Cabinet Manual

Purpose of the Act

8.52 The purpose of the Privacy Act 1993 is to promote and protect individual privacy - in particular to establish principles on:

  1. collection, use, and disclosure of information relating to individuals;
  2. access by individuals to information held about them.

The Act covers both the public and private sectors.

Compliance

8.53 Ministers and departments must be careful to ensure that they comply with the law when they collect, use, and disclose information concerning individuals. A breach of the Act may result in legal action, including, in some cases, an award of damages.

8.54 Each agency must ensure that privacy officers within the agency are assigned responsibility to fulfil the compliance requirements set out in section 23 of the Privacy Act 1993. The Office of the Privacy Commissioner is available for training, advice, and guidance in relation to the operation of the Privacy Act 1993.

Key provisions

8.55 The Privacy Act 1993 covers "personal information", which is defined in section 2 of the Act as "information about an identifiable individual."

8.56 The key provisions of the Privacy Act 1993 are:

  1. the 12 information privacy principles (dealing with the collection, holding, use, and disclosure of personal information, and the assigning of unique identifiers): section 6;
  2. an individual's right to access their personal information held by an agency: section 6, principle 6;
  3. reasons for refusing access: Part IV;
  4. codes of practice and exemptions from information privacy principles: Part VI;
  5. public register privacy principles: Part VII;
  6. complaints to the Privacy Commissioner: sections 67 - 68;
  7. investigations by and proceedings of the Privacy Commissioner: sections 69 - 80;
  8. information matching guidelines: Part X.

Ministerial access to and use of personal information

8.57 Ministers should exercise great care in dealing with personal information, and seek advice from the Office of the Privacy Commissioner in cases of doubt. In particular, Ministers and departments must handle personal information in accordance with the information privacy principles, as set out in section 6 of the Privacy Act 1993.

8.58 If a Minister requests personal information about an individual from his or her own department in order to deal with a portfolio issue, the department should in general provide that information to the Minister unless there is a legal obligation not to do so. (The statutory provisions protecting information collected by the Inland Revenue Department are an example of such an obligation.) The information privacy principles, as set out in section 6 of the Privacy Act 1993, should be carefully considered in relation to any such request.

8.59 If a Minister wishes to access information about an individual that is held by a department in another portfolio area, the Minister should, in line with the general principle that Ministers deal only with their own departments, seek assistance from the Minister with responsibility for that area. (See paragraph 3.18.)

8.60 The disclosure of information about an individual by Ministers is governed by both the Official Information Act 1982 and the Privacy Act 1993.

  1. If the person to whom the information relates requests the information, the request must be considered in accordance with the Privacy Act 1993. Principle 6, in section 6 of the Act, gives individuals a legal right to access such personal information. Sections 27 to 32 of the Act set out reasons why such individual access request may be refused.
  2. If another person requests the information, the request must be considered in accordance with the Official Information Act 1982. Section 9 of that Act provides that individual privacy may justify withholding the information, if there is no overriding public interest in release. It will be important to consider the principles of the Privacy Act 1993 when balancing competing interests under section 9.
  3. A release by a Minister of information about an individual, in the absence of a request for it, is governed by Principle 11 of the Privacy Act 1993. That principle allows only limited situations in which it would be appropriate to disclose personal information; for example:
    • if the disclosure is directly related to the purposes for which the information was obtained;
    • if disclosure is authorised by the individual concerned; or
    • if disclosure is necessary to prevent a serious threat to public health or the life of another individual.

8.61 Further guidance can be found on the Privacy Commissioner's website, www.privacy.org.nz.