Issuing compliance notice
(1) The Commissioner must consider the following factors before issuing a compliance notice:
(a) whether there is another means under this Act or another Act for dealing
with the breach:
(b) the seriousness of the breach:
(c) the likelihood of a repeat of the breach:
2020 No 31 Privacy Act 2020 Part 6 s 124
81
(d) the number of people who may be or are affected by the breach:
(e) whether the agency has been co-operative in all dealings with the Commissioner:
(f) the likely costs to the agency of complying with the notice.
(2) However, each of those factors need be considered only to the extent that—
(a) it is relevant in the Commissioner’s view:
(b) information about the factor is readily available to the Commissioner.
(3) Before issuing a compliance notice, the Commissioner must provide the
agency concerned with a reasonable opportunity to comment on a written
notice that—
(a) describes the breach, citing the relevant statutory provision or provisions; and
(b) summarises the conclusions reached about the factors in subsection (1)
that have been considered by the Commissioner; and
(c) describes particular steps that the Commissioner considers need to be
taken to remedy the breach (if any) and any conditions the Commissioner considers appropriate (if any); and
(d) states the date or dates by which the Commissioner proposes that the
agency must remedy the breach and report to the Commissioner (if any).
(4) In each case, the Commissioner must determine the period of time that will
give the agency a reasonable opportunity to comment, taking into account the
circumstances of the case.
(5) For the purpose of this subpart,—
breach means any of the things described in section 123(1)(a) to (c)
remedy the breach means to comply with the relevant statutory provision or
provisions.
125 Form of compliance notice
(1) A compliance notice issued to an agency must—
(a) state the name of the agency; and
(b) describe the breach, citing the relevant statutory provision or provisions;
and
(c) require the agency to remedy the breach; and
(d) inform the agency of the right of appeal under section 131; and
(e) contain any other information required by any regulations made under
section 215(1)(c).
(2) A compliance notice issued to an agency may—
Part 6 s 125 Privacy Act 2020 2020 No 31
82
(a) identify particular steps that the Commissioner considers need to be
taken by the agency to remedy the breach:
(b) include conditions that the Commissioner considers are appropriate:
(c) state the date or dates by which the agency must—
(i) remedy the breach; and
(ii) report to the Commissioner on the steps taken to do so:
(d) include other information that the Commissioner considers would be
useful.
Compare: 1993 No 28 s 114D
126 Agency response to compliance notice
(1) An agency that is issued with a compliance notice must take steps to comply
with the notice, including taking any particular steps specified in the notice.
(2) The agency must—
(a) comply with the notice as soon as practicable after receiving it unless it
is cancelled or suspended; and
(b) if applicable, remedy the breach by the date stated in the notice unless
that date is varied or modified.
127 Commissioner may vary or cancel compliance notice
(1) The Commissioner may vary or cancel a compliance notice at any time if the
Commissioner considers that—
(a) any of the information listed in section 125 needs to be added to or
amended in the notice; or
(b) all or part of the notice has been complied with; or
(c) all or part of the notice is no longer needed.
(2) The Commissioner must give written notice to the agency concerned of a decision under this section.
(3) The notice must inform the agency of the right to appeal under section 131.
(4) A variation or cancellation of a compliance notice takes effect on the first
working day after the day on which the notice of the decision is given to the
agency.
Compare: 1993 No 28 s 114E
128 Commissioner’s power to obtain information
(1) Before deciding whether to issue a compliance notice or to vary or cancel a
compliance notice, the Commissioner may hear or obtain information from any
person who the Commissioner considers may have relevant information.
(2) Sections 86 to 90 apply as if the Commissioner were carrying out an investigation under Part 5.
2020 No 31 Privacy Act 2020 Part 6 s 128
83
(3) Except as provided for in sections 86 to 90, the Commissioner may regulate the
Commissioner’s procedure as the Commissioner considers appropriate.
Compare: 1993 No 28 ss 90, 114C
129 Publication of details of compliance notice
The Commissioner may publish or delay publication of any of the following
information if the Commissioner believes it is desirable to do so in the public
interest:
(a) the identity of an agency to whom or which a compliance notice has
been issued:
(b) other details about the compliance notice or the breach that is the subject
of the notice, that the Commissioner considers should be published:
(c) a statement or comment about the breach, that the Commissioner considers is appropriate in the circumstances.
Proceedings
130 Enforcement of compliance notice
(1) The Commissioner may take enforcement proceedings in the Tribunal—
(a) if the time for an appeal under section 131 has passed and no appeal has
been lodged against a compliance notice; and
(b) if—
(i) the Commissioner has reason to believe that the agency has not
remedied or will not remedy the breach (if applicable, by the date
stated in the notice); or
(ii) the agency has failed to report to the Commissioner on the steps
taken to remedy the breach by the date stated in the notice.
(2) An agency may object to enforcement of a compliance notice only on the
ground that the agency believes that the notice has been fully complied with.
(3) In proceedings under this section, the Tribunal—
(a) must not examine or make any determination about the issuing or merits
of a compliance notice:
(b) may examine and make a determination about whether a compliance
notice has been fully complied with:
(c) may order a remedy under section 133(1)(a).
(4) Proceedings under this section may be heard by the Chairperson sitting alone
unless the Chairperson considers that, because of the issues involved, it would
be more appropriate for the proceedings to be heard by the Tribunal.
Compare: 1988 No 110 s 45
Part 6 s 129 Privacy Act 2020 2020 No 31
84
131 Appeal against compliance notice or Commissioner’s decision to vary or
cancel notice
(1) An agency that has been issued with a compliance notice may appeal to the Tribunal—
(a) against all or part of the notice; or
(b) against a decision by the Commissioner to vary or cancel the notice.
(2) An appeal must be lodged within 15 working days from the day on which the
compliance notice is issued or the notice of the decision is given to the agency.
(3) The Tribunal may allow an appeal and order a remedy under section 133(1)(b)
if it considers that—
(a) the compliance notice or decision against which the appeal is brought is
not in accordance with the law; or
(b) to the extent that the compliance notice or decision involved an exercise
of discretion by the Commissioner, the Commissioner ought to have
exercised that discretion differently; or
(c) the agency has fully complied with the compliance notice.
(4) The Tribunal may review any determination of fact on which the compliance
notice or decision was based.
(5) The Tribunal must not cancel or modify a compliance notice for the reason
that—
(a) the breach was unintentional or without negligence on the part of the
agency; or
(b) the agency has taken steps to remedy the breach, unless there is no further reasonable step that the agency can take to do so.
Compare: 1993 No 28 s 114G
132 Interim order suspending compliance notice pending appeal
(1) The Chairperson may make an interim order suspending all or part of a compliance notice until an appeal is determined if satisfied that it is necessary and in
the interests of justice to make the order.
(2) If an interim order is made, a party may apply to the High Court to vary or
rescind the order, unless the order was made with that party’s consent.
(3) An application under subsection (2) may be—
(a) made only with the leave of the Tribunal:
(b) made instead of, but not as well as, an appeal against the interim order
under section 123(1) of the Human Rights Act 1993.
Compare: 1993 No 82 ss 95, 96
133 Remedies, costs, and enforcement
(1) The Tribunal may,—
2020 No 31 Privacy Act 2020 Part 6 s 133
85
(a) in enforcement proceedings under section 130, grant 1 or both of the following remedies:
(i) an order that the agency comply with a compliance notice by a
date specified in the order (which may vary from the date originally stated in the notice):
(ii) an order that the agency perform any act specified in the order by
a date specified in the order (for example, reporting to the Commissioner on progress in complying with the compliance notice):
(b) in an appeal under section 131, grant 1 or both of the following remedies:
(i) an order that confirms, cancels, or modifies the compliance
notice; or
(ii) an order that confirms, overturns, or modifies the decision:
(c) in either type of proceeding, award costs as the Tribunal considers
appropriate.
(2) An award of costs may, on registration of a certified copy of the Tribunal’s
decision, be enforced in the District Court as if it were an order of that court.
(3) An agency that, without reasonable excuse, fails to comply with an order under
subsection (1)(a) or with a compliance notice that is confirmed or modified
under subsection (1)(b)(i) commits an offence and is liable on conviction to a
fine not exceeding $10,000.
Compare: 1993 No 28 s 85; 1993 No 82 s 121
134 Application of Human Rights Act 1993
Except to the extent modified by this subpart, Part 4 of the Human Rights Act
1993 (except sections 95, 96, 97, 108A, and 108B) applies to proceedings
under this subpart with any necessary modifications.
Compare: 1993 No 28 s 114H
135 Commissioner may be represented in proceedings
In proceedings under this subpart, the Commissioner is entitled to appear in
person or to be represented by a lawyer or an agent.
Part 6 s 134 Privacy Act 2020 2020 No 31
86
Part 7
Sharing, accessing, and matching personal information
Subpart 1—Information sharing
136 Purpose of this subpart
The purpose of this subpart is to authorise agencies to share personal information in accordance with an approved information sharing agreement to facilitate
the provision of public services.
Compare: 1993 No 28 s 96A
137 Relationship between subpart 1 and other law relating to information
disclosure
(1) To avoid doubt, nothing in this subpart—
(a) limits the collection, use, or disclosure of personal information that is
authorised or required by or under any enactment; or
(b) compels agencies to enter into an information sharing agreement if those
agencies are already allowed to share personal information—
(i) by or under any other enactment; or
(ii) because an exemption from or a modification to 1 or more of the
IPPs or any code of practice is not required to make the sharing of
the information lawful.
(2) This subpart and subparts 2 to 4 do not limit one another.
(3) An information sharing agreement may—
(a) duplicate an information sharing provision by providing for an agency to
share the same personal information specified in the information sharing
provision—
(i) with the same agencies specified in the information sharing provision; and
(ii) for the same purposes specified in the information sharing provision; or
(b) extend an information sharing provision that is not a restricted information sharing provision by providing for an agency to share the same personal information specified in the information sharing provision—
(i) with the same agencies specified in the information sharing provision for a purpose not specified in the information sharing provision; or
(ii) with an agency not specified in the information sharing provision
for a purpose specified in the information sharing provision; or
2020 No 31 Privacy Act 2020 Part 7 s 137
87
(iii) with an agency not specified in the information sharing provision
and for a purpose not specified in the information sharing provision; or
(c) duplicate a restricted information sharing provision by providing for an
agency to share the same personal information as specified in the restricted information sharing provision—
(i) with the same agencies specified in the restricted information
sharing provision; and
(ii) for the same purposes specified in the restricted information sharing provision; or
(d) extend in any manner specified in paragraph (b) a restricted information
sharing provision, but only if—
(i) the restricted information sharing provision is an information
matching provision (as defined in section 177); or
(ii) there is express statutory authorisation to do so.
(4) In subsection (3),—
information sharing provision means a provision in any enactment other than
this Act that authorises or requires the sharing of personal information by an
agency with 1 or more other agencies for 1 or more specified purposes
restricted information sharing provision means an information sharing provision that expressly restricts the purposes for which the personal information
may be shared to those purposes specified.
Compare: 1993 No 28 s 96B
138 Interpretation
In this subpart, unless the context otherwise requires,—
adverse action has the meaning given to it in section 177
agency means a New Zealand agency that is—
(a) a public sector agency; or
(b) a New Zealand private sector agency
approved information sharing agreement means an information sharing
agreement approved by an Order in Council that is for the time being in force
department has the meaning given to it in section 7 and also includes—
(a) the New Zealand Police:
(b) the New Zealand Transport Agency
information sharing agreement or agreement means an agreement between
or within agencies that enables the sharing of personal information (whether or
not the sharing also includes information that is not personal information) to
facilitate the provision of a public service
Part 7 s 138 Privacy Act 2020 2020 No 31
88
lead agency means a department, part of a public sector agency that is a
department, or specified organisation that enters into an information sharing
agreement and is designated as the lead agency in—
(a) the agreement; and
(b) the Order in Council approving the agreement
local authority means a local authority or public body named or specified in
Schedule 1 of the Local Government Official Information and Meetings Act
1987
New Zealand private sector agency has the meaning given to it in section
7(1)
Order in Council, except in section 161, means an Order in Council made
under section 145(1)
organisation means—
(a) an organisation named in Part 2 of Schedule 1 of the Ombudsmen Act
1975; and
(b) an organisation named in Schedule 1 of the Official Information Act
1982
overseas agency means an agency that is not a New Zealand agency
public sector agency means a department, an organisation, or a local authority
public service means a public function or duty that is conferred or imposed on
a public sector agency—
(a) by or under law; or
(b) by a policy of the Government
relevant Minister means the Minister who, under the authority of any warrant
or with the authority of the Prime Minister, is for the time being responsible for
a lead agency
sharing, in relation to any information referred to in an approved information
sharing agreement, means all or any of the following activities if authorised by
an approved information sharing agreement:
(a) collecting the information:
(b) storing the information:
(c) checking the information:
(d) using the information:
(e) disclosing the information:
(f) exchanging the information:
(g) if necessary, assigning a unique identifier to an individual
specified organisation means any of the following organisations:
(a) the Accident Compensation Corporation:
2020 No 31 Privacy Act 2020 Part 7 s 138
89
(b) the Civil Aviation Authority of New Zealand:
(c) a district health board:
(d) the Earthquake Commission:
(e) Education New Zealand:
(f) Fire and Emergency New Zealand:
(g) Housing New Zealand Corporation:
(h) the New Zealand Qualifications Authority:
(i) the Tertiary Education Commission:
(j) WorkSafe New Zealand.
Compare: 1993 No 28 s 96C
139 Information sharing between agencies
An approved information sharing agreement may authorise an agency to share
any personal information with 1 or more other agencies in accordance with the
terms of the agreement.
Compare: 1993 No 28 s 96D
140 Information sharing within agencies
An approved information sharing agreement may authorise a part of an agency
to share any personal information with 1 or more parts of the same agency in
accordance with the terms of the agreement.
Compare: 1993 No 28 s 96E
141 Parties to information sharing agreement
(1) Two or more of the following agencies may enter into an information sharing
agreement:
(a) a public sector agency:
(b) a New Zealand private sector agency:
(c) a part of a public sector agency:
(d) a part of a New Zealand private sector agency.
(2) An agency of the kind specified in subsection (1) that enters into an information sharing agreement must be named as a party to the agreement.
(3) Subsection (1) is subject to subsections (4) and (5).
(4) An overseas agency may not enter into an information sharing agreement.
(5) At least 1 of the agencies that enters into an information sharing agreement
must be—
(a) a public sector agency that is a department; or
(b) part of a public sector agency that is a department; or
(c) a specified organisation; or
Part 7 s 139 Privacy Act 2020 2020 No 31
90
(d) part of a specified organisation.
Compare: 1993 No 28 s 96F
142 Agreement may apply to classes of agencies
(1) For the purposes of this section,—
class of agencies excludes—
(a) a class of departments:
(b) a class of specified organisations
member of a class of agencies excludes—
(a) a department:
(b) a specified organisation:
(c) a part of a department:
(d) a part of a specified organisation.
(2) An information sharing agreement may specify 1 or more classes of agencies to
which the agreement may apply.
(3) At any time after an agreement has been entered into, the lead agency may—
(a) agree to an agency that is a member of a class of agencies specified in
the agreement becoming a party to the agreement; and
(b) name that agency as a party in a schedule to the agreement (the Schedule of Parties).
(4) If at any time an agency named in the Schedule of Parties no longer wishes to
be a party to the agreement, the lead agency must, on the request of that
agency, remove the agency’s name from the Schedule of Parties.
(5) A lead agency need not obtain the consent of any other party to the agreement
before—
(a) naming an agency in the Schedule of Parties; or
(b) removing the name of an agency from the Schedule of Parties.
(6) A lead agency must, after doing either of the things referred to in subsection
(5), provide the other parties to the information sharing agreement (including
the agency whose name has been added to, or removed from, the Schedule of
Parties) with a copy of the Schedule of Parties or amended Schedule of Parties,
as the case may be.
(7) An agency that becomes a party to the agreement under subsection (3) may, but
need not, share or participate in the sharing of any personal information with 1
or more other agencies in accordance with the terms of the agreement.
(8) Unless the context otherwise requires, every reference in this Part to a party to
an information sharing agreement includes an agency named as a party in a
Schedule of Parties.
Compare: 1993 No 28 s 96G
2020 No 31 Privacy Act 2020 Part 7 s 142
91
143 Lead agency
(1) In this section, specified agency means—
(a) a public sector agency that is a department; or
(b) part of a public sector agency that is a department; or
(c) a specified organisation.
(2) If only 1 specified agency is a party to an information sharing agreement, that
agency must be designated as the lead agency for the agreement.
(3) If 2 or more specified agencies are parties to an information sharing agreement,
the parties to the agreement may agree between themselves which of the specified agencies is to be designated as the lead agency.
Compare: 1993 No 28 s 96H
144 Form and content of information sharing agreement
(1) An information sharing agreement must be in writing.
(2) An information sharing agreement must—
(a) specify with due particularity the purpose of the information sharing
agreement:
(b) set out the information referred to in section 146:
(c) contain an overview of the operational details about the sharing of information under the agreement:
(d) specify the safeguards that will apply to protect the privacy of individuals and ensure that any interference with their privacy is minimised:
(e) if a party to the agreement is a New Zealand private sector agency, state
which public sector agency will be responsible for dealing with complaints about an alleged interference with privacy if the New Zealand
private sector agency is unable to be held accountable for those complaints:
(f) state that every party to the agreement must give any reasonable assistance that is necessary in the circumstances to allow the Commissioner or
an individual who wishes to make a complaint about an interference
with privacy to determine the agency against which the complaint should
be made:
(g) if entered into under section 142,—
(i) designate an agency as the lead agency; and
(ii) specify with due particularity the class of agencies to which the
agreement may apply; and
(iii) include a schedule that sufficiently identifies the agencies within
that class that are parties to the agreement.
Part 7 s 143 Privacy Act 2020 2020 No 31
92
(3) An information sharing agreement may specify any other terms or conditions
that the parties may agree to, including—
(a) the fees and charges that are payable under the agreement; and
(b) any other business processes relating to the sharing of information under
the agreement.
Compare: 1993 No 28 s 96I
145 Governor-General may approve information sharing agreement by Order
in Council
(1) The Governor-General may, by Order in Council made on the recommendation
of the relevant Minister, approve an information sharing agreement.
(2) An Order in Council may grant an exemption from or modify the application
of—
(a) 1 or more of the IPPs (except IPPs 6 and 7):
(b) any code of practice (except a code of practice that modifies IPPs 6 and
7).
(3) An Order in Council that, under subsection (2), grants an exemption from 1 or
more of the IPPs or a code of practice may provide that the exemption is
unconditional or is subject to any conditions that are prescribed in the Order in
Council.
(4) An Order in Council that, under subsection (2), modifies the application of 1 or
more of the IPPs or any code of practice may do so by prescribing standards
that are more stringent or less stringent than the standards that are prescribed
by the IPP or, as the case may be, the code of practice.
Compare: 1993 No 28 s 96J
146 Requirements for Order in Council
An Order in Council made under section 145(1) must—
(a) state, if applicable,—
(i) the nature of the exemption granted under section 145(2) and the
conditions of the exemption (if any):
(ii) how any IPPs or codes of practice will be modified under section
145(2):
(b) state the public service or public services the provision of which the
information sharing agreement is intended to facilitate:
(c) specify with due particularity the personal information or the type of personal information to be shared under the agreement:
(d) set out the parties, or classes of parties, to the agreement and designate
one of the parties as the lead agency:
(e) for every party to the agreement,—
2020 No 31 Privacy Act 2020 Part 7 s 146
93
(i) describe the personal information or type of personal information
that the party may share with each of the other parties; and
(ii) state how the party may use the personal information; and
(iii) state the adverse actions that the party can reasonably be expected
to take as a result of the sharing of personal information under the
agreement; and
(iv) specify the procedure that the party must follow before taking
adverse action against an individual as a result of the sharing of
personal information received under the agreement if the requirement in section 152(1) does not apply because of section
153(a)(ii):
(f) for every class of agency to which the agreement may apply (if any),—
(i) describe the personal information or type of personal information
that a member of that class of agency that becomes a party to the
agreement (a prospective party) may share with each of the other
parties; and
(ii) state how a prospective party may use the personal information;
and
(iii) state the adverse actions that a prospective party can reasonably
be expected to take as a result of sharing personal information
under the agreement; and
(iv) specify the procedure that a prospective party must follow before
taking adverse action against an individual as a result of sharing
personal information under the agreement if the requirement in
section 152(1) does not apply because of section 153(a)(ii):
(g) state the Internet site address where a copy of the agreement can be
accessed.
Compare: 1993 No 28 s 96K
147 Further provisions about Order in Council
(1) An Order in Council made under section 145(1) must provide that it comes into
force on a date specified in the Order in Council (which must not be earlier
than the date on which it is made).
(2) An Order in Council made under section 145(1) must insert into Schedule 2—
(a) a description of each of the following:
(i) the public service or the public services the provision of which the
agreement is intended to facilitate:
(ii) the personal information or type of personal information that may
be shared between or within the agencies that are party to the
agreement; and
Part 7 s 147 Privacy Act 2020 2020 No 31
94
(b) the name of the agreement; and
(c) the name of the lead agency for the agreement; and
(d) the Internet site address where a copy of the agreement can be accessed.
Compare: 1993 No 28 s 96L
148 Status of Order in Council
For the purposes of the Legislation Act 2012, an Order in Council made under
section 145(1) is a legislative instrument and a disallowable instrument and
must be presented to the House of Representatives under section 41 of that Act.
Compare: 1993 No 28 s 96M
149 Matters to which relevant Minister must have regard before
recommending Order in Council
(1) Before recommending the making of an Order in Council under section 145(1),
the relevant Minister must—
(a) be satisfied of the matters set out in subsection (2); and
(b) have regard to any submissions made under section 150(1)(a) in relation
to the information sharing agreement that is proposed for approval by
the Order in Council.
