An Introduction to the Privacy Act

Upload: kerrie-stanley

Post on 21-Jan-2016


Page 1: An Introduction to the Privacy Act Privacy Act 1993 Promotes and protects individual privacy Is concerned with the privacy of information about people

An Introduction to the Privacy Act

Page 2

Privacy Act 1993

• Promotes and protects individual privacy

• Is concerned with the privacy of information about people rather than physical intrusions into privacy

• Establishes 12 information privacy principles which regulate the collection, storage, use and disclosure of personal information and give people the right to access and correct their information

• Allows the Privacy Commissioner to issue industry specific codes of practice

• Sets out rules for information matching

• Provides a set of principles regulating how information on public registers can be used

• Sets up a complaints procedure

• Sets out how law enforcement information is to be dealt with

• Provides for the appointment of a Privacy Commissioner and sets out his role and functions

Page 3

Definition of Personal Information

• Information about an identifiable individual

• Does not include information about a corporate body

Page 4

Agency

• Any person or body of persons

• Corporate or unincorporate

• Public or private sector

• Some exceptions: MPs, courts and tribunals, news media in relation to its news activities

• Sections 3 and 4

Page 5

Breach of IPP AND Adverse Consequence Results in Interference With Individual’s Privacy

[Diagram labels: Breach, Loss, Interference]

Page 6

Interference With Privacy (Access)

Interference with privacy if there is no proper basis for:

• Referral

• Failure to respond within 20 working days

• Conditions on use

• Charging

• Refusal to correct

Page 7

IPP 1 - Purpose of Collection of Personal Information

Not to be collected by an agency unless:

• Information is collected for a lawful purpose connected with the function / activity of the agency

• Collection necessary for that purpose

ISSUES

Lawful purpose?

Is it a purpose connected with a function / activity of the agency?

Is collection necessary for that purpose?

Page 8

IPP 2 - Source of Personal Information

Where an agency collects personal information, the agency shall collect the information directly from the individual concerned.

Non-compliance permissible where the agency believes, on reasonable grounds, that:

• Individual has authorised collection of the information from someone else

• Compliance would prejudice the purpose of that collection

• Compliance not reasonably practicable in the circumstances

(Non-compliance permissible on certain other grounds)

Page 9

IPP 3 - Collection of Personal Information From Subject (A)

Where personal information collected directly from individual concerned, agency required to take reasonable steps to ensure individual is aware of:

• Fact information is being collected

• Purpose for which information is collected

• Intended recipients of information

• Contact details for agencies collecting and holding information

• Whether supply of information is mandatory / voluntary (Where law authorises / requires collection)

• Consequences if information not supplied

• Rights of access and correction

Provide these details before collection if practicable

Page 10

IPP 3 - Collection of Personal Information From Subject (B)

Non-compliance permissible where agency believes, on reasonable grounds, that:

• It is authorised by the individual

• It would not prejudice the individual’s interests

• Compliance would prejudice purposes of collection

Also certain other grounds IPP 3(4)

Repeat explanation not necessary if given recently

Page 11

IPP 4 - Manner of Collection of Personal Information

Personal information must not be collected by:

• Unlawful means

• Means that, in the circumstances, are

- Unfair

- Unreasonably intrude upon the Individual’s personal affairs

Page 12

KEY CONCEPTS

PURPOSE AND OPENNESS

Develop information handling policies

Convey policies when collecting information

Page 13

IPP 5 - Storage and Security of Information

Agency holding personal information must take reasonable security safeguards to protect against:

• Loss

• Unauthorised access, use, modification or disclosure

• Other misuse

ISSUES

Physical security?

Operational security?

Security of transmission?

Disposal or destruction?

