Purpose of the Act
8.72 The purpose of the Privacy Act 2020 is to promote and protect individual privacy, by:
- providing a framework for protecting privacy of personal information, including access by individuals to their information, while also recognising other rights and interests; and
- giving effect to international privacy obligations and standards.
The Act covers both the public and private sectors.
8.73 The Privacy Act 2020 covers “personal information”, which is defined in section 7 of the Act as information about an identifiable individual. There are 13 information privacy principles (dealing with the collection, storage, use, and disclosure of personal information, and an individual's right to access their personal information and to request correction). Codes of practice that may modify the information privacy principles (such as the Health Information Privacy Code 2020) are also issued from time to time.
8.74 Ministers and agencies are responsible for compliance with the law when they collect, use, hold, or disclose information concerning individuals. A breach of the Privacy Act 2020 may lead to a complaint to the Privacy Commissioner, or the Privacy Commissioner can take compliance action without receiving a complaint. Agencies that breach the Act can face financial penalties, or may have to provide redress, which could include paying damages. A Minister and agency must not collect personal information unless the collection is necessary for a lawful purpose related to their functions. Section 7 of the Privacy Act 2020 defines “collect” as “to take any step to seek or obtain the personal information, but does not include receipt of unsolicited information”.
8.75 Ministers and agencies are also responsible for complying with requirements in the Privacy Act 2020 to notify the Privacy Commissioner and (in most cases) affected individuals of privacy breaches that are likely to cause serious harm.
8.76 Ministers are subject to the Privacy Act 2020 in their role as Ministers. They are not subject to the Privacy Act 2020 in their official capacity as members of Parliament. This distinction is set out in relation to official information at paragraph 8.26.
8.77 Each agency must appoint a privacy officer for the agency (within or outside the agency) who is assigned responsibility to fulfil the compliance requirements set out in section 201 of the Privacy Act 2020. The Office of the Privacy Commissioner is available for advice and guidance in relation to the operation of the Privacy Act 2020.
8.78 The Government Chief Privacy Officer is responsible for developing standards, issuing guidance, and providing assurance to support the public service in building capability in privacy and security management.
Ministerial access to and use of personal information
8.79 Ministers should exercise great care in dealing with personal information, and seek advice from the Office of the Privacy Commissioner in cases of doubt. In particular, Ministers and agencies must handle personal information in accordance with the information privacy principles, as set out in section 22 of the Privacy Act 2020. Other primary legislative provisions may vary the application of the information privacy principles. Ministers and agencies should be aware of, and comply with, any differing approaches in their particular regulatory systems.
8.80 In the course of their duties, Ministers may have occasion to be provided with or to request personal information held by the agencies for which they are responsible. There are types of disclosure of information that are routine and clearly authorised, such as when the Minister requires personal information to:
- exercise statutory functions; and
- respond to individuals who seek the Minister's assistance with their cases.
Other circumstances involve a case-by-case assessment of whether personal information can be disclosed in connection with a Minister's general portfolio responsibilities and accountability to the House. Decisions by officials to provide personal information to Ministers require judgement and discretion, and should be finely tuned to particular circumstances.
8.81 Agencies need to have a clear understanding of the lawful basis on which they are able to disclose personal information to Ministers, and to ensure that any such disclosures comply with the Privacy Act 2020. Before disclosing personal information to a Minister, an agency must be satisfied that the disclosure is consistent with information privacy principle 11 in section 22 of the Act or another statutory provision. It must also consider whether there is a legal obligation under other legislation not to disclose the information (for example, under the statutory provisions protecting information collected by the Inland Revenue Department). The convention of ministerial accountability and the “no surprises” principle do not override the Privacy Act 2020's disclosure principles or other statutory restrictions on disclosure. Best practice is for the agency to consider whether personal details need to be disclosed to adequately inform the Minister, including:
- whether the Minister needs to be briefed on an issue;
- if a briefing is needed, whether it needs to include information about identifiable individuals; and
- if it is necessary to provide personal information, how much information is required, and whether some personal details are irrelevant or unnecessary for the briefing.
Where the agency believes, on reasonable grounds, that disclosure of personal information to a Minister is one of the purposes for which the information was collected or is directly related to one of those purposes, the disclosure will not be a breach of information privacy principle 11.
8.82 If a Minister wishes to access information about an individual that is held by an agency in another portfolio area, the Minister should, in line with the general principle that Ministers deal only with their own agencies, seek assistance from the Minister with responsibility for that area (see paragraph 3.28).
- If the person to whom the information relates requests the information, the request must be considered in accordance with the Privacy Act 2020. Information privacy principle 6, in section 22 of the Act, gives individuals a legal right to access such personal information. Part 4 of the Act sets out reasons why such an individual access request may be refused.
- If another person requests the information, the request must be considered in accordance with the Official Information Act 1982. Section 9 of the Act provides that the need to protect an individual's privacy may justify withholding the information if there is no overriding public interest in release. It will be important to identify and consider the strengths of all the relevant privacy interests and balance them against the strengths of the competing public interest in its release.
- A disclosure by a Minister or agency of information about an individual (including from agencies to Ministers), in the absence of a request for it, is governed by information privacy principle 11 of the Privacy Act 2020 (unless subject to other statutory provisions). That principle allows only limited situations in which it would be appropriate to disclose personal information; for example:
  - if the disclosure is one of the purposes for which the information was obtained, or is directly related to one of those purposes;
  - if disclosure does not relate to an identifiable individual;
  - if disclosure is authorised by the individual concerned;
  - if the information is already publicly available and its disclosure would not be unfair or unreasonable in the circumstances; or
  - if disclosure is necessary to prevent a serious threat to public health or the life of another individual.
8.84 Parliamentary privilege affords protection to statements made by Ministers as part of parliamentary proceedings, including when answering parliamentary questions (see the Parliamentary Privilege Act 2014). However, the same considerations set out in paragraph 8.83(c) should inform agencies and Ministers when deciding whether and to what extent it is necessary to disclose personal information that may end up becoming part of parliamentary proceedings.
8.85 Further guidance can be found on the Office of the Privacy Commissioner website.
Role of the Privacy Commissioner
8.86 The Privacy Commissioner can investigate complaints concerning breaches of the privacy principles in the Privacy Act 2020 (and of the rules in any code issued under that Act, such as the Health Information Privacy Code 2020). Such a breach can occur when an individual is denied access to information about them or is wrongly refused the opportunity to correct information about them, or when an individual suffers some form of harm as a result of a breach of a privacy principle, a rule in a code of practice, or an information-matching or information-sharing provision. The Privacy Commissioner can attempt to settle a complaint. If the parties are unable to reach a settlement, the complainant can take a case to the Human Rights Review Tribunal.
8.87 The Privacy Commissioner can also inquire into any matter if it appears that the privacy of individuals may be infringed, and can take action to require an agency to comply with the Privacy Act 2020, regardless of whether the non-compliance has been the subject of a complaint.
8.88 The Privacy Commissioner's other responsibilities include monitoring proposed legislation to see if it affects the privacy of individuals, and commenting on any privacy problems. The LDAC Guidelines give guidance about factors to consider when developing legislative proposals that could affect individual privacy (see paragraph 7.41), including proposed information sharing.
8.89 The Office of the Privacy Commissioner should be consulted about all legislative proposals that have implications for personal information or for individual privacy more broadly. The Privacy Commissioner can also report directly to the Minister of Justice or the Prime Minister about legislation or other developments affecting individual privacy.