(2) The matters referred to in subsection (1)(a) are as follows:
(a) that the information sharing agreement will facilitate the provision of a
particular public service or particular public services:
(b) that the type and quantity of personal information to be shared under the
agreement are no more than is necessary to facilitate the provision of
that public service or those public services:
(c) that the agreement does not unreasonably impinge on the privacy of
individuals and contains adequate safeguards to protect their privacy:
(d) that the benefits of sharing personal information under the agreement are
likely to outweigh the financial and other costs of sharing it:
(e) that any potential conflicts or inconsistencies between the sharing of personal information under the agreement and any other enactment have
been identified and appropriately addressed.
Compare: 1993 No 28 s 96N
150 Consultation on proposed information sharing agreement
(1) The parties proposing to enter into an information sharing agreement must,
before the proposed agreement is concluded,—
(a) consult and invite submissions on the proposed agreement from—
(i) the Commissioner; and
2020 No 31 Privacy Act 2020 Part 7 s 150
95
(ii) any person or organisation that the agencies consider represents
the interests of the classes of individuals whose personal information will be shared under the proposed agreement; and
(iii) any person or organisation that the parties consider represents the
interests of any specified class of agency to which the agreement
may apply; and
(iv) any other person or organisation that the agencies consider should
be consulted; and
(b) have regard to any submissions made under paragraph (a).
(2) The Commissioner—
(a) must consider the privacy implications of the proposed agreement; and
(b) may make any submissions under subsection (1)(a)(i) that the Commissioner considers appropriate.
(3) The agencies must give the relevant Minister a copy of the submissions made
under subsection (1)(a) (if any).
Compare: 1993 No 28 s 96O
151 Commissioner may prepare and publish report on approved information
sharing agreement
(1) If an information sharing agreement is approved by Order in Council, the Commissioner may prepare a report for the relevant Minister on any matter relating
to privacy that arises or is likely to arise in respect of the agreement.
(2) Without limiting subsection (1), the Commissioner may include in the report—
(a) any comment that the Commissioner wishes to make about the consultation that the agencies carried out under section 150(1)(a); and
(b) any submissions that the Commissioner made to the agencies under section 150(1)(a)(i).
(3) The Commissioner—
(a) may publish a report under subsection (1); but
(b) must consult the relevant Minister before doing so.
Compare: 1993 No 28 s 96P
152 Requirement to give notice of adverse action
(1) A party to an approved information sharing agreement must give written notice
to an individual before it takes any adverse action against the individual on the
basis (whether in whole or in part) of personal information about the individual
that was shared under the agreement.
(2) The notice must—
Part 7 s 151 Privacy Act 2020 2020 No 31
96
(a) give details of the adverse action that the party proposes to take and the
personal information about the individual on which the action is based;
and
(b) state that the individual has 10 working days from the receipt of the
notice within which to dispute the correctness of that personal information.
(3) To avoid doubt, the individual who is given the notice may take any steps that
are available under any enactment to dispute any proposed adverse action
against them, but the only basis on which the individual may show cause under
this section as to why the proposed adverse action should not be taken is that it
is based on incorrect personal information.
Compare: 1993 No 28 s 96Q
153 When requirement to give notice of adverse action applies
The requirement to give notice under section 152 applies unless—
(a) an approved information sharing agreement provides that a party to the
agreement may—
(i) give a shorter period of notice than the 10-working-day period
referred to in section 152(2)(b); or
(ii) dispense with the giving of the notice; or
(b) if an approved information sharing agreement does not include a provision of the kind specified in paragraph (a), the Commissioner, on the
application of a party to an approved information sharing agreement,
allows the party in the circumstances of a particular case to—
(i) give a shorter period of notice than the 10-working-day period
referred to in section 152(2)(b); or
(ii) dispense with the giving of the notice.
Compare: 1993 No 28 s 96R
154 Responsibilities of lead agency
(1) A lead agency for an information sharing agreement must, if the agreement is
approved by Order in Council under section 145(1),—
(a) make a copy of the agreement—
(i) available for inspection, free of charge, at the lead agency’s head
office on any working day; and
(ii) accessible, free of charge, on an Internet site maintained by or on
behalf of the lead agency; and
(b) prepare a report on the operation of the agreement at the intervals
required by the Commissioner under section 156; and
(c) carry out any other responsibilities imposed by this Part.
2020 No 31 Privacy Act 2020 Part 7 s 154
97
(2) A lead agency does not need to comply with subsection (1)(a)(ii) if the relevant
Minister designates an Internet site maintained by or on behalf of another public sector agency as the Internet site where a copy of the agreement is to be
made accessible free of charge.
(3) To avoid doubt, nothing in this section applies to a party to an information
sharing agreement that is not the lead agency except as provided in subsection
(2).
Compare: 1993 No 28 s 96S
155 Report of lead agency
(1) A report prepared by a lead agency under section 154(1)(b) must include the
matters prescribed in regulations made under section 215(1)(d) that the Commissioner specifies after having regard to—
(a) the costs of reporting:
(b) the degree of public interest in information about the matters prescribed
in those regulations:
(c) the significance of the privacy implications of the approved information
sharing agreement.
(2) A report must be included—
(a) in the lead agency’s annual report under the Public Finance Act 1989, if
it is required annually; or
(b) in the lead agency’s annual report under the Public Finance Act 1989
that immediately follows the end of each interval specified under section
156(1)(b).
Compare: 1993 No 28 s 96T
156 Commissioner may specify frequency of reporting by lead agency
(1) The Commissioner may require a lead agency to prepare a report under section
154(1)(b)—
(a) annually; or
(b) at less frequent intervals that the Commissioner may specify.
(2) In determining the appropriate frequency in subsection (1) of a report under
section 154(1)(b), the Commissioner must have regard to—
(a) the costs of reporting:
(b) the degree of public interest in the matters to be included in the report:
(c) the significance of the privacy implications of the approved information
sharing agreement.
Compare: 1993 No 28 s 96U
Part 7 s 155 Privacy Act 2020 2020 No 31
98
157 Amendment of approved information sharing agreement
(1) This section applies if an approved information sharing agreement is amended
(whether in accordance with the Commissioner’s recommendation in a report
under section 159 or otherwise).
(2) As soon as practicable after the amendment is made, the lead agency must—
(a) give written notice of the amendment to—
(i) the Commissioner; and
(ii) the relevant Minister; and
(b) make a copy of the amendment—
(i) available for inspection, free of charge, at the lead agency’s head
office on any working day; and
(ii) accessible, free of charge, on the Internet site where a copy of the
agreement is accessible.
(3) The information sharing agreement approved by Order in Council continues to
have effect as if the amendment notified under subsection (2) had not been
made, unless the Governor-General, by a further Order in Council made on the
recommendation of the relevant Minister, approves the agreement as amended
by the parties.
(4) Sections 145 to 151 apply, with any necessary modifications, to the approval of
the agreement as amended.
(5) Subsection (2)(a), (3), or (4) does not apply if the amendment to an approved
information sharing agreement relates only to—
(a) the fees and charges payable under the agreement; or
(b) a name or description of a party to the agreement; or
(c) naming an agency as a party to the agreement under section 142(3); or
(d) removing an agency as a party to the agreement under section 142(4); or
(e) any terms or conditions of the agreement that the lead agency, after consulting the Commissioner, considers do not, or are unlikely to, have any
effect on the privacy implications of the agreement.
Compare: 1993 No 28 s 96V
158 Review of operation of approved information sharing agreement
(1) The Commissioner may at any time, on the Commissioner’s own initiative,
conduct a review of the operation of an approved information sharing agreement.
(2) However, except with the consent of the relevant Minister, no review may be
conducted under subsection (1) before the end of the period of 12 months after
the Order in Council approving the agreement is made.
(3) In conducting a review, the Commissioner must—
2020 No 31 Privacy Act 2020 Part 7 s 158
99
(a) consult the following persons and organisations about the review:
(i) the parties to the agreement:
(ii) any person or organisation that the Commissioner considers represents the interests of the classes of individuals whose personal
information is being shared under the agreement; and
(b) consider any submissions made on the review.
(4) The parties to the agreement must take all reasonable steps to co-operate with
the review.
Compare: 1993 No 28 s 96W
159 Report on findings of review
(1) After completing a review under section 158, the Commissioner may provide a
report to the relevant Minister if the Commissioner has reasonable grounds to
suspect that an approved information sharing agreement is—
(a) operating in an unusual or unexpected way (that is, in a way that was not
foreseen by the Commissioner or the parties to the agreement at the time
the agreement was entered into):
(b) failing to facilitate the provision of the public service or public services
to which it relates:
(c) unreasonably impinging on the privacy of individuals:
(d) operating in such a way that the financial and other costs of sharing personal information under the agreement outweigh the benefits of sharing
it.
(2) The Commissioner may recommend in the report that—
(a) the agreement should be amended in 1 or more material respects; or
(b) the Order in Council by which the agreement was approved should be
revoked.
Compare: 1993 No 28 s 96X
160 Relevant Minister must present copy of report under section 159(1) and
report setting out Government’s response to House of Representatives
The relevant Minister must—
(a) present a copy of a report under section 159(1) to the House of Representatives within 5 working days after receiving it from the Commissioner or, if Parliament is not in session, as soon as practicable after the
commencement of the next session of Parliament; and
(b) as soon as practicable after complying with paragraph (a), present a
report to the House of Representatives setting out the Government’s
response to the report under section 159(1).
Compare: 1993 No 28 s 96Y
Part 7 s 159 Privacy Act 2020 2020 No 31
100
161 Power to amend Schedule 2 by Order in Council
(1) Without limiting the matters that an Order in Council made under section 145
must insert into Schedule 2 in accordance with section 147(2), the GovernorGeneral may, by Order in Council,—
(a) make any amendments to Schedule 2 that are required—
(i) to recognise the abolition or dissolution of any agency that is
party to an approved information sharing agreement or any
change in the name of such an agency; or
(ii) to reflect any change in the Internet site address where a copy of
an approved information sharing agreement can be accessed; or
(iii) to reflect any amendments to an approved information sharing
agreement that are approved under section 157; or
(iv) to correct any error or omission in any description in that schedule:
(b) repeal any description or matter in Schedule 2, including all of the
descriptions or matters relating to an approved information sharing
agreement if the Order in Council by which it was approved has expired
or has been revoked:
(c) otherwise amend or replace Schedule 2.
(2) To avoid doubt, any of the matters set out in this section may be included in an
Order in Council made under section 145 or in a separate Order in Council
made under this section.
Compare: 1993 No 28 s 96Z
Subpart 2—Identity information
162 Purpose of this subpart
The purpose of this subpart is to authorise accessing agencies, when carrying
out specified functions, to verify the identity of an individual by accessing
identity information held about that individual by a holder agency.
Compare: 1993 No 28 s 109A
163 Relationship between this subpart and other law relating to information
disclosure
This subpart does not—
(a) limit the collection, use, or disclosure of personal information that—
(i) is authorised or required by or under any enactment; or
(ii) is permitted by the information privacy principles; or
(b) limit subpart 1, 3, or 4.
Compare: 1993 No 28 s 109B
2020 No 31 Privacy Act 2020 Part 7 s 163
101
164 Interpretation
In this subpart,—
access, in relation to a database, includes remote access to that database
accessing agency means an agency specified in the first column of Schedule 3
biometric information, in relation to a person, means information that comprises—
(a) 1 or more of the following kinds of personal information:
(i) a photograph of all or any part of the person’s head and shoulders:
(ii) impressions of the person’s fingerprints:
(iii) a scan of the person’s irises; and
(b) an electronic record of the personal information that is capable of being
used for biometric matching
database means any information recording system or facility used by an
agency to store information
holder agency means an agency specified in the third column of Schedule 3
identity information, in relation to an individual, means any information that
identifies, or relates to the identity of, the individual, and includes (without
limitation) the following information:
(a) the individual’s biographical details (for example, the individual’s name,
address, date of birth, place of birth, and gender):
(b) the individual’s biometric information:
(c) a photograph or visual image of the individual:
(d) details of the individual’s—
(i) New Zealand travel document; or
(ii) certificate of identity:
(e) details of any distinguishing features (including tattoos and birthmarks).
Compare: 1993 No 28 s 109C
165 Access by agencies to identity information
An accessing agency may, for the purpose specified in the second column of
Schedule 3 opposite the name of the accessing agency, have access to an individual’s identity information held by a holder agency specified in the third column of that schedule opposite the name of the accessing agency.
Compare: 1993 No 28 s 109D
166 Manner and form of access
(1) Access to identity information permitted under section 165 may be facilitated
between a holder agency and an accessing agency in the manner agreed by the
Part 7 s 164 Privacy Act 2020 2020 No 31
102
agencies (for example, by direct access to information stored in a holder agency’s database, or by exchange of information between the agencies).
(2) Identity information that is held by a holder agency and accessed by an accessing agency under section 165 may be made available to the accessing agency in
the form agreed by the agencies.
Compare: 1993 No 28 s 109E
167 Annual reporting requirement
The chief executive of an accessing agency must include in every annual report
prepared by the chief executive for the purposes of section 43 of the Public
Finance Act 1989, or any other applicable enactment requiring an annual report
to Parliament, details of the operation of this Part and Schedule 3.
Compare: 1993 No 28 s 109F
168 Power to amend Schedule 3 by Order in Council
(1) The Governor-General may, by Order in Council made on the recommendation
of the responsible Minister given after consultation with the Privacy Commissioner, amend Schedule 3 by—
(a) inserting, repealing, amending, or replacing any item in Schedule 3; or
(b) repealing Schedule 3 and substituting a new schedule.
(2) Before recommending the making of an Order in Council facilitating access by
an accessing agency to identity information held by a holder agency, the
responsible Minister must be satisfied that—
(a) the purpose for which the identity information is to be accessed relates to
a specified function of the accessing agency; and
(b) the identity information to be accessed is no more than is reasonably
necessary to enable the accessing agency to achieve that purpose; and
(c) any potential conflicts or inconsistencies between the sharing of personal
information under Schedule 3 and any other enactment have been identified and appropriately addressed.
Compare: 1993 No 28 s 109G
Subpart 3—Law enforcement information
169 Purpose of this subpart
The purpose of this subpart is to authorise specified public sector agencies to
have access to law enforcement information held by other specified agencies
about identifiable individuals.
170 Relationship between this subpart and other law relating to information
disclosure
This subpart does not—
2020 No 31 Privacy Act 2020 Part 7 s 170
103
(a) limit the collection, use, or disclosure of personal information that—
(i) is authorised or required by or under any enactment; or
(ii) is permitted by the information privacy principles; or
(b) limit subpart 1, 2, or 4.
171 Interpretation
In this subpart, unless the context otherwise requires,—
accessing agency means any public sector agency for the time being specified
in Schedule 4 as an agency to which law enforcement information held by a
holder agency is available
agency includes a court in relation to its judicial functions
holder agency means—
(a) a court holding law enforcement information described in Schedule 4 as
court records; and
(b) a public sector agency specified in Schedule 4 holding law enforcement
information otherwise described in that schedule
law enforcement information means any information that—
(a) is about an identifiable individual; and
(b) is specified in Schedule 4.
Compare: 1993 No 28 s 110
172 Access by accessing agencies to law enforcement information
(1) An accessing agency may have access to law enforcement information held by
a holder agency if such access is authorised by the provisions of Schedule 4.
(2) Subsection (1) overrides—
(a) section 237 and Schedule 1 of the District Court Act 2016; and
(b) section 174 and Schedule 2 of the Senior Courts Act 2016.
Compare: 1993 No 28 s 111
173 Power to amend Schedule 4 by Order in Council
(1) The Governor-General may, by Order in Council made on the recommendation
of the responsible Minister given after consultation with the Privacy Commissioner, amend Schedule 4 by—
(a) inserting, repealing, amending, or replacing any item in Schedule 4; or
(b) repealing Schedule 4 and substituting a new schedule.
(2) However, no Order in Council may be made under subsection (1) that amends
law enforcement information in Schedule 4 that is described in that schedule as
court records.
Part 7 s 171 Privacy Act 2020 2020 No 31
104
Subpart 4—Authorised information matching programmes
174 Purpose of this subpart
The purpose of this subpart is to authorise agencies to compare personal information in accordance with an authorised information matching programme.
175 Application of this subpart
This subpart applies to the disclosure of personal information under an information matching programme authorised by an information matching provision.
176 Relationship between this subpart and other law relating to information
disclosure
This subpart does not—
(a) limit the collection, use, or disclosure of personal information that—
(i) is authorised or required by or under any enactment; or
(ii) is permitted by the information privacy principles; or
(b) limit subparts 1 to 3.
177 Interpretation
In this subpart and Schedule 6, unless the context otherwise requires,—
adverse action means any lawful action of an agency that may adversely affect
the rights, benefits, privileges, obligations, or interests of any specific individual, including any decision—
(a) to cancel or suspend any monetary payment:
(b) to refuse an application for a monetary payment:
(c) to alter the rate or amount of a monetary payment:
(d) to recover an overpayment of a monetary payment:
(e) to impose a penalty:
(f) to recover a penalty or fine:
(g) to make an assessment of the amount of any tax, levy, or other charge, or
of any contribution, that is payable by an individual, or to alter an
assessment of that kind:
(h) to investigate the possible commission of an offence:
(i) to make a deportation order in relation to the individual, to serve the
individual with a deportation liability notice, or to deport the individual
from New Zealand
authorised information matching programme means an information matching programme that is authorised by an information matching provision
2020 No 31 Privacy Act 2020 Part 7 s 177
105
discrepancy, in relation to an authorised information matching programme,
means a result of that programme that warrants the taking of further action by
an agency for the purpose of giving effect to the objective of the programme
information matching programme means the comparison (whether manually
or by means of any electronic or other device) of any document that contains
personal information about 10 or more individuals with 1 or more other documents that contain personal information about 10 or more individuals, for the
purpose of producing or verifying information that may be used for the purpose
of taking adverse action against an identifiable individual
information matching provision means any provision specified in the second
column of Schedule 5 as an information matching provision of an enactment
specified in the first column of that schedule
information matching rules means the rules for the time being set out in
Schedule 6
monetary payment includes—
(a) a benefit as defined in Schedule 2 of the Social Security Act 2018:
(b) a lump sum payable under section 90 of that Act:
(c) any special assistance granted out of a Crown Bank Account from
money appropriated by Parliament under section 101 of that Act:
(d) any monetary entitlement payable under Part 4, 10, or 11 of the Accident
Compensation Act 2001.
Compare: 1993 No 28 s 97
178 Information matching agreements
(1) Personal information held by an agency may be disclosed to another agency
under an authorised information matching programme only in accordance with
a written agreement that—
(a) is entered into between the agencies; and
(b) includes provisions that reflect the information matching rules, or provisions that are no less onerous than those rules.
(2) An agreement may provide that the agencies involved in the authorised information matching programme may charge each other fees for the services provided for the purposes of the programme.
(3) The parties to an agreement entered into under this section must ensure that a
copy of the agreement, and of any amendments subsequently made to the
agreement, are immediately forwarded to the Commissioner.
Compare: 1993 No 28 s 99
179 Use of results of authorised information matching programme
(1) Subject to any other enactment or rule of law that limits or restricts the information that may be taken into account in taking adverse action against an indiPart 7 s 178 Privacy Act 2020 2020 No 31
106
vidual, an agency that is involved in an authorised information matching programme may take adverse action against an individual on the basis of any discrepancy produced by that programme.
(2) If an agency decides to take adverse action against an individual on the basis of
a discrepancy produced by an authorised information matching programme, the
adverse action must be commenced not later than 12 months after the date on
which the agency received or derived information from the programme that
gave rise to the discrepancy (or any extended time limit granted by the Commissioner under section 180).
(3) Subsection (1) does not limit or restrict the use that may lawfully be made, by
an agency, of any information produced by an authorised information matching
programme.
Compare: 1993 No 28 s 100
180 Extension of time limit
If an agency derives or receives information produced by an authorised information matching programme, the Commissioner may, either generally or in
respect of any case or class of cases, grant an extension of the time limit set out
in section 179(2) in respect of that information if the Commissioner is satisfied
that the agency cannot reasonably be required to meet that time limit because
of—
(a) the large quantity of information derived or received by the agency; or
(b) the complexity of the issues involved; or
(c) any other reason.
Compare: 1993 No 28 s 102
181 Notice of adverse action proposed
(1) A specified agency must not take adverse action against an individual on the
basis (whether in whole or in part) of a discrepancy produced by an authorised
information matching programme—
(a) unless that agency has given that individual written notice that—
(i) specifies the particulars of the discrepancy and of the adverse
action that it proposes to take; and
(ii) states that the individual has 5 working days from the receipt of
the notice in which to show cause why the action should not be
taken; and
(b) until the expiration of those 5 working days.
(2) Subsection (1) does not prevent the department for the time being responsible
for the administration of the Social Security Act 2018 from immediately suspending sole parent support, the supported living payment, an emergency bene2020 No 31 Privacy Act 2020 Part 7 s 181
107
fit, jobseeker support, a young parent payment, or a youth payment paid to an
individual if—
(a) the discrepancy arises in respect of departure information supplied to
that department under section 308 of the Customs and Excise Act 2018;
and
(b) before or immediately after the decision to suspend the benefit, the
department gives the individual written notice that—
(i) specifies the particulars of the discrepancy and the suspension of
benefit, and any other adverse action that the department proposes
to take; and
(ii) states that the individual has 5 working days from the receipt of
the notice to show cause why the benefit ought not to have been
suspended or why the adverse action should not be taken, or both.