Page 14

IPP 6 - Access to Personal Information

Where an agency holds personal information in a way that it can readily be retrieved, individuals are entitled to have access to information relating to them

Page 15

IPP 6 - Access to Personal Information

Obligations of agencies to

• Provide assistance

• Transfer access requests

• Respond within time limits

• Make information available in form requested

Precautions by appropriate procedures:

• Satisfactory identification of individual

• Authority of agent

Charges:

• No charge by public sector agency

• Reasonable charges by others

Page 16

Withholding Grounds - Principle 6

• 27(1)(c) - prejudice maintenance of law

• 27(1)(d) - endanger safety

• 29(1)(a) - unwarranted disclosure

• 29(1)(c) - prejudice physical / mental health

• 29(2) - not readily retrievable / cannot be found / does not exist

Page 17

IPP 7 - Correction of Personal Information

An individual is entitled to request the correction of information

Agency must either:

Make correction

OR

Attach statement by individual of correction sought

Agency must notify known recipients of the information about this correction

Page 18

IPP 8 - Accuracy of Personal Information to Be Checked Before Use

Agencies must take reasonable steps to ensure personal information is accurate before using it

Accurate

Up to date

Complete

Not misleading

Relevant

Page 19

IPP 9 - Agency Not to Keep Personal Information for Longer Than Necessary

Agency holding personal information shall not keep it for longer than required for the purposes for which it may lawfully be used.

ISSUES

Should it be retained at all?

If so, for how long?

Note legal obligations to retain, e.g. tax, medical records

Consider return, destruction, transfer

Page 20

IPP 10 - Limits on Use of Personal Information

Personal information collected for one purpose cannot be used for another purpose unless agency believes, on reasonable grounds, that:

• Use for other purpose authorised by individual concerned

• Information sourced from publicly available publication

• Use for other purpose necessary to prevent or lessen a serious and imminent threat to

- public health / safety

- life / health of someone

• Purpose is directly related to the purpose for which it was collected

(Non-compliance permissible on certain other grounds)

Page 21

IPP 11 - Limits of Disclosure of Personal Information

An agency shall not disclose personal information unless it believes, on reasonable grounds, that disclosure:

• Is to the individual concerned

• Is authorised by the individual

• Is one of the purposes in connection with which the information was obtained or is a directly related purpose

• Is in a form in which the individual is not identified

(Non-compliance permissible on certain other grounds)

Page 22

Information Privacy Principle 11

DISCLOSURE

Don’t do it unless:

• Authorised by Privacy Commissioner

• Research (No ID)

• Purpose of Collection

• Publicly Available

• Maintenance of the Law

• To the Person

• Public Health or Safety

• Needed to sell Business

Page 23

IPP 12 - Unique Identifiers

• Agencies not to assign unique identifiers unless necessary to enable them to carry out their functions efficiently

• Agencies not to assign unique identifier that has been assigned by another agency

• Clearly identify the individual before assigning unique identifier

• Agencies not to require people to disclose a unique identifier assigned by another agency unless disclosure is for the purposes for which that unique identifier was assigned

Page 24

Complaints Process

[Flowchart labels, in the order they appear on the slide:]

Notification

Complaints Review Tribunal

Commissioner assists parties with settlement

Investigation

Final opinion

Provisional Opinion - with right of response

Referred by Privacy Commissioner

Referred by Complainant

Page 25

Privacy Act and Official Information Act Interface

Requester X asks for information about himself

Privacy Act

• IPP 6

• Part IV Privacy Act

• Sections 27-29 - withholding grounds apply

Requester X asks for information about Y

Official Information Act

Section 5 Presumption of availability

Unless good reason for withholding information

Section 9(2)(a) protect privacy of natural persons

Page 26

Other Legislation

Action authorised by other Legislation

Privacy Act

Does not Derogate

Page 27

Don’t blame the Privacy Act

Telephone: 04-474 7590

Enquiries hotline: 0800 803 909

Or: 09-302 8655

Email: [email protected]

Internet address: http://www.privacy.org.nz

Postal address: Privacy Commissioner, PO Box 10-094, Wellington