(3) An adverse action must not be taken under subsection (2) until the expiry of the
5 working days referred to in paragraph (b)(ii).
(4) Subsection (1) does not prevent the Commissioner of Inland Revenue from
immediately taking action to recover amounts relating to—
(a) unpaid amounts owed to the Commissioner by an individual who is in
serious default and who is identified in information supplied to the Commissioner under section 306 of the Customs and Excise Act 2018; or
(b) financial support under the Child Support Act 1991 owed to the Commissioner by an individual who is identified in information supplied to
the Commissioner under section 307 or 313 of the Customs and Excise
Act 2018.
(5) Subsections (1) and (2) do not prevent an agency from taking adverse action
against an individual if compliance with the requirements of those subsections
would prejudice any investigation into the commission of an offence or the
possible commission of an offence.
(6) Subsection (1) does not prevent any constable or any bailiff from immediately
executing a warrant to arrest an individual in respect of the non-payment of all
or any part of a fine if—
(a) the discrepancy arises in respect of arrival and departure information
supplied under section 310 of the Customs and Excise Act 2018; and
(b) before the warrant is executed, the individual concerned is—
(i) informed of the intention to execute the warrant; and
(ii) given an opportunity to confirm that they are the individual named
in the warrant; and
(iii) given the opportunity to confirm that neither of the following circumstances applies:
(A) the fine has been paid:
Part 7 s 181 Privacy Act 2020 2020 No 31
108
(B) an arrangement to pay the fine over time has been entered
into.
(7) In this section,—
amount of reparation has the meaning given to it in section 79(1) of the Summary Proceedings Act 1957
bailiff means a bailiff of the District Court or of the High Court
fine means—
(a) a fine within the meaning of section 79(1) of the Summary Proceedings
Act 1957:
(b) a fine to which section 19 of the Crimes Act 1961 applies:
(c) a fine to which section 43 or 45 of the Misuse of Drugs Amendment Act
1978 applies:
(d) any amount payable under section 138A(1) of the Sentencing Act 2002.
(8) This section is subject to section 180C(1) of the Corrections Act 2004.
Compare: 1993 No 28 s 103(1)–(2), (5)
182 Reporting requirements
(1) If the Commissioner so requires, an agency that is involved in an authorised
information matching programme must report to the Commissioner in respect
of the programme.
(2) Without limiting subsection (1), the matters on which the Commissioner may
require an agency to submit a report include the following:
(a) the actual costs and benefits of an authorised information matching programme:
(b) any difficulties experienced in the operation of an authorised information
matching programme and how those difficulties are being, or have been,
overcome:
(c) whether internal audits or other forms of assessment are undertaken by
an agency in relation to an authorised information matching programme,
and, if so, the results of those audits or assessments:
(d) if an agency dispenses with the giving of notice under section 181, the
reasons why that dispensation is made and the grounds in support of
those reasons:
(e) the details of the operation of an authorised information matching programme, including—
(i) the number of matches undertaken:
(ii) the proportion of matches that revealed discrepancies in information involved in the matching:
(iii) the number of discrepancies revealed:
2020 No 31 Privacy Act 2020 Part 7 s 182
109
(iv) the proportion of cases in which action was taken as a result of the
discrepancies:
(v) the number of cases in which action was taken:
(vi) the number of cases in which action was taken even though the
accuracy of the discrepancy was challenged:
(vii) the proportion of cases in which action did not proceed after the
individual concerned was notified of the discrepancy:
(viii) the number of cases in which action taken as a result of a discrepancy was successful:
(f) any other matters that the Commissioner considers relevant.
Compare: 1993 No 28 s 104
183 Reports on authorised information matching programmes
(1) The Commissioner must, before the end of each calendar year, report to the
responsible Minister on each authorised information matching programme that
is carried out (in whole or in part) during the financial year ending on 30 June
in that year.
(2) A report must set out, in relation to each programme,—
(a) an outline of the programme; and
(b) an assessment of the extent of the programme’s compliance, during that
year, with—
(i) sections 178 to 181; and
(ii) the information matching rules; and
(c) the details of each extension granted under section 180, the reasons why
the extension was granted, and the grounds in support of those reasons.
(3) This section does not require the Commissioner to disclose in any report any
information relating to an information matching programme that would be
likely to frustrate the objective of the programme.
(4) Sections 85 to 89 apply in relation to an assessment carried out by the Commissioner for the purposes of subsection (2)(b), and all references in those sections
to an investigation must be read as a reference to an assessment.
(5) As soon as practicable after receiving a report, the responsible Minister must
present a copy of the report to the House of Representatives.
Compare: 1993 No 28 s 105
184 Reports on information matching provisions
(1) The Commissioner must, at 5-yearly intervals,—
(a) review the operation of every information matching provision and consider, in particular, whether—
Part 7 s 183 Privacy Act 2020 2020 No 31
110
(i) the authority conferred by the information matching provision
should be continued; and
(ii) any amendments to the provision are necessary or desirable; and
(b) report the result of the review to the responsible Minister.
(2) The first report of an information matching provision under this section is due
not later than—
(a) 5 years after the date of the last report prepared in respect of that information matching provision by the Commissioner under section 106 of
the Privacy Act 1993; or
(b) 5 years after the commencement of this section, if no previous report has
been prepared in respect of that information matching provision by the
Commissioner.
Compare: 1993 No 28 s 106(1)
185 Responsible Minister must present copy of report under section 184 and
report setting out Government’s response to House of Representatives
The responsible Minister must—
(a) present a copy of a report under section 184 to the House of Representatives within 5 working days after receiving it from the Commissioner or,
if Parliament is not in session, as soon as practicable after the commencement of the next session of Parliament; and
(b) within 6 months after complying with paragraph (a), present a report to
the House of Representatives setting out the Government’s response to
the report under section 184.
Compare: 1993 No 28 s 106(2)
186 Avoidance of controls on information matching through use of exceptions
to information privacy principles
Despite section 176, if the collection or disclosure of information is authorised
by an information matching provision, nothing in IPP 2(2)(e)(i) or IPP
11(1)(e)(i) authorises or permits the collection or disclosure of that information
for the purposes of—
(a) any authorised information matching programme; or
(b) any information matching programme whose objective is similar in
nature to any authorised information matching programme.
Compare: 1993 No 28 s 108
187 Avoidance of controls on information matching through use of official
information statutes
Despite anything in the Official Information Act 1982 or the Local Government Official Information and Meetings Act 1987, a public sector agency must
not disclose to any other public sector agency under those Acts any personal
2020 No 31 Privacy Act 2020 Part 7 s 187
111
information if the information is sought solely or principally for use in an information matching programme.
Compare: 1993 No 28 s 109
188 Power to amend Schedule 5 by Order in Council
The Governor-General may, by Order in Council made on the recommendation
of the responsible Minister,—
(a) amend Schedule 5 by—
(i) replacing a reference to an information matching provision that
has been renumbered with a reference to the corresponding
renumbered information matching provision:
(ii) repealing an information matching provision; or
(b) repeal Schedule 5.
189 Power to amend Schedule 6 by Order in Council
(1) The Governor-General may, by Order in Council made on the recommendation
of the Privacy Commissioner, amend the information matching rules in Schedule 6.
(2) The power conferred by subsection (1) includes the power to—
(a) replace Schedule 6:
(b) repeal Schedule 6.
Compare: 1993 No 28 s 107
190 Amendments to other enactments related to this subpart
The enactments listed in Schedule 7 are amended in the manner set out in that
schedule.
191 Repeal of section 190 and Schedule 7
Section 190 and Schedule 7 are repealed on the close of 8 December 2020.
Part 8
Prohibiting onward transfer of personal information received in
New Zealand from overseas
192 Interpretation
In this Part, unless the context otherwise requires, transfer prohibition notice
means a notice given under section 193 prohibiting the transfer of personal
information from New Zealand to another country.
Compare: 1993 No 28 s 114A
Part 7 s 188 Privacy Act 2020 2020 No 31
112
193 Prohibition on transfer of personal information outside New Zealand
(1) The Commissioner may prohibit a transfer of personal information from New
Zealand to another country if the Commissioner is satisfied, on reasonable
grounds, that—
(a) the information has been, or will be, received in New Zealand from
another country and is likely to be transferred to a third country where it
will not be subject to a law providing comparable safeguards to those in
this Act; and
(b) the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and in Schedule 8 of this Act.
(2) In determining whether to prohibit a transfer of personal information, the Commissioner must also consider, in addition to the matters set out in subsection (1)
and section 21, the following:
(a) whether the transfer affects, or is likely to affect, any individual; and
(b) the general desirability of facilitating the free flow of information
between New Zealand and other countries; and
(c) any existing or developing international guidelines relevant to transborder data flows, including (but not limited to)—
(i) the OECD Guidelines:
(ii) the General Data Protection Regulation.
(3) Subsection (1) does not apply if the transfer of the information, or the information itself, is—
(a) required or authorised by or under any enactment; or
(b) required by any convention or other instrument that imposes international obligations on New Zealand.
Compare: 1993 No 28 s 114B
194 Commissioner’s power to obtain information
(1) To enable the Commissioner to determine whether to prohibit a transfer of personal information, the Commissioner may hear or obtain information from any
person as the Commissioner considers necessary, and for that purpose subpart 2
of Part 5 applies as if the Commissioner were carrying out an investigation
under that subpart.
(2) In exercising any power under subsection (1), the Commissioner may adopt
any procedure the Commissioner considers appropriate.
Compare: 1993 No 28 s 114C
2020 No 31 Privacy Act 2020 Part 8 s 194
113
195 Transfer prohibition notice
(1) A prohibition under section 193(1) is effected by the service of a transfer prohibition notice on the agency that proposes to transfer the personal information
concerned.
(2) A transfer prohibition notice must—
(a) state the name of the agency to whom it relates; and
(b) describe the personal information concerned; and
(c) state that the transfer of the personal information concerned from New
Zealand to a specified country is prohibited—
(i) absolutely; or
(ii) until the agency has taken the steps stated in the notice to protect
the interests of any individual or individuals affected by the transfer; and
(d) state the time at which the notice takes effect; and
(e) state the ground for the prohibition; and
(f) state that the agency on whom the notice is served may lodge an appeal
against the notice to the Tribunal, and state the time within which the
appeal must be lodged.
(3) The time at which the notice takes effect under subsection (2)(d) must not be
before the end of the period within which an appeal against the notice can be
lodged.
(4) If an appeal is brought, the notice does not take effect until the determination or
withdrawal of the appeal.
(5) If the Commissioner, by reason of special circumstances, considers that the
prohibition should take effect as a matter of urgency in relation to all or any
part of the notice,—
(a) subsections (3) and (4) do not apply; and
(b) the notice takes effect on the sixth working day after the date on which
the notice is served; and
(c) the notice must include—
(i) a statement that the Commissioner considers that the prohibition
must take effect as a matter of urgency; and
(ii) a statement of the reasons why the Commissioner has reached that
conclusion.
Compare: 1993 No 28 s 114D
196 Commissioner may vary or cancel transfer prohibition notice
(1) If, at any time, the Commissioner considers that all or any of the provisions of
a transfer prohibition notice served on an agency need not be complied with in
Part 8 s 195 Privacy Act 2020 2020 No 31
114
order to avoid a contravention of basic principles of privacy or data protection,
the Commissioner may vary or cancel the transfer prohibition notice by serving
notice to that effect on the agency concerned.
(2) An agency on whom a transfer prohibition notice has been served may, at any
time after the end of the period during which an appeal under section 198(1)(a)
can be lodged, apply in writing to the Commissioner for the notice to be varied
or cancelled under subsection (1).
(3) The Commissioner must, within 20 working days after the date on which an
application under subsection (2) is received, notify the agency that the application—
(a) has been granted and that the transfer prohibition notice has been—
(i) varied; or
(ii) cancelled; or
(b) has been refused and give the reason for the refusal.
(4) If the Commissioner cancels or varies a transfer prohibition notice under subsection (1), the variation or cancellation of the notice takes effect on the day
after the date on which notice of the Commissioner’s decision to vary or cancel
the transfer prohibition notice is served.
Compare: 1993 No 28 s 114E
197 Offence in relation to transfer prohibition notice
Every person who, without reasonable excuse, fails or refuses to comply with a
transfer prohibition notice commits an offence and is liable on conviction to a
fine not exceeding $10,000.
Compare: 1993 No 28 s 114F
198 Appeals against transfer prohibition notice
(1) An agency on whom a transfer prohibition notice is served may appeal to the
Tribunal—
(a) against all or any part of the notice; or
(b) if the notice contains a statement by the Commissioner in accordance
with section 195(5)(c), against the decision to include that statement in
respect of all or any part of the notice; or
(c) against the decision of the Commissioner to vary the notice in accordance with section 196(1); or
(d) against the refusal of an application under section 196(2) to vary or cancel the notice.
(2) An appeal under subsection (1) must be lodged,—
(a) in the case of an appeal under subsection (1)(a) or (b), within 15 working
days from the date on which the transfer prohibition notice was served
on the agency concerned:
2020 No 31 Privacy Act 2020 Part 8 s 198
115
(b) in the case of an appeal under subsection (1)(c) or (d), within 15 working
days from the date on which notice of the decision or refusal was served
on the agency concerned.
(3) The Tribunal must allow an appeal or substitute any other decision or notice
that could have been made or served by the Commissioner if it considers that—
(a) the decision or notice against which the appeal is brought is not in
accordance with the law; or
(b) to the extent that the decision or notice involved an exercise of discretion
by the Commissioner, the Commissioner ought to have exercised the discretion differently.
(4) The Tribunal may review any determination of fact on which the decision or
notice in question was based.
(5) On any appeal under subsection (1)(b), the Tribunal may—
(a) direct—
(i) that the notice in question must have effect as if it did not contain
the statement that is mentioned in the notice; or
(ii) that the inclusion of the statement must not have effect in relation
to any part of the notice; and
(b) make any modifications required to give effect to that direction.
Compare: 1993 No 28 s 114G
199 Application of Human Rights Act 1993
Part 4 of the Human Rights Act 1993 (except sections 97, 108A, and 108B)
applies in relation to proceedings under section 198 as if they were proceedings
under that Act.
Compare: 1993 No 28 s 114H
200 Power to amend Schedule 8 by Order in Council
The Governor-General may, by Order in Council,—
(a) amend the principles in Schedule 8 to the extent required to bring them
up to date:
(b) replace Schedule 8 to update the principles.
Compare: 1993 No 28 s 128A
Part 8 s 199 Privacy Act 2020 2020 No 31
116
Part 9
Miscellaneous provisions
General
201 Privacy officers
(1) An agency must appoint as privacy officers for the agency 1 or more individuals (within or outside the agency) whose responsibilities include—
(a) encouraging the agency to comply with the IPPs:
(b) dealing with requests made to the agency under this Act:
(c) working with the Commissioner in relation to investigations conducted
under Part 5 in relation to the agency:
(d) ensuring that the agency complies with the provisions of this Act.
(2) Subsection (1) does not apply to an agency that is an individual who is collecting and holding personal information solely for the purposes of, or in connection with, the individual’s personal or domestic affairs.
Compare: 1993 No 28 s 23
202 Commissioner may require agency to supply information
For the purpose of enabling the Commissioner to respond to inquiries from the
public about personal information held by an agency, the Commissioner may
require an agency to supply—
(a) the name and contact details of the agency’s privacy officer appointed
under section 201; and
(b) any other information that the Commissioner reasonably requires in relation to the personal information held by the agency.
Compare: 1993 No 28 s 22
203 Inquiries
Sections 86 to 90 apply in relation to an inquiry conducted by the Commissioner under section 17(1)(i), and for this purpose all references in those sections to an investigation must be read as a reference to an inquiry.
204 Powers relating to declaratory judgments
(1) If, at any time, it appears to the Commissioner that it may be desirable to
obtain a declaratory judgment or an order of the High Court in accordance with
the Declaratory Judgments Act 1908, the Commissioner may refer the matter to
the Director for the purpose of deciding whether proceedings under that Act
should be instituted.
(2) If a matter is referred to the Director under subsection (1), the Director has sufficient standing to institute proceedings under the Declaratory Judgments Act
1908.
2020 No 31 Privacy Act 2020 Part 9 s 204
117
(3) Subsection (2) applies—
(a) despite anything to the contrary in the Declaratory Judgments Act 1908,
or any other enactment or rule of law; and
(b) whether or not the matter is within the Director’s functions and powers
under this Act or the Human Rights Act 1993.
Compare: 1993 No 28 s 20
205 Protection against certain actions
(1) If any personal information is made available in good faith under IPP 6,—
(a) no proceedings, civil or criminal, may be brought against the Crown or
any other person in respect of the making available of that information,
or in respect of any consequences that follow from the making available
of that information; and
(b) no proceedings, civil or criminal, in respect of any publication involved
in, or resulting from, the making available of that information may be
brought against the author of the information or any other person by reason of that author or other person having supplied the information to an
agency.
(2) The making available of, or the giving of access to, any personal information in
consequence of a request made under IPP 6 is not to be taken, for the purposes
of the law relating to defamation or breach of confidence or infringement of
copyright, to constitute an authorisation or approval of the publication of the
information or of its contents by the individual to whom the information is
made available or the access is given.
Compare: 1993 No 28 s 115
206 Commissioner and staff to maintain secrecy
(1) The following persons must maintain secrecy in respect of all matters that
come to their knowledge in the exercise of their functions under this Act:
(a) the Commissioner, or any person who has held the appointment of Commissioner:
(b) a person who is employed or engaged, or who has been employed or
engaged, by the Commissioner.
(2) Despite subsection (1), the Commissioner may disclose any matters that in the
Commissioner’s opinion ought to be disclosed for the purposes of giving effect
to this Act.
(3) Except where necessary for the purposes of referring a complaint or matter to
the Director, the power conferred by subsection (2) does not extend to—
(a) any matter that might prejudice—
Part 9 s 205 Privacy Act 2020 2020 No 31
118
(i) the security, defence, or international relations of New Zealand
(including New Zealand’s relations with the Government of any
other country or with any international organisation); or
(ii) any interest protected by section 7 of the Official Information Act
1982; or
(iii) the prevention, investigation, or detection of offences; or
(b) any matter that might involve the disclosure of the deliberations of Cabinet; or
(c) any information, answer, document, or thing obtained by the Commissioner by reason only of compliance with a requirement made under section 88(1).
Compare: 1993 No 28 s 116
207 Commissioner may share information with overseas privacy enforcement
authority
(1) The Commissioner may provide to an overseas privacy enforcement authority
any information, or a copy of any document, that the Commissioner—
(a) holds in relation to the performance or exercise of the Commissioner’s
functions, duties, or powers under this Act (including under section 86
or 87) or any other enactment; and
(b) considers may—
(i) assist the authority in the performance or exercise of the authority’s functions, duties, or powers under or in relation to any enactment; or
(ii) enable the authority to reciprocate with the provision of other related information that will assist the Commissioner in the performance or exercise of the Commissioner’s functions, duties, or
powers under this Act or any other enactment.
(2) The Commissioner may impose any conditions that the Commissioner considers appropriate in relation to the provision of any information or copy of any
document under subsection (1), including conditions related to—
(a) the storage and use of, or access to, anything provided:
(b) the copying, return, or disposal of copies of any documents provided.
(3) This section overrides section 206(1).
208 Consultation
(1) The Commissioner may at any time consult any of the following persons about
any matter relating to the functions of the Commissioner under this Act:
(a) an Ombudsman:
(b) the Health and Disability Commissioner:
2020 No 31 Privacy Act 2020 Part 9 s 208
119
(c) the Inspector-General of Intelligence and Security.
(2) For the purpose of consulting a person specified in subsection (1), the Commissioner may disclose to that person any information that the Commissioner considers necessary.
(3) This section overrides section 206(1).
Compare: 1993 No 28 ss 117, 117A, 117B
209 Exclusion of public interest immunity
(1) The rule of law that authorises or requires the withholding of any document, or
the refusal to answer any question, on the ground that the disclosure of the
document or the answering of the question would be injurious to the public
interest does not apply in respect of—
(a) any investigation by or proceedings before the Commissioner or the Tribunal under this Act; or
(b) any application under the Judicial Review Procedure Act 2016 for the
review of any decision under this Act.
(2) Subsection (1) does not entitle any person to any information that the person
would not be entitled to otherwise than under this section.
(3) Subsection (1) does not limit sections 44(2)(d) and 47.
Compare: 1993 No 28 s 119
210 Adverse comment
The Commissioner must not, in any report or statement made pursuant to this
Act or the Crown Entities Act 2004, make any comment that is adverse to any
person unless that person has been given an opportunity to be heard.
Compare: 1993 No 28 s 120
Liability and offences
211 Liability of employers, principals, and agencies
(1) For the purpose of this Act,—
(a) anything done or omitted to be done by a person (A) as an employee of
another person (B) is to be treated as being done or omitted by both A
and B, whether or not it was done or omitted with B’s knowledge or
approval:
(b) anything done or omitted to be done by a person (A) as an agent of
another person (B) is to be treated as being done or omitted by both A
and B, unless it was done or omitted without B’s express or implied
authority:
(c) anything done or omitted to be done by a person as a member of an
agency is to be treated as being done or omitted by both the person and
Part 9 s 209 Privacy Act 2020 2020 No 31
120
the agency, unless it is done or omitted without the agency’s express or
implied authority.
(2) In proceedings under this Act against any person (C) in respect of an act
alleged to have been done by an employee of that person (D), it is a defence to
prove that C took such steps as were reasonably practicable to prevent D from
doing that or any similar act.
(3) Subsection (2) overrides subsection (1)(a).
(4) This section is subject to sections 119 and 120.
Compare: 1993 No 28 s 126
212 Offences
(1) A person commits an offence against this Act and is liable on conviction to a
fine not exceeding $10,000 if the person,—
(a) without reasonable excuse, obstructs, hinders, or resists the Commissioner or any other person in the exercise of their powers under this Act:
(b) without reasonable excuse, refuses or fails to comply with any lawful
requirement of the Commissioner or any other person under this Act.
(2) A person commits an offence against this Act and is liable on conviction to a
fine not exceeding $10,000 if the person—
(a) makes any statement or gives any information to the Commissioner or
any other person exercising powers under this Act, knowing that the
statement or information is false or misleading:
(b) represents directly or indirectly that they hold any authority under this
Act when they do not hold that authority:
(c) misleads an agency by impersonating an individual, or falsely pretending
to be an individual or to be acting under the authority of an individual,
for the purpose of—
(i) obtaining access to that individual’s personal information:
(ii) having that individual’s personal information used, altered, or
destroyed:
(d) destroys any document containing personal information, knowing that a
request has been made in respect of that information under subpart 1 of
Part 4.
Compare: 1993 No 28 s 127
Regulations
213 Regulations: prescribed binding schemes
(1) The Governor-General may, by Order in Council made on the recommendation
of the responsible Minister given after consultation with the Commissioner,
make regulations prescribing binding schemes for the purpose of IPP 12(1)(d).
2020 No 31 Privacy Act 2020 Part 9 s 213
121
(2) The Minister may recommend the making of regulations under subsection (1)
only if the Minister is satisfied that the binding schemes require a foreign person or entity to protect personal information in a way that, overall, provides
comparable safeguards to those in this Act.
214 Regulations: prescribed countries
(1) The Governor-General may, by Order in Council made on the recommendation
of the responsible Minister given after consultation with the Commissioner,
make regulations prescribing countries for the purpose of IPP 12(1)(e).
(2) The Minister may recommend the making of regulations under subsection (1)
only if the Minister is satisfied that the countries have privacy laws that, overall, provide comparable safeguards to those in this Act.
(3) A country may be prescribed subject to any specified limitation or qualification
relating to—
(a) the type of foreign person or entity in that country that personal information may be disclosed to:
(b) the type of personal information that may be disclosed to a foreign person or entity in that country.
215 Other regulations
(1) The Governor-General may, by Order in Council, made on the recommendation of the responsible Minister, make regulations for all or any of the following purposes:
(a) providing the procedure for giving, issuing, or serving notices and documents under this Act, including to persons or agencies who are overseas:
(b) prescribing a body as a regulatory body for the purposes of the definition
of news entity in section 7(1):
(c) specifying the information to be included in a compliance notice under
section 125(1)(e):
(d) prescribing the matters that the Commissioner may specify to a lead
agency as matters that are to be included in a report by the lead agency
under section 155:
(e) providing for such matters as are contemplated by or necessary for giving full effect to this Act and for its due administration.
(2) The responsible Minister may not recommend the making of regulations under
subsection (1)(b) unless the Minister—
(a) has consulted with the Commissioner; and
(b) is satisfied that the body—
(i) acts independently in performing its functions and duties; and
Part 9 s 214 Privacy Act 2020 2020 No 31
122
(ii) encourages news entities to develop and observe principles, standards, or codes of conduct appropriate to the type of news activity
undertaken by the entities, particularly principles, standards, or
codes of conduct in relation to the privacy of individuals; and
(iii) has a proper procedure for receiving and dealing with complaints
about news activities.
Compare: 1993 No 28 s 128
Repeal, revocation, and consequential amendments
216 Repeal and revocation
(1) The Privacy Act 1993 (1993 No 28) is repealed.
(2) The Privacy Regulations 1993 (SR 1993/149) are revoked.
217 Consequential amendments
The enactments specified in Schedule 9 are consequentially amended in the
manner indicated in that schedule.
218 Repeal of section 217 and Schedule 9
Section 217 and Schedule 9 are repealed on the close of 8 December 2020.
2020 No 31 Privacy Act 2020 Part 9 s 218
123
Schedule 1
Transitional, savings, and related provisions
s 5
Part 1
Provisions relating to this Act as enacted
1 Interpretation
In this schedule,—
commencement day means 1 December 2020
this Act means the Privacy Act 2020.
2 Appointment of Privacy Commissioner
The person who immediately before the commencement day held office as the
Privacy Commissioner under the Privacy Act 1993 continues in office on and
after that day as if the person were appointed under section 13 of this Act, and
that person’s instrument of appointment is to be construed accordingly.
3 Appointment of privacy officers
Any person who immediately before the commencement day was a privacy
officer under section 23 of the Privacy Act 1993 continues on and after that day
as a privacy officer under section 201 of this Act.
4 Application of IPP 6 and IPP 7
(1) A request made to an agency under information privacy principle 6 of the Privacy Act 1993 before the commencement day, but not dealt with by that day,
must be treated as a request under IPP 6 and dealt with under this Act.
(2) A request made to an agency under information privacy principle 7 of the Privacy Act 1993 before the commencement day, but not dealt with by that day,
must be treated as a request under IPP 7 and dealt with under this Act.
5 Authorisations
An authorisation given by the Commissioner under section 54 of the Privacy
Act 1993 that is in force immediately before the commencement day continues
in force on and after that day as if it had been made under section 30 of this
Act, and is subject to the same conditions (if any) as applied immediately
before the commencement day.
6 Codes of practice
A code of practice that was issued by the Commissioner under section 46 of the
Privacy Act 1993 and that is in force immediately before the day on which subpart 2 of Part 3 of this Act comes into force continues in force on and after that
Schedule 1 Privacy Act 2020 2020 No 31
124
day as if it had been issued under section 32 of this Act and may at any time be
amended.
7 Complaints
(1) A complaint made before the commencement day under the Privacy Act 1993
that has not been resolved or otherwise dealt with by the Commissioner must
be resolved or otherwise dealt with by the Commissioner under the procedures
in this Act, even though the action that is the subject of the complaint occurred
before that day.
(2) A complaint made after the commencement day under this Act that relates to
an action that occurred before the commencement day must be resolved or
otherwise dealt with by the Commissioner under the procedures in this Act.
(3) Any decision made, or thing done, by the Commissioner under the Privacy Act
1993 in relation to a complaint that before the commencement day was not the
subject of an investigation must be treated as if it had been made or done under
this Act.
8 Investigations and inquiries
(1) This clause applies to—
(a) an investigation that was commenced by the Commissioner under Part 8
of the Privacy Act 1993 before the commencement day, but not completed by that day (a pending investigation):
(b) an investigation that is commenced by the Commissioner under this Act
after the commencement day and that relates to an action that occurred
before the commencement day:
(c) an inquiry that was commenced by the Commissioner under section
13(1)(m) or 61(1) of the Privacy Act 1993 before the commencement
day but not completed by that day (a pending inquiry).
(2) A pending investigation, an investigation referred to in subclause (1)(b), or a
pending inquiry must be continued and completed or, in the case of an investigation referred to in subclause (1)(b), dealt with under this Act.
(3) Any decision made, or thing done, by the Commissioner under the Privacy Act
1993 in relation to a pending investigation or pending inquiry must be treated
as if it had been made or done under this Act.
9 Proceedings
(1) Any proceedings commenced before the Human Rights Review Tribunal under
Part 8 of the Privacy Act 1993 before the commencement day, but not completed by that day, must be continued and completed under this Act.
(2) Any proceedings that are commenced before the Human Rights Review Tribunal under this Act after the commencement day and that relate to an action that
occurred before the commencement day must be dealt with under this Act.
2020 No 31 Privacy Act 2020 Schedule 1
125
10 Notifiable privacy breaches
(1) In this clause, notifiable privacy breach has the meaning given to it in section
112 of this Act.
(2) The provisions of subpart 1 of Part 6 do not apply to a notifiable privacy
breach that occurred before the commencement day even if it continues after
that day.
11 Information matching agreements
(1) An information matching agreement that was made under Part 10 of the Privacy Act 1993 and that is in force immediately before the commencement day
continues in force, in accordance with its terms, as if it had been made under
subpart 4 of Part 7 of this Act and may at any time be amended.
(2) Any decision or thing done under the Privacy Act 1993 before the commencement day in relation to a proposed information matching agreement must be
treated as if it had been made or done under this Act.
12 Information sharing agreements
(1) An information sharing agreement that was made under Part 9A of the Privacy
Act 1993 and that is in force immediately before the commencement day continues in force, in accordance with its terms, as if it had been made under subpart 1 of Part 7 of this Act.
(2) Any decision made or thing done under the Privacy Act 1993 before the commencement day in relation to a proposed information sharing agreement must
be treated as if it had been made or done under this Act.
13 Orders in Council approving information sharing agreements
(1) An Order in Council that was made under sections 96J to 96L of the Privacy
Act 1993 and that is in force immediately before the commencement day continues in force, in accordance with its terms, as if it had been made under sections 145 to 147 of this Act, and may at any time be amended.
(2) An Order in Council that was made under sections 96J to 96L of the Privacy
Act 1993 but has not come into force before the commencement day, continues
to have effect, in accordance with its terms, as if it had been made under sections 145 to 147 of this Act, and may at any time be amended.
14 Transfer prohibition notices
A transfer prohibition notice that was given by the Commissioner under section
114B of the Privacy Act 1993 and that is in force immediately before the commencement day continues in force, in accordance with its terms, as if it had
been given by the Commissioner under section 195 of this Act.
Schedule 1 Privacy Act 2020 2020 No 31
126
15 Police may continue to access law enforcement information in relation to
persons aged 17 years
(1) Subclause (2) applies if, immediately before the commencement day,—
(a) the Police have commenced proceedings against a person aged 17 years,
but those proceedings have not been completed, or, in respect of those
proceedings, sentencing is pending; and
(b) the Police are accessing, or intending to access, the item of law enforcement information in Schedule 5 of the Privacy Act 1993 relating to court
records described as details of hearings.
(2) If this subclause applies, Schedule 5 of the Privacy Act 1993 continues in force
in relation to accessing the records of the person aged 17 years until—
(a) the proceedings referred to in subclause (1)(a) are discontinued or completed:
(b) the sentencing referred to in subclause (1)(a) is completed:
(c) the outcome of the proceedings and sentencing referred to in subclause
(1)(a) has been recorded by the Police.
(3) Subclause (2) does not limit the application of section 19 of the Interpretation
Act 1999.
2020 No 31 Privacy Act 2020 Schedule 1
127
Schedule 2
Approved information sharing agreements
ss 147(2), 161
Name of
agreement
Public service(s) to be facilitated by
agreement
Internet address where copy of
agreement can be accessed Lead agency for agreement
Description of personal information or
type of personal information to be shared
under agreement
Information sharing
to support services
for disengaged
youth: information
sharing agreement
between the
Ministry of
Education and the
Ministry of Social
Development made
on 8 August 2012
To provide services to encourage and help
young persons who have ceased to be
enrolled at a registered school or a tertiary
education organisation to move into, or
remain in, education, training, and
employment rather than receiving financial
support under the Social Security Act 1964
(replaced by the Social Security Act 2018)
http://www.youthservice.govt.nz/
for-providers/provider-guide/
neet-clients/informationsharing.html
Ministry of Social
Development
(a) student name (and any alternative
names):
(b) gender:
(c) ethnicity:
(d) date of birth:
(e) residency information (if known):
(f) address:
(g) home and mobile phone numbers
(if known):
(h) email address:
(i) schools attended (including
geographical regions and deciles):
(j) number of schools attended:
(k) date left school and year level:
(l) leaving reason (for each school):
(m) qualification information at time of
leaving school:
(n) details of any interventions that
student may have participated in:
(o) any information on student’s
participation in tertiary education
Supply of adult
passport
information for the
(a) Inland Revenue collecting student
loan debt (including core
assessment, penalties, and interest):
http://www.ird.govt.nz Inland Revenue (a) first name(s):
(b) surname:
(c) date of birth:
Schedule 2 Privacy Act 2020 2020 No 31
128
Name of
agreement
Public service(s) to be facilitated by
agreement
Internet address where copy of
agreement can be accessed Lead agency for agreement
Description of personal information or
type of personal information to be shared
under agreement
purpose of locating
overseas-based
student loan
borrowers who are
in default of their
repayment
obligations and
child support liable
parents living
overseas who are in
default of their
repayment or
contact obligations
Information sharing
agreement (made on
6 June 2014)
(b) Inland Revenue collecting child
support liable parent debt
(including core assessments and
penalties):
(c) Inland Revenue advising overseasbased borrowers of their student
loan obligations and entitlements,
and requiring compliance with
those obligations:
(d) Inland Revenue advising liable
parents living overseas of their
child support payment obligations
and entitlements, and requiring
compliance with those obligations
(d) passport number:
(e) personal telephone number:
(f) work telephone number:
(g) mobile telephone number:
(h) home address:
(i) passport delivery address:
(j) email address
Information sharing
agreement made
between Inland
Revenue and the
New Zealand Police
on 2 July 2014
entitled
“Information
Sharing Agreement
Between Inland
Revenue and New
Zealand Police
relating to
disclosure of
personal
information to New
Zealand Police for
the purpose of
prevention,
The maintenance of public safety.
Law enforcement and crime prevention, in
particular, the prevention, detection, and
investigation of serious crime and the
provision of evidence of serious crime
http://www.ird.govt.nz Inland Revenue (a) tax information:
(b) financial transaction information:
(c) financial relationship information:
(d) domestic relationship information:
(e) information about assets:
(f) employment information:
(g) personal records:
(h) social assistance information:
(i) personal information about an
identifiable individual’s associates:
(j) any other personal information
Inland Revenue identifies in the
course of performing its usual
functions and duties
2020 No 31 Privacy Act 2020 Schedule 2
129
Name of
agreement
Public service(s) to be facilitated by
agreement
Internet address where copy of
agreement can be accessed Lead agency for agreement
Description of personal information or
type of personal information to be shared
under agreement
detection,
investigation or
providing evidence
of serious crime
pursuant to Part 9A
of the Privacy Act
1993 and section
81A of the Tax
Administration Act
1994, July 2014, as
amended 16 March
2015”
Approved
Information Sharing
Agreement for
Improving Public
Services for At-risk
Children dated 25
June 2015
Improving the well-being of at-risk children http://www.msd.govt.nz
http://
childrensactionplan.govt.nz
Ministry of Social
Development
(a) the name and address of a child,
and the names and address or
addresses, of the child’s parents
and caregivers:
(b) a child’s date of birth:
(c) a notification or an alert from a
health practitioner that a child or
the child’s family is at risk:
(d) any history of harm to a child or
history of harm to a child in the
child’s family:
(e) information about a child’s
physical or mental health that may
indicate that the child has been
abused or neglected or is at risk of
abuse or neglect:
(f) information about a child’s current
and previous well-being, including
financial circumstances, and issues
of concern about the child’s wellbeing, including financial
circumstances:
Schedule 2 Privacy Act 2020 2020 No 31
130
Name of
agreement
Public service(s) to be facilitated by
agreement
Internet address where copy of
agreement can be accessed Lead agency for agreement
Description of personal information or
type of personal information to be shared
under agreement
(g) information about a child’s
psychological or emotional
difficulties:
(h) information about the capacities
and strengths of a child and the
child’s family:
(i) issues of concern that have been
raised with respect to a child’s
education, including any special
education needs:
(j) information that indicates that a
child has a record of a substance
abuse problem or a history of
violence:
(k) information about whether a parent
or caregiver of a child has a mental
illness:
(l) information about whether a parent
or caregiver of a child has a
substance abuse problem or a
history of domestic violence:
(m) information about a person who
may pose a risk to a child and
information about that risk:
(n) any assessments of a child for the
purposes of the Oranga Tamariki
Act 1989
Information Sharing
Agreement for
Sharing Permitted
Information with
Statistics New
Bona fide research in relation to matters of
public interest
Production of official statistics by Statistics
New Zealand
http://www.justice.govt.nz Ministry of Justice Permitted information, being permitted
information that is specified in Part B of the
items relating to court information in
Schedule 2 of the Senior Courts Act 2016,
but not including any permitted information
2020 No 31 Privacy Act 2020 Schedule 2
131
Name of
agreement
Public service(s) to be facilitated by
agreement
Internet address where copy of
agreement can be accessed Lead agency for agreement
Description of personal information or
type of personal information to be shared
under agreement
Zealand made on
14 March 2017
suppressed by or under a court order or any
enactment
Permitted information, being permitted
information that is specified in Part B of the
items relating to court information in
Schedule 1 of the District Court Act 2016,
but not including any permitted information
suppressed by or under a court order or any
enactment
Information Sharing
Agreement Between
Ministry of Social
Development And
Inland Revenue
Department made in
September 2018
The accurate and efficient assessment of
eligibility for, and entitlement to, benefits
and subsidies
The accurate and efficient assessment and
enforcement of tax obligations, including
recovering any associated debt
The accurate and efficient assessment and
enforcement of obligations relating to
benefits and subsidies, including recovering
any associated debt
http://www.msd.govt.nz
http://www.ird.govt.nz
Inland Revenue (a) contact information:
(b) identifying information:
(c) information about domestic
relationships, including—
(i) the current and previous
names, aliases, contact
details, and dates of birth
of persons with whom an
identifiable individual has
or had a domestic
relationship; and
(ii) in relation to any of those
persons, information
about employment,
information about
finances and income,
information about social
assistance, and
information about tax:
(d) information about employment:
(e) information about finances and
income:
(f) information about social
assistance:
(g) information about tax
Schedule 2 Privacy Act 2020 2020 No 31
132
Name of
agreement
Public service(s) to be facilitated by
agreement
Internet address where copy of
agreement can be accessed Lead agency for agreement
Description of personal information or
type of personal information to be shared
under agreement
Information sharing
agreement between
the Ministry of
Justice and the
Crown Law Office
made on 31 July
2017
(a) maintaining an efficient and
effective criminal justice system:
(b) improving the quality of public
prosecutions:
(c) managing the budget for Crown
prosecutions
http://www.justice.govt.nz Ministry of Justice (a) the CRI given to any proceeding
commenced against a person:
(b) permitted information, being
permitted information that is
specified in Part B of the items
relating to court information in
Schedule 2 of the Senior Courts
Act 2016:
(c) permitted information, being
permitted information that is
specified in Part B of the items
relating to court information in
Schedule 1 of the District Court
Act 2016
Information Sharing
Agreement between
the New Zealand
Gang Intelligence
Centre Agencies
made on
7 November 2018
(a) maintaining public safety:
(b) crime prevention:
(c) law enforcement
http://www.police.govt.nz New Zealand Police (a) identifying information:
(b) contact details:
(c) gang associations:
(d) family relationship information:
(e) health and disability information:
(f) education information:
(g) employment information:
(h) social assistance information:
(i) financial information:
(j) financial relationship information:
(k) financial transaction information:
(l) tax information:
(m) housing information:
(n) asset information:
2020 No 31 Privacy Act 2020 Schedule 2
133
Name of
agreement
Public service(s) to be facilitated by
agreement
Internet address where copy of
agreement can be accessed Lead agency for agreement
Description of personal information or
type of personal information to be shared
under agreement
(o) travel, movement, and location
information:
(p) communications information:
(q) criminal investigation information:
(r) immigration information:
(s) import and export information:
(t) threat or risk to safety of others:
(u) next-of-kin information
Information Sharing
Agreement between
Ministry of Social
Development and
New Zealand
Customs Service
made on 1 April
2019
(a) the accurate and efficient
assessment of the entitlement to, or
the eligibility for, any benefit:
(b) the reduction in the amount of
money owed by beneficiaries to the
Crown.
http://www.msd.govt.nz
http://www.customs.govt.nz
Ministry of Social
Development
(a) the individual’s full name:
(b) the individual’s date of birth:
(c) the individual’s gender:
(d) the individual’s nationality:
(e) the individual’s citizenship:
(f) the number of the individual’s New
Zealand travel document:
(g) the individual’s flight or craft
details:
(h) the port where the individual
boarded their plane or craft:
(i) the port where the individual
disembarked from their plane or
craft:
(j) the unique number generated for
the individual’s movement by the
New Zealand Customs Service’s
computer systems:
(k) the time, date, and place of the
individual’s—
Schedule 2 Privacy Act 2020 2020 No 31
134
Name of
agreement
Public service(s) to be facilitated by
agreement
Internet address where copy of
agreement can be accessed Lead agency for agreement
Description of personal information or
type of personal information to be shared
under agreement
(i) departure from New
Zealand; or
(ii) arrival in New Zealand.
Information Sharing
Agreement between
Registrar-General
and New Zealand
Police made on 9
September 2019
Assisting New Zealand Police to perform its
functions relating to the maintenance of the
law specified in section 9 of the Policing
Act 2008
https://www.police.govt.nz
https://www.dia.govt.nz
New Zealand Police (a) death information if an individual’s
death is registered in New Zealand:
(b) name change information if an
individual’s name change is
registered, and the individual’s
birth is registered in New Zealand:
(c) name change information if an
individual’s name change is
registered, but the individual’s
birth is not registered in New
Zealand:
(d) non-disclosure direction made,
withdrawn, or expired in relation
to an individual’s birth
information:
(e) non-disclosure direction made,
withdrawn, or expired in relation
to an individual’s name change
information, if the individual’s
birth is registered in New Zealand:
(f) non-disclosure direction made,
withdrawn, or expired in relation
to an individual’s name change
information, if the individual’s
birth is not registered in New
Zealand.
Information Sharing
Agreement between
(a) the efficient provision of identity
services:
https://www.dia.govt.nz Department of Internal Affairs (a) birth information:
(b) death information:
(c) marriage information:
2020 No 31 Privacy Act 2020 Schedule 2
135
Name of
agreement
Public service(s) to be facilitated by
agreement
Internet address where copy of
agreement can be accessed Lead agency for agreement
Description of personal information or
type of personal information to be shared
under agreement
Department of
Internal Affairs and
Registrar-General
made on 18 October
2019
(b) the prevention, detection,
investigation, and prosecution of
offences:
(c) the conduct of civil proceedings.
(d) civil union information:
(e) name change information:
(f) celebrant information:
(g) overseas death information:
(h) overseas name change information:
(i) overseas marriage and civil union
information:
(j) citizenship information:
(k) New Zealand passport information:
(l) New Zealand emergency travel
document information:
(m) New Zealand certificate of identity
information:
(n) New Zealand refugee travel
document information:
(o) communications information:
(p) customer alerts:
(q) contact details:
(r) name change lodgements.
Schedule 2 Privacy Act 2020 2020 No 31
136
Schedule 3
Identity information
ss 165, 168
Accessing agency Purpose of access Holder agency
Department of
Corrections
To verify the identity of—
(a) a person under
control or
supervision (as
defined in section
3(1) of the
Corrections Act
2004):
(b) a person who, under
section 30B of the
Bail Act 2000, has
been granted bail
with an electronic
monitoring condition
Department of Internal
Affairs
MBIE (Immigration)
Ministry of Health and
District Health Boards (only
in relation to special patients,
restricted patients, and
special care recipients)
Ministry of Justice
New Zealand Police
New Zealand Transport
Agency
Registrar-General
Department of
Internal Affairs
To verify the identity of a
person who has applied for
the issue of—
(a) a New Zealand travel
document:
(b) a certificate of New
Zealand citizenship:
(c) an electronic identity
credential
Department of Corrections
MBIE (Immigration)
Ministry of Health and
District Health Boards (only
in relation to special patients,
restricted patients, and
special care recipients)
New Zealand Police
New Zealand Transport
Agency
MBIE
(Immigration)
To verify the identity of a
person—
(a) who is seeking to
travel to New
Zealand:
(b) who is arriving in or
departing from New
Zealand:
(c) who is applying for a
visa:
(d) who an immigration
officer has good
cause to suspect—
(i) has
committed an
offence
against the
Immigration
Act 2009:
Department of Corrections
Department of Internal
Affairs
Ministry of Health and
District Health Boards (only
in relation to special patients,
restricted patients, and
special care recipients)
Ministry of Justice
New Zealand Customs
Service
New Zealand Police
New Zealand Transport
Agency
Registrar-General
2020 No 31 Privacy Act 2020 Schedule 3
137
Accessing agency Purpose of access Holder agency
(ii) has obtained
a visa under
a fraudulent
identity:
(iii) is liable for
deportation
or
turnaround:
(iv) is unlawfully
in New
Zealand
Ministry of Health
and District Health
Boards
To verify the identity of a
person who—
(a) is being admitted, or
returned, to a
hospital as a special
patient or restricted
patient; or
(b) is being admitted, or
returned, to a secure
facility as a special
care recipient
Department of Corrections
Department of Internal
Affairs
MBIE (Immigration)
New Zealand Police
Registrar-General
New Zealand
Customs Service
To verify the identity of a
person who—
(a) is in a Customscontrolled area; and
(b) is departing, or
attempting to depart,
from New Zealand
Department of Corrections
Department of Internal
Affairs
MBIE (Immigration)
Ministry of Health and
District Health Boards (only
in relation to special patients,
restricted patients, and
special care recipients)
New Zealand Transport
Agency
Registrar-General
New Zealand
Police
To verify the identity of a
person—
(a) whose identifying
particulars have been
taken under section
32 or 33 of the
Policing Act 2008:
(b) whose identifying
particulars have been
taken under section
11 of the Returning
Offenders
(Management and
Information) Act
2015:
Department of Corrections
Department of Internal
Affairs
MBIE (Immigration)
Ministry of Health and
District Health Boards (only
in relation to special patients,
restricted patients, and
special care recipients)
New Zealand Customs
Service
New Zealand Transport
Agency
Schedule 3 Privacy Act 2020 2020 No 31
138
Accessing agency Purpose of access Holder agency
(c) who has breached,
has attempted to
breach, or is
preparing to breach a
condition of any
sentence, or order
imposed under any
enactment, that the
person not leave
New Zealand
Registrar-General
Registrar-General To verify the identity of a
person who has applied for
the registration of a name
change
MBIE (Immigration)
Ministry of Health and
District Health Boards (only
in relation to special patients,
restricted patients, and
special care recipients)
New Zealand Police
New Zealand Transport
Agency
Note:
1 References in this schedule to the Department of Internal Affairs are references to the parts of
the Department of Internal Affairs that administer the Citizenship Act 1977 and the Passports
Act 1992.
2 References in this schedule to MBIE (Immigration) are references to the part of the Ministry
of Business, Innovation, and Employment that administers the Immigration Act 2009.
3 References in this schedule to the Registrar-General are references to the Registrar-General
appointed under section 79(1) of the Births, Deaths, Marriages, and Relationships Registration
Act 1995, and include a Deputy Registrar-General.
2020 No 31 Privacy Act 2020 Schedule 3
139
Schedule 4
Law enforcement information
ss 172, 173
Court records
Subject Description Access available to
Court document
processing
Particulars of proceedings in
respect of which informations
are to be laid or charging
documents filed; the
acceptance of data for and the
preparation of associated
documents
Police
Serious Fraud Office
Department of Corrections
Legal Services Commissioner, limited only
to finding out whether an applicant for
criminal legal aid has any charges currently
pending determination by the courts
Details of hearings Details of hearings of
proceedings in respect of which
informations have been laid or
charging documents have been
filed, including convictions,
sentences, and all other matters
ancillary and subsequent to a
determination
Police (access is limited so as to exclude
details relating to young persons, being
persons over 14 years but under 18 years,
where the offence did not carry a liability to
imprisonment)
New Zealand Transport Agency (access is
limited to traffic cases only)
Serious Fraud Office (access is limited so as
to exclude details relating to young persons,
being persons over 14 years but under 18
years, where the offence did not carry a
liability to imprisonment)
Department of Corrections
Legal Services Commissioner, for the
purpose of determining an application for a
grant of legal aid (access is limited so as to
exclude details relating to young persons,
being persons over 14 years but under 18
years, where the offence did not carry a
liability to imprisonment)
Ministry of Justice (access for the purpose
of responding to requests for criminal
conviction histories)
Enforcement of fines
and other orders
Particulars of writs, warrants,
or orders in force and issued or
made on default in the payment
of fines or other monetary
sums ordered in proceedings;
particulars of the persons to
whom the writs, warrants, or
orders relate; and particulars of
fines, sentences, or orders
imposed or made against those
persons, including the amounts
remaining payable thereunder
and the arrangements for
payment
Police
Department of Corrections
Legal Services Commissioner, for the
purpose of determining an application for a
grant of legal aid in relation to a criminal
matter
Ministry of Justice (access for the purpose
of responding to requests for criminal
conviction histories)
Non-performance of
bail conditions
Records relating to failure to
comply with bail conditions
Police
Schedule 4 Privacy Act 2020 2020 No 31
140
Subject Description Access available to
entered under section 39(3) of
the Bail Act 2000
Ministry of Justice records
Subject Description Access available to
Driver licence stop
orders
Particulars of each order
served, cancelled, or
terminated, the full name, full
address, telephone number,
driver licence number, and date
of birth of the person on whom
the order was served; the date
and time when the order was
served on the person, the date
of the cancellation or
termination of the order, and
any amendments required, as at
the date of service,
cancellation, or termination, to
the person’s full address and
telephone number
New Zealand Transport Agency (access is
limited to recording, on the driver licence
register, the service, cancellation, or
termination of an order and any
amendments required to the person’s full
address and telephone number, and to
replacing a driver licence following the
cancellation or termination of the order)
Police records
Subject Description Access available to
Details of overseas
hearings
Details of hearings of overseas
proceedings before overseas
courts, including convictions,
sentences, and all other matters
ancillary and subsequent to a
determination
Ministry of Justice
Department of Corrections
Serious Fraud Office
Ministry of Business, Innovation, and
Employment (access is limited to obtaining
information for the purposes of section 52
of the Outer Space and High-altitude
Activities Act 2017)
Offender identity Particulars of the identity of
persons who have been charged
with an offence
Department of Corrections (access is
limited to identity details for the purposes
of—
(a) entering information relating to
prosecutions initiated otherwise
than by the Police; or
(b) undertaking criminal history checks
of persons wishing to visit prisons
who have consented to such a
check; or
(c) research conducted by the
department, and with the limitation
that information so obtained must
not be published in a form that
could reasonably be expected to
identify the individual concerned)
Ministry of Justice (access is limited to—
2020 No 31 Privacy Act 2020 Schedule 4
141
Subject Description Access available to
(a) identity details for the purposes
of—
(i) entering information
relating to prosecutions
initiated otherwise than by
the Police; or
(ii) providing assistance to
victims in accordance with
the Sentencing Act 2002,
the Parole Act 2002, the
Victims’ Rights Act 2002,
and the Prisoners’ and
Victims’ Claims Act 2005;
or
(iii) updating an existing
database of court
proceedings; or
(b) obtaining information for the
purpose of research conducted by
the Ministry, and with the limitation
that information so obtained must
not be published in a form that
could reasonably be expected to
identify the individual concerned)
Ministry of Business, Innovation, and
Employment (access is limited to obtaining
information for the purposes of section 52
of the Outer Space and High-altitude
Activities Act 2017)
Victim identity The name, sex, date of birth,
address, and telephone number
of persons who are the victims
of a criminal offence in respect
of which another person has
been charged
Ministry of Justice (access is limited to
identity details for the purpose of providing
assistance to victims in accordance with the
Sentencing Act 2002, the Parole Act 2002,
the Victims’ Rights Act 2002, and the
Prisoners’ and Victims’ Claims Act 2005)
Medical details An indicator to identify persons
who are or have been special
patients under the Mental
Health (Compulsory
Assessment and Treatment)
Act 1992 or any former Act
and the hospitals at which
those persons are or have been
detained as special patients, or
as committed patients, or as
patients (within the meaning of
that Act)
New Zealand Transport Agency (access is
limited to obtaining information for the
purposes of—
(a) section 19 of the Land Transport
Act 1998; or
(b) subpart 2 of Part 4A of the Land
Transport Act 1998)
Department of Corrections
Ministry of Justice
Traffic offence and
infringement
enforcement and
document processing
Traffic offence and
infringement enforcement
processing, including
infringement fees enforcement
and preparation of documents
New Zealand Transport Agency
Ministry of Justice (access is limited to
obtaining information for the purpose of
processing cases before a court)
Legal Services Commissioner (access is
limited to obtaining information for the
Schedule 4 Privacy Act 2020 2020 No 31
142
Subject Description Access available to
purpose of processing cases before a court,
and for determining an application for a
grant of legal aid relating to a criminal
matter)
Vehicles of interest Particulars of motor vehicles
stolen, unlawfully taken,
missing, abandoned, or found,
or where location is for other
reasons required to be known
by the Police
Registrar of Motor Vehicles (access is
limited so as to exclude any particulars that
the Police may determine in any case)
Vehicles impounded
under Land
Transport Act 1998
Particulars of an impounded
vehicle, including make,
model, type, registration plate
number, vehicle identification
number; the section of the Land
Transport Act 1998 under
which it is impounded, the date
on which it was impounded,
and the place where it is
impounded; whether any
appeals are yet to be
determined; particulars of the
person who was driving the
vehicle immediately before its
impoundment, including the
full name, full address,
telephone number, occupation,
driver licence number, and date
of birth of that person and the
same particulars also for every
other person who is registered
in respect of the vehicle
Ministry of Justice (access is limited to
giving effect to action taken, under Part 3 of
the Summary Proceedings Act 1957, to
enforce the payment of fines, reparation,
and related payments)
Wanted persons Particulars concerning persons
wanted for arrest
New Zealand Transport Agency (access is
limited to obtaining information for the
purposes of—
(a) subpart 2 of Part 4A of the Land
Transport Act 1998:
(b) carrying out the functions conferred
on the Agency by section 95(1) of
the Land Transport Management
Act 2003)
Ministry of Justice (access is limited to
persons wanted in connection with fines
enforcement)
Ministry of Business, Innovation, and
Employment (access is limited to obtaining
information for the purposes of section 52
of the Outer Space and High-altitude
Activities Act 2017)
Missing persons Particulars concerning persons
missing or required to be
located
New Zealand Transport Agency (access is
limited so as to exclude any particulars that
the Police may determine in any case)
2020 No 31 Privacy Act 2020 Schedule 4
143
Subject Description Access available to
Ministry of Justice (access is limited to
persons required to be located in connection
with fines enforcement)
Firearms licences Particulars of persons
authorised to possess firearms
in accordance with the Arms
Act 1983
Ministry of Justice (access is limited to
identity details of persons who possess
firearms, where that information is required
for the purpose of serving orders made
under the Family Violence Act 2018)
Protection orders Details of protection orders
made under the Domestic
Violence Act 1995
Department of Corrections (access is
limited to obtaining information about any
offender who is subject to a protection order
while also subject to—
(a) a full-time custodial sentence
(including while released on parole
or subject to conditions imposed
under section 93 of the Sentencing
Act 2002); or
(b) a sentence of supervision, intensive
supervision, community work, or
community detention; or
(c) a non-association order; or
(d) a sentence of home detention
(including while subject to postdetention conditions); or
(e) an extended supervision order; or
(f) a public protection order, a prison
detention order, or a protective
supervision order under the Public
Safety (Public Protection Orders)
Act 2014
Access is for the purpose of managing the
offender’s sentence, any post-sentence
conditions, any post-sentence supervision,
or any order under the Public Safety (Public
Protection Orders) Act 2014 in a manner
consistent with any protection order)
Restraining orders Details of restraining orders
made under the Harassment
Act 1997
Department of Corrections (access is
limited to obtaining information about any
offender who is subject to a restraining
order while also subject to—
(a) a full-time custodial sentence
(including while released on parole
or subject to conditions imposed
under section 93 of the Sentencing
Act 2002); or
(b) a sentence of supervision, intensive
supervision, community work, or
community detention; or
(c) a non-association order; or
(d) a sentence of home detention
(including while subject to postdetention conditions); or
Schedule 4 Privacy Act 2020 2020 No 31
144
Subject Description Access available to
(e) an extended supervision order; or
(f) a public protection order, a prison
detention order, or a protective
supervision order under the Public
Safety (Public Protection) Orders
Act 2014
Access is for the purpose of managing the
offender’s sentence, any post-sentence
conditions, any post-sentence supervision,
or any order under the Public Safety (Public
Protection Orders) Act 2014 in a manner
consistent with any restraining order)
Non-contact orders Details of non-contact orders
made under the Victims’ Orders
Against Violent Offenders Act
2014
Department of Corrections (access is
limited to obtaining information about any
offender who is subject to a non-contact
order while also subject to—
(a) a full-time custodial sentence
(including while released on parole
or subject to an extended
supervision order made under
section 107I of the Parole Act 2002
or to conditions imposed under
section 93 of the Sentencing Act
2002); or
(b) a sentence of intensive supervision,
community detention, community
work, or supervision; or
(c) a non-association order; or
(d) a sentence of home detention
(including while subject to postdetention conditions); or
(e) an extended supervision order; or
(f) a public protection order, a prison
detention order, or a protective
supervision order under the Public
Safety (Public Protection) Orders
Act 2014
Access is for the purpose of managing the
offender’s sentence, any post-sentence
conditions, any post-sentence supervision,
or any order under the Public Safety (Public
Protection Orders) Act 2014 in a manner
consistent with any non-contact order)
New Zealand Transport Agency records
Subject Description Access available to
Driver licence
register (except
photographic images
on driver licences)
A national register of all driver
licences
Department of Corrections
Ministry of Justice
Police
Serious Fraud Office
2020 No 31 Privacy Act 2020 Schedule 4
145
Subject Description Access available to
Road User Charges Collector (access is
limited to obtaining information for the
purpose of verifying the identity of people
who are or apply to be holders of licences
issued under the Road User Charges Act
2012)
Registrar of Motor Vehicles (access is
limited to obtaining information for the
purposes of—
(a) verifying the identity of people who
are or apply to be registered on the
register of motor vehicles in respect
of motor vehicles; or
(b) correcting or updating information
held on the register of motor
vehicles about such people)
Transport services
licensing register
A national register of all
transport service licences
Police
Demerit points The recording of demerit points
in relation to traffic offences
Police
Rail licensing
register
A national register of all
licences under the Railways
Act 2005
Police
Registrar of Motor Vehicles records
Subject Description Access available to
Motor vehicles
register
A national register of all motor
vehicles
Ministry of Justice (including for the
purpose of enforcing civil debts)
Police
Serious Fraud Office
WorkSafe New Zealand (access is limited to
name and address details of persons who are
or were previously registered in respect of a
specified vehicle for the purposes of
enforcing the health and safety at work
legislation)
Ministry of Business, Innovation, and
Employment (access is limited to name and
address details of persons who are or were
previously registered in respect of a
specified vehicle for the purposes of
enforcing immigration legislation)
Ministry for Primary Industries (access is
limited to name and address details of
persons who are or were previously
registered in respect of a specified vehicle
for the purposes of enforcing fisheries
legislation and any other enactment that
confers enforcement powers on fisheries
officers)
Schedule 4 Privacy Act 2020 2020 No 31
146
Subject Description Access available to
New Zealand Customs Service (access is
limited to obtaining information for the
purposes of enforcing legislation for which
the Service has enforcement powers)
New Zealand Transport Agency (access is
limited to obtaining information for the
purposes of carrying out the functions
conferred on the Agency by section 95(1) of
the Land Transport Management Act 2003)
Legal Services Commissioner (access is
limited to obtaining information for the
purpose of determining an applicant’s
financial eligibility for a grant of legal aid
in relation to a criminal matter)
An enforcement authority under the Land
Transport Management Act 2003.
Road User Charges Collector records
Subject Description Access available to
Road user charges Details of licences issued under
the Road User Charges Act
2012 and details of the
corresponding licence holders
Police (access is limited to obtaining
information for the purpose of enforcing the
Road User Charges Act 2012)
New Zealand Transport Agency (access is
limited to obtaining information for the
purposes of carrying out the functions
conferred on the Agency by section 95(1) of
the Land Transport Management Act 2003)
Department of Corrections records
Subject Description Access available to
Community-based
sentences, sentences
of home detention,
and conditions of
release
Particulars of persons—
(a) released on probation
or parole, or released
on conditions under
Part 6 of the Criminal
Justice Act 1985, or
sentenced to
supervision; or
(b) released on parole,
home detention, or
compassionate release
under subpart 2 of Part
1 of the Parole Act
2002 or sentenced to
supervision, intensive
supervision,
community work,
community detention,
or home detention.
Police (access is limited to—
(a) the person’s area of reporting:
(b) in the case of a person released from
a prison, the conditions of the
person’s release (whether imposed
on release or imposed or varied
subsequently, and including any
direction issued to that person by a
probation officer))
Ministry of Justice
Extended
supervision orders
Details of extended supervision
orders made under Part 1A of
the Parole Act 2002
Police (access is for the purpose of
managing the conditions of the extended
supervision order)
2020 No 31 Privacy Act 2020 Schedule 4
147
Subject Description Access available to
Records of prisoners Particulars of prisoners in a
prison, including the date of
release from the prison
Police (access is limited to the location and
the date of release of the prisoner)
Ministry of Justice
Schedule 4 Privacy Act 2020 2020 No 31
148
Schedule 5
Information matching provisions
ss 177, 188
Enactment Information matching provision
Accident Compensation Act 2001 Sections 246, 280, and 281
Births, Deaths, Marriages, and Relationships Registration
Act 1995
Section 78A
Citizenship Act 1977 Section 26A
Corrections Act 2004 Sections 180 to 180D and 181
Customs and Excise Act 2018 Sections 306 to 310
Education Act 1989 Sections 226A, 235F, 307D, and 360
Electoral Act 1993 Sections 263A and 263B
Electronic Identity Verification Act 2012 Section 39
Immigration Act 2009 Sections 294, 295, 298, 299, and 300
Motor Vehicle Sales Act 2003 Sections 120 to 123
Social Security Act 2018 Section 385(3), clauses 13 and 15 of
Schedule 6
Student Loan Scheme Act 2011 Section 208
Tax Administration Act 1994 Clauses 41, 42, 43, and 45 of Schedule
7
2020 No 31 Privacy Act 2020 Schedule 5
149
Schedule 6
Information matching rules
ss 177, 178, 189
1 Notice to individuals affected
(1) Agencies involved in an authorised information matching programme must
take all reasonable steps (which may consist of or include public notification)
to ensure that the individuals who will be affected by the programme are notified of the programme.
(2) Nothing in subclause (1) requires an agency to notify any individual about an
authorised information matching programme if to do so would be likely to frustrate the objective of the programme.
2 Use of unique identifiers
Except as provided in any other enactment, unique identifiers may not be used
as part of any authorised information matching programme unless their use is
essential to the success of the programme.
3 Technical standards
(1) The agency primarily responsible for the operation of an authorised information matching programme must establish and maintain detailed technical standards to govern the operation of the programme.
(2) The technical standards established by an agency in accordance with subclause
(1) must deal with the following matters:
(a) the integrity of the information to be matched, with particular reference
to—
(i) key terms and their definition; and
(ii) relevance, timeliness, and completeness:
(b) the matching techniques to be used in the programme, with particular
reference to—
(i) the matching algorithm:
(ii) any use of unique identifiers:
(iii) the nature of the matters being sought to be identified by the
matching process:
(iv) the relevant information definitions:
(v) the procedure for recognising matches:
(c) the controls being used to ensure the continued integrity of the programme, including the procedures that have been established to confirm
the validity of matching results:
Schedule 6 Privacy Act 2020 2020 No 31
150
(d) the security features included within the programme to minimise and
audit access to personal information, including the means by which the
information is to be transferred between agencies.
(3) The technical standards established in accordance with subclause (1) must be
incorporated in a written document (in this clause, a Technical Standards
Report), and copies of the Technical Standards Report must be held by all
agencies that are involved in the authorised information matching programme.
(4) Variations may be made to a Technical Standards Report by way of a Variation
Report appended to the original report.
(5) The agency that prepares a Technical Standards Report must forward a copy of
that report, and of every Variation Report appended to that report, to the Commissioner.
(6) The Commissioner may at any time direct that a Technical Standards Report be
varied, and that direction must be complied with by the agency that prepared
the report.
(7) Every agency involved in an authorised information matching programme must
comply with the requirements of the associated Technical Standards Report
(including any variations made to the report).
4 Safeguards for individuals affected by results of programmes
(1) The agencies involved in an authorised information matching programme must
establish reasonable procedures for confirming the validity of discrepancies
before an agency seeks to rely on them as a basis for action in respect of an
individual.
(2) Subclause (1) does not apply if the agencies concerned consider that there are
reasonable grounds to believe that the results are not likely to be in error, and in
forming that view the agencies must have regard to the consistency in content
and context of the information being matched.
(3) Where those confirmation procedures do not take the form of checking the
results against the source information, but instead involve direct communication with the individual affected, the agency that seeks to rely on the discrepancy as a basis for action in respect of an individual must notify the individual
affected that no check has been made against the information which formed the
basis for the information supplied for the programme.
(4) Every notification in accordance with subclause (3) must include an explanation of the procedures that are involved in the examination of a discrepancy
revealed by the programme.
5 Destruction of information
(1) In this clause, information matching information means—
2020 No 31 Privacy Act 2020 Schedule 6
151
(a) information that is disclosed to an agency under an information matching provision for use in an authorised information matching programme;
and
(b) information that is produced from an authorised information matching
programme.
(2) Information matching information held by an agency that does not reveal a discrepancy must be destroyed as soon as practicable by the agency.
(3) An agency that holds information matching information that reveals a discrepancy must destroy that information within 60 working days after becoming
aware of the discrepancy unless the agency decides to take adverse action
against any individual on the basis of that discrepancy.
(4) An agency that decides to take adverse action against any individual on the
basis of a discrepancy must destroy the information as soon as practicable after
the information is no longer required.
(5) This clause does not apply in relation to the Inland Revenue Department.
6 No new databank
(1) Subject to subclauses (2) and (3), the agencies involved in an authorised information matching programme must not permit the information used in the programme to be linked or merged in such a way that a new separate permanent
register or databank of information is created about all or any of the individuals
whose information has been subject to the programme.
(2) Subclause (1) does not prevent an agency from maintaining a register of individuals in respect of whom further inquiries are warranted following a discrepancy revealed by the programme, but information relating to an individual may
be maintained on a register of that kind only for so long as is necessary to
enable those inquiries to be carried out, and in no case longer than is necessary
to enable any adverse action to be taken against an individual.
(3) Subclause (1) does not prevent an agency from maintaining a register for the
purpose of excluding individuals from being selected for investigation, but that
register may contain only the minimum amount of information necessary for
that purpose.
Schedule 6 Privacy Act 2020 2020 No 31
152
Schedule 7
Amendments to other enactments related to subpart 4 of Part 7
s 190
Accident Compensation Act 2001 (2001 No 49)
After section 246(7), insert:
(8) On or after 1 December 2020, no information may be requested or provided
under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Replace section 280(2) with:
(2) The purpose of this section is to facilitate the disclosure of information by the
Department of Corrections (the Department) to the Corporation for the purpose of verifying—
(a) the entitlement or eligibility of any person to or for any payment; or
(b) the amount of any payment to which any person is or was entitled or for
which any person is or was eligible.
In section 280(3) and (5), delete “concerned”.
In section 280(3)(b), replace “that Department” with “the Department”.
After section 280(5), insert:
(6) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 281(5), insert:
(6) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
In section 343(1), after “363,”, insert “370, 371,”.
2020 No 31 Privacy Act 2020 Schedule 7
153
Births, Deaths, Marriages, and Relationships Registration Act 1995 (1995 No 16)
After section 78A(4A), insert:
(4B) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an information matching agreement entered into under subpart 4 of
Part 7 of the Privacy Act 2020; or
(c) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Repeal section 78B.
Citizenship Act 1977 (1977 No 61)
In the heading to section 26A, delete “specified”.
In section 26A(1), delete “specified”.
In section 26A(2), replace “a specified agency” with “an agency”.
In section 26A(2), replace “the specified agency” with “the agency”.
After section 26A(5A), insert:
(5B) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an information matching agreement entered into under subpart 4 of Part
7 of the Privacy Act 2020; or
(c) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Replace section 26A(6) with:
(6) In this section, citizenship information—
(a) means information held by the Secretary that relates to the acquisition or
loss of citizenship by, or the citizenship status of, any person; and
(b) includes information as to any change of identity or gender.
In the Schedule 4 heading, delete “specified”.
In Schedule 4, heading above first column of table, replace “Specified agency” with
“Agency”.
Corrections Act 2004 (2004 No 50)
After section 180A(3), insert:
Schedule 7 Privacy Act 2020 2020 No 31
154
Corrections Act 2004 (2004 No 50)—continued
(4) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 181(5), insert:
(5A) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Customs and Excise Act 2018 (2018 No 4)
After section 306(5), insert:
(5A) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 307(5), insert:
(5A) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 308(5), insert:
(5A) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
2020 No 31 Privacy Act 2020 Schedule 7
155
Customs and Excise Act 2018 (2018 No 4)—continued
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 309(6), insert:
(6A) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 310(5), insert:
(5A) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Education Act 1989 (1989 No 80)
In section 226A(3), delete “, in accordance with arrangements under the Privacy Act
1993 previously agreed between the chief executive and any institution (or, where
they are unable to agree, in accordance with arrangements under that Act settled by
the Privacy Commissioner appointed under the Privacy Act 1993),”.
Replace section 226A(9) with:
(9) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an information matching agreement entered into under subpart 4 of
Part 7 of the Privacy Act 2020; or
(c) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
(10) In respect of any information matching agreement referred to in subsection (9),
section 182 of the Privacy Act 2020 applies as if subsection (1) of that section
also required the Commissioner, before seeking a report on any of the matters
in section 182(2)(a), (d), and (e) from a tertiary institution, to seek a report on
Schedule 7 Privacy Act 2020 2020 No 31
156
Education Act 1989 (1989 No 80)—continued
the matter from the department for the time being responsible for the administration of the Social Security Act 2018.
In section 235F(3), delete “in accordance with arrangements under the Privacy Act
1993 previously agreed between the chief executive and any institution (or, where
they are unable to agree, in accordance with arrangements under that Act settled by
the Privacy Commissioner appointed under the Privacy Act 1993),”.
Replace section 235F(9) with:
(9) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
(10) In respect of any information matching agreement referred to in subsection (9),
section 182 of the Privacy Act 2020 applies as if subsection (1) of that section
also required the Commissioner, before seeking a report on any of the matters
in section 182(2)(a), (d), and (e) from a private training establishment, to seek a
report on the matter from the department for the time being responsible for the
administration of the Social Security Act 2018.
After section 307D(1), insert:
(1A) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
In section 360(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
In section 360(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
After section 360(3), insert:
(3A) On or after 1 December 2020, no information may be exchanged under this
section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
2020 No 31 Privacy Act 2020 Schedule 7
157
Electoral Act 1993 (1993 No 87)
After section 263A(6), insert:
(7) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 263B(5), insert:
(5A) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Electronic Identity Verification Act 2012 (2012 No 123)
After section 39(4), insert:
(5) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an information matching agreement entered into under subpart 4 of Part
7 of the Privacy Act 2020; or
(c) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Immigration Act 2009 (2009 No 51)
After section 294(4), insert:
(4A) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 295(3), insert:
Schedule 7 Privacy Act 2020 2020 No 31
158
Immigration Act 2009 (2009 No 51)—continued
(3A) On or after 1 December 2020, no information may be exchanged under this
section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 298(6), insert:
(6A) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 299(5), insert:
(5A) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 300(8), insert:
(8A) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Motor Vehicle Sales Act 2003 (2003 No 12)
After section 121(2), insert:
(3) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
2020 No 31 Privacy Act 2020 Schedule 7
159
Motor Vehicle Sales Act 2003 (2003 No 12)—continued
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
After section 123(2), insert:
(3) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Public and Community Housing Management Act 1992 (1992 No 76)
Repeal Part 6.
Social Security Act 2018 (2018 No 32)
In Schedule 1, replace clause 62 with:
62 Information disclosure arrangements and determinations
Arrangements or determinations made under section 126A or 126AC of the
Social Security Act 1964 are saved as if they were arrangements or determinations made under (as the case requires) clause 13 or 15 of Schedule 6.
In Schedule 6, after clause 13(5), insert:
(5A) On or after 1 December 2020, no information may be supplied under this
clause except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
In Schedule 6, repeal clause 14.
In Schedule 6, after clause 15(6), insert:
(7) On or after 1 December 2020, no information may be given under this clause
except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Schedule 7 Privacy Act 2020 2020 No 31
160
Student Loan Scheme Act 2011 (2011 No 62)
After section 208(4), insert:
(5) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Tax Administration Act 1994 (1994 No 166)
Repeal section 46A.
In Schedule 7, after clause 41(8), insert:
(8A) On or after 1 December 2020, no information may be disclosed under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
In Schedule 7, after clause 42(2), insert:
(2A) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
In Schedule 7, after clause 43(6), insert:
(6A) On or after 1 December 2020, no information may be supplied under this section except under—
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
In Schedule 7, after clause 45(5), insert:
(5A) On or after 1 December 2020, no information may be supplied under this section except under—
2020 No 31 Privacy Act 2020 Schedule 7
161
Tax Administration Act 1994 (1994 No 166)—continued
(a) an information matching agreement entered into under Part 10 of the Privacy Act 1993 and continued by clause 11 of Schedule 1 of the Privacy
Act 2020; or
(b) an approved information sharing agreement entered into under subpart 1
of Part 7 of the Privacy Act 2020.
Schedule 7 Privacy Act 2020 2020 No 31
162
Schedule 8
Basic principles of national application set out in Part Two of OECD
Guidelines
ss 193, 200
Collection limitation principle
There should be limits to the collection of personal data and any such data should be
obtained by lawful and fair means and, where appropriate, with the knowledge or
consent of the data subject.
Data quality principle
Personal data should be relevant to the purposes for which they are to be used, and, to
the extent necessary for those purposes, should be accurate, complete, and kept up-todate.
Purpose specification principle
The purposes for which personal data are collected should be specified not later than
at the time of data collection and the subsequent use limited to the fulfilment of those
purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use limitation principle
Personal data should not be disclosed, made available or otherwise used for purposes
other than those specified in accordance with [the Purpose specification principle
above] except:
(a) with the consent of the data subject; or
(b) by the authority of law.
Security safeguards principle
Personal data should be protected by reasonable security safeguards against such risks
as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness principle
There should be a general policy of openness about developments, practices and
policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as
well as the identity and usual residence of the data controller.
Individual participation principle
An individual should have the right:
(a) to obtain from a data controller, or otherwise, confirmation of whether or not
the data controller has data relating to him;
2020 No 31 Privacy Act 2020 Schedule 8
163
(b) to have communicated to him, data relating to him—

• within a reasonable time;
• at a charge, if any, that is not excessive;
• in a reasonable manner; and
• in a form that is readily intelligible to him;
  (c) to be given reasons if a request made under subparagraphs (a) and (b) is
  denied, and to be able to challenge such denial; and
  (d) to challenge data relating to him and, if the challenge is successful to have the
  data erased, rectified, completed or amended.
  Accountability principle
  A data controller should be accountable for complying with measures which give
  effect to the principles stated above.
  Schedule 8 Privacy Act 2020 2020 No 31
  164
  Schedule 9
  Consequential amendments
  s 217
  Part 1
  Amendments to Acts
  Accident Compensation Act 2001 (2001 No 49)
  In section 246(7), replace “section 103 of the Privacy Act 1993” with “section 181 of
  the Privacy Act 2020”.
  In section 289(6)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 290(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 295(5), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Animal Products Act 1999 (1999 No 93)
  In section 161(2), replace “privacy principles 2 and 11 of the Privacy Act 1993” with
  “information privacy principles 2 and 11 set out in section 22 of the Privacy Act
  2020”.
  Animal Welfare Act 1999 (1999 No 142)
  In section 103(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (2009
  No 35)
  In section 36(2) and (3), replace “privacy principles 5 to 11 in section 6 of the Privacy
  Act 1993” with “information privacy principles 5 to 12 set out in section 22 of the
  Privacy Act 2020”.
  In section 139(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 146(1)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Auditor Regulation Act 2011 (2011 No 21)
  In section 46(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 46(4) with:
  (4) A person who searches the register for personal information in breach of this
  section must be treated, for the purposes of Parts 5 and 6 of the Privacy Act
  2020, as having breached an information privacy principle under section
  69(2)(a)(i) of that Act.
  Biosecurity Act 1993 (1993 No 95)
  In section 41G(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 41I(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  2020 No 31 Privacy Act 2020 Schedule 9
  165
  Births, Deaths, Marriages, and Relationships Registration Act 1995 (1995 No 16)
  In section 2, definition of approved information sharing agreement and information sharing agreement, replace “section 96C of the Privacy Act 1993” with “section
  138 of the Privacy Act 2020”.
  In section 2, definition of Privacy Commissioner, replace “section 12 of the Privacy
  Act 1993” with “section 13 of the Privacy Act 2020”.
  In section 75E(1), replace “section 2 of the Privacy Act 1993” with “section 7(1) of
  the Privacy Act 2020”.
  In the heading to section 78A, delete “specified”.
  In section 78A(1), delete “specified”.
  In section 78A(2), replace “a specified agency” with “an agency”.
  In section 78A(2), replace “the specified agency” with “the agency”.
  Repeal section 78A(5).
  In section 78A(6), replace “a specified agency” with “an agency”.
  In the Schedule 1A heading, delete “specified”.
  In Schedule 1A, heading above first column of table, replace “Specified agency”
  with “Agency”.
  Broadcasting Act 1989 (1989 No 25)
  In section 2(1), definition of individual, replace “section 2(1) of the Privacy Act
  1993” with “section 7(1) of the Privacy Act 2020”.
  In section 21(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Brokering (Weapons and Related Items) Controls Act 2018 (2018 No 9)
  Repeal section 44.
  Repeal Schedule 2.
  Building Act 2004 (2004 No 72)
  In section 308, replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  Charities Act 2005 (2005 No 39)
  In section 29, replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  Child Protection (Child Sex Offender Government Agency Registration) Act
  2016 (2016 No 42)
  In section 43(2)(g), replace “section 2 of the Privacy Act 1993” with “section 7(1) of
  the Privacy Act 2020”.
  Schedule 9 Privacy Act 2020 2020 No 31
  166
  Child Protection (Child Sex Offender Government Agency Registration) Act
  2016 (2016 No 42)—continued
  In section 43(3)(a), replace “section 111 of the Privacy Act 1993” with “section 172
  of the Privacy Act 2020”.
  Children’s Commissioner Act 2003 (2003 No 121)
  In section 22(2)(c), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 22(4), replace “sections 27 to 29 of the Privacy Act 1993” with “sections
  49 to 53 of the Privacy Act 2020”.
  Civil Aviation Act 1990 (1990 No 98)
  In section 10(7)(a)(i), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 10(7)(a)(ii), replace “section 27(1)(d)” with “section 49(1)(a)(i)”.
  In section 19(7)(a)(i), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 19(7)(a)(ii), replace “section 27(1)(d)” with “section 49(1)(a)(i)”.
  In section 74(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Climate Change Response Act 2002 (2002 No 40)
  In section 52(1)(a)(ii), replace “principles of the Privacy Act 1993” with “information
  privacy principles set out in section 22 of the Privacy Act 2020”.
  Companies Act 1993 (1993 No 105)
  In section 371A(5), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Conservation Act 1987 (1987 No 65)
  In section 17U(1)(g), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Coroners Act 2006 (2006 No 38)
  In section 29(2)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Corrections Act 2004 (2004 No 50)
  In section 110A(b)(i), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 110A(b)(iv), replace “section 54(1) of the Privacy Act 1993” with “section
  30 of the Privacy Act 2020”.
  In the heading to section 110C, replace “Privacy Act 1993” with “Privacy Act
  2020”.
  In section 110C, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 117(2)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 117(2)(c), replace “section 2(1) of the Privacy Act 1993” with “section 7(1)
  of the Privacy Act 2020”.
  2020 No 31 Privacy Act 2020 Schedule 9
  167
  Corrections Act 2004 (2004 No 50)—continued
  In section 117(2)(d), replace “section 54(1) of the Privacy Act 1993” with “section 30
  of the Privacy Act 2020”.
  In the heading to section 119, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 119, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 120(1)(a)(iv) and (2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 180C(2), definition of adverse action, replace “section 97 of the Privacy
  Act 1993” with “section 177 of the Privacy Act 2020”.
  In section 180C(2), definition of discrepancy, replace “section 97 of the Privacy Act
  1993” with “section 177 of the Privacy Act 2020”.
  In section 180C(2), definition of working day, replace “section 2(1) of the Privacy
  Act 1993” with “section 7(1) of the Privacy Act 2020”.
  In section 180C(3), (4), and (5), replace “section 103(1) of the Privacy Act 1993”
  with “section 181 of the Privacy Act 2020”.
  In section 181A(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 181A(4), definition of specified agency, paragraph (c), replace “section 2
  of the Privacy Act 1993” with “section 7(1) of the Privacy Act 2020”.
  In section 182A(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 182C(f), replace “section 2 of the Privacy Act 1993” with “section 7(1) of
  the Privacy Act 2020”.
  In section 182D(2)(c), replace “section 6 of the Privacy Act 1993” with “section 22 of
  the Privacy Act 2020”.
  Criminal Cases Review Commission Act 2019 (2019 No 66)
  In section 35(3), replace “of the Privacy Act 1993” with “set out in section 22 of the
  Privacy Act 2020”.
  In section 36(2)(g), replace “section 2(1) of the Privacy Act 1993” with “section 7(1)
  of the Privacy Act 2020”.
  Criminal Disclosure Act 2008 (2008 No 38)
  In section 6(1), replace the definition of publicly available publication with:
  publicly available publication means a publication (including a register, list,
  or roll of data) in printed or electronic form that is, or will be, generally available to members of the public free of charge or on payment of a fee
  Criminal Investigations (Bodily Samples) Act 1995 (1995 No 55)
  In section 24R(1)(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 24R(4) with:
  Schedule 9 Privacy Act 2020 2020 No 31
  168
  Criminal Investigations (Bodily Samples) Act 1995 (1995 No 55)—continued
  (4) Nothing in this section limits the jurisdiction of the Privacy Commissioner
  under the Privacy Act 2020 to investigate any complaint made under Part 5 of
  that Act.
  In section 27(1)(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 27(3) with:
  (3) Nothing in this section limits the jurisdiction of the Privacy Commissioner
  under the Privacy Act 2020 to investigate any complaint made under Part 5 of
  that Act.
  Criminal Procedure (Mentally Impaired Persons) Act 2003 (2003 No 115)
  In section 46(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Criminal Records (Clean Slate) Act 2004 (2004 No 36)
  In section 4, definition of law enforcement agency, replace “Schedule 5 of the Privacy Act 1993” with “Schedule 4 of the Privacy Act 2020”.
  Criminal Records (Expungement of Convictions for Historical Homosexual
  Offences) Act 2018 (2018 No 7)
  In section 4, definition of law enforcement agency, paragraph (a), replace “Schedule
  5 of the Privacy Act 1993” with “Schedule 4 of the Privacy Act 2020”.
  In section 10(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 13(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 14(1)(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Crown Organisations (Criminal Liability) Act 2002 (2002 No 37)
  Replace section 10(1)(b)(iii) with:
  (iii) section 86 or 87 of the Privacy Act 2020; or
  Crown Pastoral Land Act 1998 (1998 No 65)
  In section 51(2)(f), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Customs and Excise Act 2018 (2018 No 4)
  In section 302(2), replace “section 6 of the Privacy Act 1993” with “section 22 of the
  Privacy Act 2020”.
  In section 303(2), replace “section 6 of the Privacy Act 1993” with “section 22 of the
  Privacy Act 2020”.
  In section 326(5), replace “section 6 of the Privacy Act 1993” with “section 22 of the
  Privacy Act 2020”.
  In section 357(6), replace “section 6 of the Privacy Act 1993” with “section 22 of the
  Privacy Act 2020”.
  2020 No 31 Privacy Act 2020 Schedule 9
  169
  District Court Act 2016 (2016 No 49)
  In section 236(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 237(2), (3), and (4), replace “Privacy Act 1993” with “Privacy Act 2020”
  in each place.
  Dog Control Act 1996 (1996 No 13)
  Repeal section 35(5)(f)(i).
  Earthquake Commission Act 1993 (1993 No 84)
  In section 31A(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 31A(5), definition of serious threat, replace “section 2(1) of the Privacy
  Act 1993” with “section 7(1) of the Privacy Act 2020”.
  Education Act 1989 (1989 No 80)
  In section 18AA(1)(f), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 226A(8) with:
  (8) Information supplied by an institution under subsection (7) must be in a form
  previously agreed between the institution and the chief executive under the Privacy Act 2020 (or, where they are unable to agree, in a form settled by the Privacy Commissioner), and may include coded information.
  Replace section 235F(8) with:
  (8) Information supplied by a private training establishment under subsection (7)
  must be in a form previously agreed between the private training establishment
  and the chief executive under the Privacy Act 2020 (or, where they are unable
  to agree, in a form settled by the Privacy Commissioner), and may include
  coded information.
  Electoral Act 1993 (1993 No 87)
  In section 111A(b)(iii), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 111E(3)(c), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 204I(7), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 204X with:
  204X When search constitutes interference with privacy of individual
  A search of the register for personal information that has not been carried out
  for a purpose specified in section 204S constitutes an action that is an interference with the privacy of an individual under section 69 of the Privacy Act
  2020.
  Schedule 9 Privacy Act 2020 2020 No 31
  170
  Electricity Act 1992 (1992 No 122)
  In section 141, replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  Electricity Industry Act 2010 (2010 No 116)
  In section 134(3), replace “section 66 of the Privacy Act 1993” with “section 69 of
  the Privacy Act 2020”.
  In Schedule 4, clause 17(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Electronic Identity Verification Act 2012 (2012 No 123)
  In section 7, definition of personal information, replace “section 2 of the Privacy
  Act 1993” with “section 7(1) of the Privacy Act 2020”.
  In section 7, definition of Privacy Commissioner, replace “section 12 of the Privacy
  Act 1993” with “section 13 of the Privacy Act 2020”.
  Replace section 40(2) with:
  (2) This section applies despite rule 5 of the information matching rules set out in
  Schedule 6 of the Privacy Act 2020.
  In the heading to section 59, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 59(1), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 59(2), replace “principle 7(3) in section 6 of the PA” with “principle 7 set
  out in section 22 of the PA”.
  In section 59(4), replace “in section 6” with “set out in section 22”.
  In section 59(5), replace “in section 6 of the PA, as required by the precedence given
  to this Act by section 7(1) and (2) of the PA” with “set out in section 22 of the PA, as
  required by the precedence given to this Act by section 24(1) of the PA”.
  In section 59(6), replace “Part 8, a person is taken to have breached an information
  privacy principle under its section 66(1)(a)(i)” with “Part 5, a person is taken to have
  breached an information privacy principle under its section 69(2)(a)(i)”.
  In section 59(7), replace “Part 8” with “Part 5”.
  Repeal section 59(8).
  In section 65(2), replace “Part 8 of the Privacy Act 1993” with “Part 5 of the Privacy
  Act 2020”.
  Employment Relations Act 2000 (2000 No 24)
  Replace section 4(1C)(a)(ii) with:
  (ii) the Privacy Act 2020 (despite section 24(1) of that Act):
  In section 34(8), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 69G(2)(e)(iii), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 69OEA(7), replace “Privacy Act 1993” with “Privacy Act 2020”.
  2020 No 31 Privacy Act 2020 Schedule 9
  171
  Employment Relations Act 2000 (2000 No 24)—continued
  In section 233B(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Energy Efficiency and Conservation Act 2000 (2000 No 14)
  In section 38(6), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Environmental Protection Authority Act 2011 (2011 No 14)
  In section 24(2), replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  In section 30(2), replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  In section 45(5), replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  In section 50(5), replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  Fair Trading Act 1986 (1986 No 121)
  In section 48A(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Family Violence Act 2018 (2018 No 46)
  In section 19, definition of personal information, replace “section 2 of the Privacy
  Act 1993” with “section 7(1) of the Privacy Act 2020”.
  In section 21(2)(b), replace “information privacy principle 11 in section 6 of the Privacy Act 1993” with “information privacy principle 11 or 12 in section 22 of the Privacy Act 2020”.
  In section 23(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 205(5), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 230, definition of Privacy Commissioner, replace “Privacy Act 1993”
  with “Privacy Act 2020”.
  In section 230, replace the definition of public register with:
  public register means a register, roll, list, or other publication containing personal information that—
  (a) is established and maintained in any form under an enactment; and
  (b) is, or will be, generally available to members of the public free of charge
  or on payment of a fee
  Replace section 247(2) with:
  (2) The provisions referred to in subsection (1) are sections 72 to 74, 80, 81, 82, 86
  to 90, 96, 205, 206, and 208 to 212 of the Privacy Act 2020.
  In the heading to section 256, replace “Privacy Act 1993” with “Privacy Act 2020”.
  Schedule 9 Privacy Act 2020 2020 No 31
  172
  Family Violence Act 2018 (2018 No 46)—continued
  In section 256, replace “Sections 47 to 52 of the Privacy Act 1993” with “Sections 33
  to 37 of the Privacy Act 2020”.
  Financial Advisers Act 2008 (2008 No 91)
  In section 151(5)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Financial Markets Authority Act 2011 (2011 No 5)
  In section 30(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 32(1)(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 33(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 44(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 54(1)(c), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 59(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 60(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 66 with:
  66 Part does not limit Privacy Act 2020
  Nothing in this Part limits the Privacy Act 2020.
  In section 72(2), replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  In section 78(3), replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  Financial Markets Conduct Act 2013 (2013 No 69)
  In Schedule 2, replace clause 12(4) with:
  (4) A person who searches the register for personal information in breach of this
  clause must be treated, for the purposes of Parts 5 and 6 of the Privacy Act
  2020, as having breached an information privacy principle under section
  69(2)(a)(i) of that Act.
  Financial Reporting Act 2013 (2013 No 101)
  In section 21, definitions of personal information and Privacy Commissioner,
  replace “section 2(1) of the Privacy Act 1993” with “section 7(1) of the Privacy Act
  2020”.
  Replace section 23 with:
  2020 No 31 Privacy Act 2020 Schedule 9
  173
  Financial Reporting Act 2013 (2013 No 101)—continued
  23 Disclosure required to comply with standards does not breach information
  privacy principles
  (1) The disclosure of personal information is not a breach of information privacy
  principle 10, 11, or 12 set out in section 22 of the Privacy Act 2020 if the disclosure is required for compliance with a standard or an authoritative notice.
  (2) Subsection (1) does not apply to standards issued or approved before the commencement of the Financial Reporting Amendment Act 2001.
  Financial Service Providers (Registration and Dispute Resolution) Act 2008
  (2008 No 97)
  In section 32(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 33 with:
  33 When search breaches information privacy principle
  A person who searches a public register for personal information for a purpose
  that is not a purpose set out in section 32 must be treated, for the purposes of
  Parts 5 and 6 of the Privacy Act 2020, as having breached an information privacy principle under section 69(2)(a)(i) of that Act.
  In section 67(1)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 69(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Fire and Emergency New Zealand Act 2017 (2017 No 17)
  In section 97(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 98(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In Schedule 1, clause 5(2), replace “section 66 of the Privacy Act 1993” with “section
  69 of the Privacy Act 2020”.
  In Schedule 1, clause 6(2), replace “section 66 of the Privacy Act 1993” with “section
  69 of the Privacy Act 2020”.
  In Schedule 1, clause 7(2), replace “section 66 of the Privacy Act 1993” with “section
  69 of the Privacy Act 2020”.
  Fisheries Act 1996 (1996 No 88)
  In the heading to section 102, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 102(1), delete “public registers for the purposes of the Privacy Act 1993
  and shall be”.
  Replace section 129(1) with:
  (1) The registers kept under this Part must be open for inspection by members of
  the public on payment of the prescribed fee (if any) during ordinary office
  hours, and the chief executive must, on request and on payment of a reasonable
  charge, supply to any person copies of all or any part of a register.
  Schedule 9 Privacy Act 2020 2020 No 31
  174
  Fisheries Act 1996 (1996 No 88)—continued
  (1A) Subsection (1) is subject to section 130.
  Repeal section 186M(1).
  In section 296ZH(2), replace “Information Privacy Principle 12(2) of the Privacy Act
  1993” with “information privacy principle 13(2) set out in section 22 of the Privacy
  Act 2020”.
  Food Act 2014 (2014 No 32)
  In section 368(2)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 370(2)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Gambling Act 2003 (2003 No 51)
  In section 233(c), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Game Animal Council Act 2013 (2013 No 98)
  In section 26(6)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Harmful Digital Communications Act 2015 (2015 No 63)
  In section 24(5), replace “privacy principle 11(e)(iv) in section 6 of the Privacy Act
  1993” with “information privacy principle 11(1)(e)(iv) set out in section 22 of the Privacy Act 2020”.
  In section 24(6), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Hazardous Substances and New Organisms Act 1996 (1996 No 30)
  In section 82C(6)(a)(i), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 82C(6)(a)(ii), replace “section 27(1)(d)” with “section 49(1)(a)(i)”.
  In section 97C(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Health Act 1956 (1956 No 65)
  In section 22B, definition of agency, replace “section 2 of the Privacy Act 1993” with
  “section 7(1) of the Privacy Act 2020”.
  In section 22C(1)(b)(i), replace “section 46 of the Privacy Act 1993” with “section 32
  of the Privacy Act 2020”.
  In section 22C(1)(b)(ii), replace “section 6” with “section 22”.
  In section 22C(3), replace “principle 11(d) of the Privacy Act 1993” with “information privacy principle 11(1)(c) set out in section 22 of the Privacy Act 2020”.
  In section 22F(2)(c), replace “section 46 of the Privacy Act 1993” with “section 32 of
  the Privacy Act 2020”.
  In section 22F(3)(c), replace “section 6 of the Privacy Act 1993” with “section 22 of
  the Privacy Act 2020”.
  2020 No 31 Privacy Act 2020 Schedule 9
  175
  Health Act 1956 (1956 No 65)—continued
  In section 22F(4), replace “Part 8 of the Privacy Act 1993” with “Part 5 of the Privacy Act 2020”.
  In section 92I(9), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 92J(9), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 92K(9), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 92U, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 92ZS, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 92ZZF(3) and (4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 92ZZG(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Health and Disability Commissioner Act 1994 (1994 No 88)
  Replace section 20(1)(c)(i) with:
  (i) matters of privacy (other than matters that may be the subject of a
  complaint under Part 5 of the Privacy Act 2020 or matters to
  which subpart 4 of Part 7 of that Act relates):
  Health and Safety at Work Act 2015 (2015 No 70)
  In section 16, definition of personal information, replace “section 2(1) of the Privacy Act 1993” with “section 7(1) of the Privacy Act 2020”.
  In section 197(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 199(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 210(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Health Practitioners Competence Assurance Act 2003 (2003 No 48)
  In section 44(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 78(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 154(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 157G(b), replace “section 6 of the Privacy Act 1993” with “section 22 of
  the Privacy Act 2020”.
  Human Assisted Reproductive Technology Act 2004 (2004 No 92)
  Replace the cross-heading above section 66 with:
  Application of Privacy Act 2020
  Replace the heading to section 66 with “Application of Privacy Act 2020”.
  In section 66(1), replace “section 12 of the Privacy Act 1993” with “section 13 of the
  Privacy Act 2020”.
  Schedule 9 Privacy Act 2020 2020 No 31
  176
  Human Assisted Reproductive Technology Act 2004 (2004 No 92)—continued
  In section 66(2), replace “Sections 40 and 41 of the Privacy Act 1993” with “Sections
  44 to 48 of the Privacy Act 2020”.
  Replace section 66(3) and (4) with:
  (3) Parts 5, 6, and 9 of the Privacy Act 2020, so far as applicable and with any
  necessary modifications, apply to the making of a complaint under subsection
  (1) as if the matter to which the complaint relates were an interference with the
  privacy of an individual under section 69 of that Act.
  (4) Nothing in this section limits the jurisdiction of the Privacy Commissioner
  under the Privacy Act 2020 to investigate any complaint made under Part 5 of
  that Act.
  Human Rights Act 1993 (1993 No 82)
  In section 148A(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Human Tissue Act 2008 (2008 No 28)
  In section 78(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Identity Information Confirmation Act 2012 (2012 No 124)
  In section 5, definition of Privacy Commissioner, replace “section 12 of the Privacy
  Act 1993” with “section 13 of the Privacy Act 2020”.
  Replace section 21(1)(d) with:
  (d) the Privacy Act 2020.
  Immigration Act 1987 (1987 No 74)
  In section 141ABA(5), replace “Privacy Act 1993” with “Privacy Act 2020”
  Immigration Act 2009 (2009 No 51)
  In section 11(1)(c)(ia), replace “section 6 of the Privacy Act 1993” with “section 22
  of the Privacy Act 2020”.
  In section 31(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 35(2)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 151(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 177(4)(ab), replace “privacy” with “information privacy”.
  In section 177(4)(ab), replace “section 6 of the Privacy Act 1993” with “section 22 of
  the Privacy Act 2020”.
  In section 229(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 304(5), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 463(1A) with:
  2020 No 31 Privacy Act 2020 Schedule 9
  177
  Immigration Act 2009 (2009 No 51)—continued
  (1A) Information privacy principle 6 set out in section 22 of the Privacy Act 2020
  (which relates to access to personal information) does not apply to any reasons
  for any decision made by an immigration officer under section 58 of the former
  Act.
  Income Tax Act 2007 (2007 No 97)
  In section BH 1(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Insolvency Act 2006 (2006 No 55)
  In section 153(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 456 with:
  456 When search breaches information privacy principle
  A person who searches a public register for a purpose that is not a purpose set
  out in section 454 must be treated, for the purposes of Parts 5 and 6 of the Privacy Act 2020, as having breached an information privacy principle under section 69(2)(a)(i) of that Act.
  Insolvency Practitioners Regulation Act 2019 (2019 No 29)
  In section 33(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 33(4), replace “Part 8 of the Privacy Act 1993, as having breached an information privacy principle under section 66(1)(a)(i)” with “Parts 5 and 6 of the Privacy
  Act 2020, as having breached an information privacy principle under section
  69(2)(a)(i)”.
  In section 62(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 63(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Insurance (Prudential Supervision) Act 2010 (2010 No 111)
  In section 227(4), replace “section 66 of the Privacy Act 1993” with “section 69 of
  the Privacy Act 2020”.
  Intelligence and Security Act 2017 (2017 No 10)
  In section 4, definition of Privacy Commissioner, replace “section 12 of the Privacy
  Act 1993” with “section 13 of the Privacy Act 2020”.
  In section 119(b), replace “in section 6 of the Privacy Act 1993” with “set out in section 22 of the Privacy Act 2020”.
  In section 122(3), replace “section 6 of the Privacy Act 1993” with “section 22 of the
  Privacy Act 2020”.
  In section 220(2), replace “in section 6 of the Privacy Act 1993” with “set out in section 22 of the Privacy Act 2020”.
  Schedule 9 Privacy Act 2020 2020 No 31
  178
  Judicial Conduct Commissioner and Judicial Conduct Panel Act 2004 (2004 No
  38)
  Replace section 19(3) with:
  (3) Nothing in information privacy principle 6 set out in section 22 of the Privacy
  Act 2020 (access to personal information) applies in respect of any information
  held by the office of the Commissioner that relates to any investigation conducted by the Commissioner under this Act, other than any document (as defined
  in section 7(1) of the Privacy Act 2020) that comes into existence before the
  commencement of that investigation.
  Kāinga Ora–Homes and Communities Act 2019 (2019 No 50)
  In Schedule 1, clause 3(2), replace “section 66 of the Privacy Act 1993” with “section
  69 of the Privacy Act 2020”.
  In Schedule 1, clause 14(4), replace “section 66 of the Privacy Act 1993” with “section 69 of the Privacy Act 2020”.
  KiwiSaver Act 2006 (2006 No 40)
  In section 4(1), definition of personal information, replace “Privacy Act 1993” with
  “Privacy Act 2020”.
  Replace section 41(g) with:
  (g) a statement about collection of personal information that complies with
  information privacy principle 3 set out in section 22 of the Privacy Act
  2020; and
  In section 158(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 207(2), replace “Information Privacy Principle 12(2) or (4) of the Privacy
  Act 1993” with “information privacy principle 13(2) or (5) set out in section 22 of the
  Privacy Act 2020”.
  Land Transport Act 1998 (1998 No 110)
  In section 30I(2)(a)(i), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 30I(2)(a)(ii), replace “section 27(1)(d)” with “section 49(1)(a)(i)”.
  Replace section 200(1A)(c) with:
  (c) subpart 2 of Part 7 of the Privacy Act 2020.
  In section 211(2), replace “Privacy Act 1993” with “Privacy Act 2020” in each place.
  In section 211(3), replace “section 35 of the Privacy Act 1993” with “section 66 of
  the Privacy Act 2020”.
  In section 237(4)(a)(ii), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Land Transport Management Act 2003 (2003 No 118)
  In section 5(1), definition of personal information, replace “section 2(1) of the Privacy Act 1993” with “section 7(1) of the Privacy Act 2020”.
  2020 No 31 Privacy Act 2020 Schedule 9
  179
  Land Transport Management Act 2003 (2003 No 118)—continued
  In section 46(3)(f), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 50(4), replace “principle 11 in the Privacy Act 1993” with “information privacy principle 11 set out in section 22 of the Privacy Act 2020”.
  Limited Partnerships Act 2008 (2008 No 1)
  Replace section 66 with:
  66 When search breaches information privacy principle
  A person who searches a register for a purpose that is not a purpose set out in
  section 65 must be treated, for the purposes of Parts 5 and 6 of the Privacy Act
  2020, as having breached an information privacy principle under section
  69(2)(a)(i) of that Act.
  Local Government Act 2002 (2002 No 84)
  In section 258Z(1), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In Schedule 7, clause 11(3), replace “information privacy principles 6, 7, and 11 of
  the Privacy Act 1993” with “information privacy principles 6, 7, 11, and 12 set out in
  section 22 of the Privacy Act 2020”.
  Local Government (Auckland Council) Act 2009 (2009 No 32)
  In section 87(1)(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Local Government Official Information and Meetings Act 1987 (1987 No 174)
  In section 2(1), definition of official information, paragraph (c), replace “Privacy
  Act 1993” with “Privacy Act 2020”.
  In section 10(1A), replace “subclause (1)(b) of principle 6 of the Privacy Act 1993”
  with “information privacy principle 6(1)(b) set out in section 22 of the Privacy Act
  2020”.
  In section 29A, replace “Privacy Act 1993” with “Privacy Act 2020”.
  Local Government (Rating) Act 2002 (2002 No 6)
  Repeal section 27(6)(c).
  Māori Purposes (Wi Pere Trust) Act 1991 (1991 No 38)
  In Schedule 1, clause 9.8, replace “Privacy Act 1993” with “Privacy Act 2020”.
  Marine and Coastal Area (Takutai Moana) Act 2011 (2011 No 3)
  Repeal section 117.
  Maritime Transport Act 1994 (1994 No 104)
  In section 49(7)(a)(i), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 49(7)(a)(ii), replace “section 27(1)(d)” with “section 49(1)(a)(i)”.
  Schedule 9 Privacy Act 2020 2020 No 31
  180
  Maritime Transport Act 1994 (1994 No 104)—continued
  In section 50(7)(a)(i), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 50(7)(a)(ii), replace “section 27(1)(d)” with “section 49(1)(a)(i)”.
  In section 189(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 276(7)(a)(i), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 276(7)(a)(ii), replace “section 27(1)(d)” with “section 49(1)(a)(i)”.
  Motor Vehicle Sales Act 2003 (2003 No 12)
  Replace section 59 with:
  59 When search constitutes interference with privacy of individual
  A search of the register for personal information that has not been carried out
  in accordance with sections 56 to 58 constitutes an action that is an interference
  with the privacy of an individual under section 69 of the Privacy Act 2020.
  Replace section 81 with:
  81 When search constitutes interference with privacy of individual
  A search of the list for personal information that has not been carried out in
  accordance with sections 78 to 80 constitutes an action that is an interference
  with the privacy of an individual under section 69 of the Privacy Act 2020.
  In section 129(c), replace “Privacy Act 1993” with “Privacy Act 2020”.
  National Animal Identification and Tracing Act 2012 (2012 No 2)
  In section 4, definition of personal information, replace “section 2(1) of the Privacy
  Act 1993” with “section 7(1) of the Privacy Act 2020”.
  In Schedule 2, clause 55(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In Schedule 2, clause 78(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  National Bank of New Zealand Limited Act 1994 (1994 No 3 (P))
  In section 5(3)(b)(ii), replace “Privacy Act 1993” with “Privacy Act 2020”.
  New Zealand Infrastructure Commission/Te Waihanga Act 2019 (2019 No 51)
  In section 23(7)(a), replace “section 2(1) of the Privacy Act 1993” with “section 7(1)
  of the Privacy Act 2020”.
  New Zealand Public Health and Disability Act 2000 (2000 No 91)
  In section 23(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 30(6), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 79(6), replace “Privacy Act 1993” with “Privacy Act 2020”.
  2020 No 31 Privacy Act 2020 Schedule 9
  181
  New Zealand Public Health and Disability Act 2000 (2000 No 91)—continued
  In Schedule 3, clause 21(5)(a), replace “subclause (1)(b) of principle 6 of the Privacy
  Act 1993” with “information privacy principle 6(1)(b) set out in section 22 of the Privacy Act 2020”.
  In Schedule 3, clause 32(d), replace “Part 8 of the Privacy Act 1993” with “Part 5 of
  the Privacy Act 2020”.
  In Schedule 4, clause 23(5)(a), replace “subclause (1)(b) of principle 6 of the Privacy
  Act 1993” with “information privacy principle 6(1)(b) set out in section 22 of the Privacy Act 2020”.
  In Schedule 4, clause 34(d), replace “Part 8 of the Privacy Act 1993” with “Part 5 of
  the Privacy Act 2020”.
  In Schedule 5, clause 3(a), replace “section 2(1) of the Privacy Act 1993” with “section 7(1) of the Privacy Act 2020”.
  Official Information Act 1982 (1982 No 156)
  In section 2(1), definition of official information, paragraph (j), replace “Privacy Act
  1993” with “Privacy Act 2020”.
  In section 12(1A), replace “subclause (1)(b) of principle 6 of the Privacy Act 1993”
  with “information privacy principle 6(1)(b) set out in section 22 of the Privacy Act
  2020”.
  In section 29B, replace “Privacy Act 1993” with “Privacy Act 2020”.
  Ombudsmen Act 1975 (1975 No 9)
  In section 17A(1) and (3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 21A, replace “Privacy Act 1993” with “Privacy Act 2020”.
  Oranga Tamariki Act 1989 (1989 No 24)
  In section 66(1), replace “section 2(1) of the Privacy Act 1993” with “section 7(1) of
  the Privacy Act 2020”.
  In section 66Q(2), replace “12 of section 6 of the Privacy Act 1993” with “13 set out
  in section 22 of the Privacy Act 2020”.
  In section 66Q(3), replace “principle 11 in section 6 of the Privacy Act 1993 (which
  permits” with “principles 11 and 12 set out in section 22 of the Privacy Act 2020
  (which permit”.
  In section 66Q(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Outer Space and High-altitude Activities Act 2017 (2017 No 29)
  In section 85(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Overseas Investment Act 2005 (2005 No 82)
  In section 41D(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Schedule 9 Privacy Act 2020 2020 No 31
  182
  Overseas Investment Act 2005 (2005 No 82)—continued
  In section 41E(3)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Parole Act 2002 (2002 No 10)
  In section 13(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 13AC(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 13AD(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 15A(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 108(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Personal Property Securities Act 1999 (1999 No 126)
  In section 16(1), definition of personal information, replace “section 2(1) of the Privacy Act 1993” with “section 7(1) of the Privacy Act 2020”.
  In section 173(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 174 with:
  174 When search constitutes interference with privacy of individual
  A search of the register for personal information that has not been carried out
  in accordance with sections 171 to 173 constitutes an action that is an interference with the privacy of an individual under section 69 of the Privacy Act
  2020.
  Plumbers, Gasfitters, and Drainlayers Act 2006 (2006 No 74)
  Replace section 87 with:
  87 When search constitutes interference with privacy of individual
  A search of the register for personal information that has not been carried out
  in accordance with sections 84 to 86 constitutes an action that is an interference
  with the privacy of an individual under section 69 of the Privacy Act 2020.
  Policing Act 2008 (2008 No 72)
  In the heading to section 57, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 57, replace “Nothing in principles 2, 3, or 10 of the Privacy Act 1993” with
  “Nothing in information privacy principles 2, 3, and 10 set out in section 22 of the
  Privacy Act 2020”.
  Replace section 95B(6) with:
  (6) A person who contravenes a provision of this section must be treated, for the
  purposes of Parts 5 and 6 of the Privacy Act 2020, as having breached an information privacy principle under section 69(2)(a)(i) of that Act.
  2020 No 31 Privacy Act 2020 Schedule 9
  183
  Prisoners’ and Victims’ Claims Act 2005 (2005 No 74)
  In section 3(2A)(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 6(2), definition of a breach of, or interference with, a specified right,
  replace paragraph (c) with:
  (c) an interference with the privacy of an individual (within the meaning of
  section 69 of the Privacy Act 2020)
  Public and Community Housing Management Act 1992 (1992 No 76)
  In section 79(2), replace “section 7(1) of the Privacy Act 1993” with “section 24 of
  the Privacy Act 2020”.
  In section 80(5), replace “section 7(1) of the Privacy Act 1993” with “section 24 of
  the Privacy Act 2020”.
  In section 86(4), replace “Part 6 of the Privacy Act 1993” with “section 32 of the Privacy Act 2020”.
  In section 88(2), replace “Part 6 of the Privacy Act 1993” with “section 32 of the Privacy Act 2020”.
  Replace section 89(2) with:
  (2) Parts 5 and 6 of the Privacy Act 2020 apply to any such complaint as if the
  code of conduct were a code of practice issued under section 32 of that Act.
  In section 124(2), replace “section 7(1) of the Privacy Act 1993” with “section 24 of
  the Privacy Act 2020”.
  In section 125(5), replace “section 7(1) of the Privacy Act 1993” with “section 24 of
  the Privacy Act 2020”.
  In section 138(4), replace “Part 6 of the Privacy Act 1993” with “section 32 of the
  Privacy Act 2020”.
  In section 140(2), replace “Part 6 of the Privacy Act 1993” with “section 32 of the
  Privacy Act 2020”.
  Replace section 141(2) with:
  (2) Parts 5 and 6 of the Privacy Act 2020 apply to the complaint as if the code of
  conduct were a code of practice issued under section 32 of that Act.
  Public Audit Act 2001 (2001 No 10)
  In section 25(2)(c), replace “information privacy principle 3 of the Privacy Act 1993”
  with “information privacy principle 3 set out in section 22 of the Privacy Act 2020”.
  Repeal section 30(4).
  Public Records Act 2005 (2005 No 40)
  In section 25(1)(c) and (2)(e), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 44(8), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Schedule 9 Privacy Act 2020 2020 No 31
  184
  Public Safety (Public Protection Orders) Act 2014 (2014 No 68)
  In section 56(2)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 56(2)(d), replace “section 54(1) of the Privacy Act 1993” with “section 30
  of the Privacy Act 2020”.
  In section 57(1), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 58 with:
  58 Application of Privacy Act 2020
  The Privacy Act 2020 applies to the monitoring of resident calls under sections
  51 to 61.
  In section 59(1)(b)(iv), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 59(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Radiation Safety Act 2016 (2016 No 6)
  In section 34(1)(d), replace “section 54(1) of the Privacy Act 1993” with “section 30
  of the Privacy Act 2020”.
  Real Estate Agents Act 2008 (2008 No 66)
  Replace section 70 with:
  70 When search constitutes interference with privacy of individual
  A person who searches the register for a purpose that is not a purpose set out in
  section 64 must be treated, for the purposes of Parts 5 and 6 of the Privacy Act
  2020, as having breached an information privacy principle under section
  69(2)(a)(i) of that Act.
  In section 86(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Residential Tenancies Act 1986 (1986 No 120)
  In section 66O(2)(b)(ii), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Search and Surveillance Act 2012 (2012 No 24)
  In section 5(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Senior Courts Act 2016 (2016 No 48)
  In section 173(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 174(2), (3), and (4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Sentencing Act 2002 (2002 No 9)
  In section 29(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  2020 No 31 Privacy Act 2020 Schedule 9
  185
  Social Security Act 2018 (2018 No 32)
  In section 212(2), replace “section 103(1) of the Privacy Act 1993” with “section
  181(1) of the Privacy Act 2020”.
  Replace section 381(2)(a) with:
  (a) whether the mutual assistance provision complies with the information
  privacy principles set out in section 22 of the Privacy Act 2020, having
  regard to—
  (i) whether the objective of the provision relates to a matter of significant public importance:
  (ii) whether the use of the provision to achieve that objective will
  result in significant and quantifiable monetary savings, or in other
  comparable benefits to society:
  (iii) whether the use of an alternative means of achieving that objective would give either of the results referred to in paragraph (ii):
  (iv) whether the public interest in allowing the provision to proceed
  outweighs the public interest in adhering to the information privacy principles that the provision would otherwise contravene:
  (v) whether the provision involves information matching on a scale
  that is excessive, having regard to—
  (A) the number of agencies that will be involved; and
  (B) the amount of detail about an individual that will be
  matched under the provision:
  (vi) whether the provision will comply with the information matching
  rules in Schedule 6 of the Privacy Act 2020:
  Replace section 385(4) with:
  (4) Sections 179, 180, and 182 to 185 of the Privacy Act 2020 apply in respect of
  the provision as if the provision were an authorised information matching programme (as that term is defined in section 177 of the Privacy Act 2020) and
  MSD were the only specified agency involved in that programme.
  In section 386(2), replace “section 97 of the Privacy Act 1993” with “section 177 of
  the Privacy Act 2020”.
  In section 418(1)(p), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In Schedule 2, repeal the definition of information-matching programme.
  In Schedule 6, repeal clauses 6 and 7.
  In Schedule 6, clause 8(1), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In Schedule 6, in the heading to clause 10, replace “1993” with “2020”.
  In Schedule 6, clause 10(1) and (3), replace “Part 6 of the Privacy Act 1993” with
  “Part 3 of the Privacy Act 2020”.
  Schedule 9 Privacy Act 2020 2020 No 31
  186
  Social Security Act 2018 (2018 No 32)—continued
  In Schedule 6, replace clause 12(3) with:
  (3) Parts 5 and 6 of the Privacy Act 2020 apply to the complaint as if the code of
  conduct were a code of practice issued under Part 3 of that Act.
  In Schedule 6, clause 16(1), replace “Part 9A of the Privacy Act 1993” with “subpart
  1 of Part 7 of the Privacy Act 2020”.
  In Schedule 6, replace clause 21(3) with:
  (3) Parts 5 and 6 of the Privacy Act 2020—
  (a) apply to a complaint under subclause (1) as if the information sharing
  agreement concerned were a code of practice issued under Part 3 of that
  Act; and
  (b) apply to a complaint under subclause (2) as if clause 18 and the regulations concerned together constituted a code of practice issued under Part
  3 of that Act.
  Social Workers Registration Act 2003 (2003 No 17)
  In section 46(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 68B(3)(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  State Sector Act 1988 (1988 No 20)
  In section 9C(2), replace “section 2(1) of the Privacy Act 1993” with “section 7(1) of
  the Privacy Act 2020”.
  Summary Proceedings Act 1957 (1957 No 87)
  In section 92A(1), replace the definition of agency with:
  agency—
  (a) means any person or body of persons whether incorporated or not, and
  whether in the public sector or the private sector; and
  (b) for the avoidance of doubt, includes a department
  In section 92A(1), definition of credit reporting code of practice, replace “Privacy
  Act 1993” with “Privacy Act 2020”.
  In section 92A(1), definition of fines enforcement records, replace “Schedule 5 of
  the Privacy Act 1993” with “Schedule 4 of the Privacy Act 2020”.
  In section 92F(1)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 92F(3) with:
  (3) A person who contravenes this section or who discloses or uses information in
  contravention of any regulations made under section 92I must be treated, for
  the purposes of Parts 5 and 6 of the Privacy Act 2020, as having breached an
  information privacy principle under section 69(2)(a)(i) of that Act.
  2020 No 31 Privacy Act 2020 Schedule 9
  187
  Summary Proceedings Act 1957 (1957 No 87)—continued
  In section 92G(2) and (3), replace “section 103 of the Privacy Act 1993” with “section 181 of the Privacy Act 2020”.
  Takeovers Act 1993 (1993 No 107)
  In section 15A(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 15B(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 15C(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 31E(c), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 31R(2)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Tax Administration Act 1994 (1994 No 166)
  In section 18E(2), replace “section 96J of the Privacy Act 1993” with “section 145 of
  the Privacy Act 2020”.
  In section 18E(2)(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace section 18E(6) with:
  (6) For the purposes of this section and section 18F, agency has the meaning given
  in section 138 of the Privacy Act 2020.
  In Schedule 7, clause 29, replace “the Privacy Act 1993” with “section 7(1) of the
  Privacy Act 2020”.
  Te Urewera Act 2014 (2014 No 51)
  In Schedule 3, clause 14(g), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Telecommunications Act 2001 (2001 No 103)
  In section 100C(1)(c), replace “section 66 of the Privacy Act 1993” with “section 69
  of the Privacy Act 2020”.
  In Schedule 3C, clause 15(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Trans-Tasman Mutual Recognition Act 1997 (1997 No 60)
  In section 33(1)(b)(ii), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 34, replace “Privacy Act 1993” with “Privacy Act 2020”.
  Transport Accident Investigation Commission Act 1990 (1990 No 99)
  In the heading to section 14Q, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 14Q(1), replace “principle 6 of the Privacy Act 1993” with “information
  privacy principle 6 set out in section 22 of the Privacy Act 2020”.
  In section 14Q(4), replace “sections 27 to 29 of the Privacy Act 1993” with “sections
  49 to 53 of the Privacy Act 2020”.
  Schedule 9 Privacy Act 2020 2020 No 31
  188
  Veterinarians Act 2005 (2005 No 126)
  In section 42(3), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Victims’ Rights Act 2002 (2002 No 39)
  In the heading to section 15, replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 15(1) and (2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 23(4), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 49(2)(d), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 50(3), replace “section 2(1) of the Privacy Act 1993” with “section 7(1) of
  the Privacy Act 2020”.
  Waikato Raupatu Claims Settlement Act 1995 (1995 No 58)
  In Schedule 4, clause 2(2)(b)(ii), replace “Privacy Act 1993” with “Privacy Act
  2020”.
  Westpac New Zealand Act 2006 (2006 No 3 (P))
  In section 20(4)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 21(a)(iii), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Westpac New Zealand Act 2011 (2011 No 1 (P))
  In section 24(4)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In section 25(a)(iii), replace “Privacy Act 1993” with “Privacy Act 2020”.
  WorkSafe New Zealand Act 2013 (2013 No 94)
  In section 17(4), replace “section 66 of the Privacy Act 1993” with “section 69 of the
  Privacy Act 2020”.
  Part 2
  Amendments to legislative instruments
  Chartered Professional Engineers of New Zealand Rules (No 2) 2002 (SR
  2002/389)
  In rule 42(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Companies Act 1955 Liquidation Regulations 1994 (SR 1994/129)
  In the Schedule, forms 1 and 2, replace “Privacy Act 1993” with “Privacy Act 2020”
  in each place.
  Companies Act 1993 Liquidation Regulations 1994 (SR 1994/130)
  In the Schedule, forms 1 and 2, replace “Privacy Act 1993” with “Privacy Act 2020”
  in each place.
  2020 No 31 Privacy Act 2020 Schedule 9
  189
  Criminal Investigations (Bodily Samples) Regulations 2004 (SR 2004/53)
  In the Schedule, forms 5A, 5B, 6, 8, 8A, 9, and 9A, replace “Privacy Act 1993” with
  “Privacy Act 2020”.
  Customs and Excise Regulations 1996 (SR 1996/232)
  In Schedule 2, form 10, replace “Privacy Act 1993” with “Privacy Act 2020”.
  Double Taxation Relief (Poland) Order 2006 (SR 2006/169)
  In clause 3(1), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Double Taxation Relief (Spain) Order 2006 (SR 2006/170)
  In clause 3(1), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Education (Pastoral Care of International Students) Code of Practice 2016 (LI
  2016/57)
  In clause 25(1)(c), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Education (Stand-Down, Suspension, Exclusion, and Expulsion) Rules 1999 (SR
  1999/202)
  In rule 15(2)(c), replace “Privacy Act 1993” with “Privacy Act 2020”.
  In rule 20(2)(c), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Fisheries (Foreign Fishing Vessel) Regulations 2001 (SR 2001/258)
  In Schedule 1, form 1, paragraph 14, replace “Privacy Act 1993” with “Privacy Act
  2020”.
  Health and Disability Commissioner (Code of Health and Disability Services
  Consumers’ Rights) Regulations 1996 (SR 1996/78)
  In the Schedule, clause 4, replace the definition of privacy with:
  privacy means all matters of privacy in respect of a consumer, other than matters of privacy that may be the subject of a complaint under Part 5 of the Privacy Act 2020 or matters to which subpart 4 of Part 7 of that Act relates
  Health and Safety at Work (General Risk and Workplace Management)
  Regulations 2016 (LI 2016/13)
  In regulation 52(2), replace “section 97 of the Privacy Act 1993” with “section 177 of
  the Privacy Act 2020”.
  Health and Safety at Work (Hazardous Substances) Regulations 2017 (LI
  2017/131)
  In regulations 6.7(5)(b), 6.18(5)(a)(i), 6.26(4)(a), 6.31(5)(a)(i), 7.6(6)(a)(i), and
  7.13(5)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Schedule 9 Privacy Act 2020 2020 No 31
  190
  Health and Safety at Work (Hazardous Substances) Regulations 2017 (LI
  2017/131)—continued
  In regulations 6.26(4)(d)(iv) and 7.13(5)(b)(iii), replace “section 54(1) of the Privacy
  Act 1993” with “section 30 of the Privacy Act 2020”.
  Human Rights Review Tribunal Regulations 2002 (SR 2002/19)
  In regulation 3(1), definition of Privacy Commissioner, replace “section 12 of the
  Privacy Act 1993” with “section 13 of the Privacy Act 2020”.
  In regulation 3(1), definition of proceedings, replace paragraph (a)(ii) with:
  (ii) section 97 or 98 of the Privacy Act 2020; or
  In regulation 6, table, first column, replace “section 82 of the Privacy Act 1993” with
  “section 97 of the Privacy Act 2020”.
  In regulation 6, table, first column, replace “section 83 of the Privacy Act 1993” with
  “section 98 of the Privacy Act 2020”.
  In the heading to regulation 10, replace “section 82 or section 83 of the Privacy Act
  1993” with “section 97 or 98 of the Privacy Act 2020”.
  In regulation 10, replace “section 82 or section 83 of the Privacy Act 1993” with
  “section 97 or 98 of the Privacy Act 2020”.
  In regulation 10(a), replace “section 82” with “section 97”.
  In regulation 10(b), replace “section 83” with “section 98”.
  In regulation 14, table, first column, replace “section 83 of the Privacy Act 1993”
  with “section 98 of the Privacy Act 2020”.
  In regulation 15(2), replace “information privacy principle 6 (set out in section 6) of
  the Privacy Act 1993” with “information privacy principle 6 (set out in section 22) of
  the Privacy Act 2020”.
  In regulation 16(1)(b), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Replace regulation 16(3)(b) with:
  (b) section 97 or 98 of the Privacy Act 2020:
  In regulation 17(2), replace “section 86 of the Privacy Act 1993” with “section 99 of
  the Privacy Act 2020”.
  In regulation 18(2)(d), replace “section 83 of the Privacy Act 1993” with “section 98
  of the Privacy Act 2020”.
  In regulation 21(1)(e), replace “section 82 of the Privacy Act 1993” with “section 97
  of the Privacy Act 2020”.
  In regulation 21(1)(f), replace “section 83 of the Privacy Act 1993” with “section 98
  of the Privacy Act 2020”.
  2020 No 31 Privacy Act 2020 Schedule 9
  191
  Lake Taupo (Crown Facilities, Permits and Fees) Regulations 2004 (SR
  2004/140)
  In Schedule 2, note 7, replace “Privacy Act 1993” with “Privacy Act 2020” in each
  place.
  Land Transport (Motor Vehicle Registration and Licensing) Regulations 2011
  (SR 2011/79)
  In regulation 57(k), after “Privacy Act 1993”, insert “or Privacy Act 2020”.
  Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008
  (SR 2008/214)
  In the Schedule, footnote 6, replace “Privacy Act 1993” with “Privacy Act 2020”.
  Private Security Personnel and Private Investigators (Code of Conduct—
  Surveillance of Individuals) Regulations 2011 (SR 2011/72)
  In regulation 5(2)(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Real Estate Agents Act (Professional Conduct and Client Care) Rules 2012 (SR
  2012/413)
  In rule 9.17(d), replace “in section 6 of the Privacy Act 1993” with “set out in section
  22 of the Privacy Act 2020”.
  Registered Architects Rules 2006 (SR 2006/161)
  In rule 45(2), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Social Security Regulations 2018 (LI 2018/202)
  In regulation 242(1)(d)(iii), replace “section 99 of the Privacy Act 1993” with “section 178 of the Privacy Act 2020”.
  In regulation 242(1)(d)(iv), replace “clause 4 of Schedule 4 of the Privacy Act 1993”
  with “clause 3 of Schedule 6 of the Privacy Act 2020”.
  Replace regulation 242(1)(d)(v) with:
  (v) in relation to New Zealand, has been agreed to by the Privacy
  Commissioner, the Commissioner having had regard to the matters in section 381(2)(a) of the Act.
  In regulation 242(2), replace “section 99(4) of the Privacy Act 1993” with “section
  178(3) of the Privacy Act 2020”.
  Replace regulation 243(5) to (7) with:
  (5) A written notice to be given under subclause (2) may be given as specified in
  regulations made under the Privacy Act 2020 for the giving of notices under
  section 181 of that Act.
  Schedule 9 Privacy Act 2020 2020 No 31
  192
  Social Security Regulations 2018 (LI 2018/202)—continued
  (6) A failure by MSD to comply, in relation to an individual, with subclause (2) is
  taken for the purposes of Part 5 of the Privacy Act 2020, to constitute a failure
  to comply with the provisions of subpart 4 of Part 7 of that Act.
  (7) In this regulation and regulation 244, expressions defined in section 177 of the
  Privacy Act 2020 have the meanings so defined, with any necessary modifications.
  In regulation 273(3), definition of agency, replace “section 2(1) of the Privacy Act
  1993” with “section 7(1) of the Privacy Act 2020”.
  In regulation 281(a), replace “Privacy Act 1993” with “Privacy Act 2020”.
  Summary Proceedings (Credit Reporting of Fines) Regulations 2011 (SR
  2011/399)
  In regulation 5(2), replace “Privacy Act 1993” with “Privacy Act 2020” in each place.
  Legislative history
  20 March 2018 Introduction (Bill 34–1)
  11 April 2018 First reading and referral to Justice Committee
  13 March 2019 Reported from Justice Committee (Bill 34–2)
  7 August 2019 Second reading
  3 June 2020 Committee of the whole House (Bill 34–3)
  24 June 2020 Third reading
  30 June 2020 Royal assent
  This Act is administered by the Ministry of Justice.
  Wellington, New Zealand:
  Published under the authority of the New Zealand Government—2020
  2020 No 31 Privacy Act 2020 Schedule 9
  193