Privacy Act & codes

(1) Where an agency collects personal information directly from the individual concerned, the agency shall take such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of -

(a) the fact that the information is being collected; and

(b) the purpose for which the information is being collected; and

(c) the intended recipients of the information; and

(d) the name and address of -

(i) the agency that is collecting the information; and

(ii) the agency that will hold the information; and

(e) if the collection of the information is authorised or required by or under law -

(i) the particular law by or under which the collection of the information is so authorised or required; and

(ii) whether or not the supply of the information by that individual is voluntary or mandatory; and

(f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and

(g) the rights of access to, and correction of, personal information provided by these principles.

(2) The steps referred to in subclause (1) shall be taken before the information is collected or, if that is not practicable, as soon as practicable after the information is collected.

(3) An agency is not required to take the steps referred to in subclause (1) in relation to the collection of information from an individual if that agency has taken those steps in relation to the collection, from that individual, of the same information or information of the same kind, on a recent previous occasion.

(4) It is not necessary for an agency to comply with subclause (1) if the agency believes, on reasonable grounds -

(a) that non-compliance is authorised by the individual concerned; or

(b) that non-compliance would not prejudice the interests of the individual concerned; or

(c) the non-compliance is necessary -

(i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or

(ii) for the enforcement of a law imposing a pecuniary penalty; or

(iii) for the protection of the public revenue; or

(iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or

(d) that compliance would prejudice the purposes of the collection; or

(e) that compliance is not reasonably practicable in the circumstances of the particular case; or

(f) that the information -

(i) will not be used in a form in which the individual concerned is identified; or

(ii) will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

Agencies should be open when collecting information. They need to make sure that the person will not be surprised about how that information is used later on, or who it will be given to.

What steps do agencies need to take to tell people about the collection of their information?
Agencies must take reasonable steps to ensure that the person they are collecting information from is aware, among other things, of why it is being collected and who might receive it. What the reasonable steps are will depend on the circumstances of the particular case.

Agencies do not necessarily have to inform people in writing about the collection and use of their information. The Privacy Act does not set out how agencies should tell people. However, if there are a lot of details involved, it is best to put these in writing. This should make it easier for the person to understand those details and to remember them. It will also help both the agency and the individual if they want to refer back to what was said - this may help to avoid uncertainty or clear up disputes later on.

Sometimes, a brochure or a sign in a public area will be enough to inform people that information will be collected and what it will be used for. For example, a company operating security cameras in a car park simply needs to have a sign in place to let people know that security cameras are operating.

Verbal explanations are more suitable than written explanations for some situations. For example, telephone market research surveys have to provide a clear verbal explanation, to let people know what will happen to their information.

Does this requirement still apply in emergencies?
There often won't be time to spell everything out in an emergency.

For example, if a doctor urgently needs to collect information about a patient's medical conditions in order to treat them while they are having a heart attack, the doctor is unlikely to be able to give details about who will receive the information later. Once the emergency has passed, the doctor can then let the person know that information was collected from them, why it was collected and how it will be used.

Our company regularly collects personal information from the same customers. Do we need to go through the collection details with them every time we collect the information?
Not if you are collecting the same kinds of information from customers on a reasonably regular basis and using it for the same purposes each time. Principle 3 requires agencies to do what is reasonable in the circumstances to make individuals aware of what their personal information will be used for and who may see it.

An agency needs to ensure it makes people aware of how their information will be used the first time the agency collects it from them. It also needs to inform the people it deals with regularly of any changes to the ways it deals with their information.

For general discussion of an agency's rule 3 obligations, see HRRT decision AB v Accident Compensation Corporation (decision 17/02) reference no. 40/2002.

Principle 3(1)(a) - collection of information by an agency
An agency must tell people that it is collecting information about them. It will often be apparent because a person is asked direct questions, but there may be times when it is not so obvious.

For example, an agency may have CCTV cameras monitoring some of its areas and collecting information about the people that pass through those areas without them necessarily being aware of this. The agency could let people know that cameras are operating by having signs up in those areas.

Another situation where it may not be clear that information is being collected is where an employer talks to a staff member in what appears to be an informal discussion, but the employer is in fact gathering information to include in that person's file.

Or it may not be obvious that a website is recording information about a visitor.

In these cases, the agency (the employee or website operator, for example) should tell the person that they are collecting information. See Case Note 18302 [2001] NZPrivCmr 8

Principle 3(1)(b) - reasons for collection of information
In almost all cases, agencies have to be open about their purposes for collecting personal information. At the time an agency collects personal information from an individual it should tell the person its reasons for collecting that information and what it will be used for. If it's genuinely not possible to tell the person at the time, the agency should do so as soon as it can.

The person should not be surprised later on about how that information is used.

How much detail do I have to give a person when I collect information from them?
It will depend on the circumstances. Some ways an agency will want to use information will be more obvious so it will not need to set these out in as much detail. However, other uses might be less obvious so the agency may need to explain these more fully.

What if I've told someone why I'm collecting their personal information but later I think of other ways I'd like to use it?
Generally you shouldn't use information for any purposes that you didn't tell the person about when you collected it.

If you have a genuine need to use it in a different way later, you either have to go back to that person and get their permission to use it for that new purpose, or have another exception in principle 10 that you can rely on.

You may be able to use the information if it is for a purpose that is directly related to the one that you originally gathered the information for. For more information on what a directly related purpose is see Principle 10(e).

See Case Note 22171 [2001] NZPrivCmr 11
Case Note 15052 [1999]

Principle 3(1)(c) - say who is going to get the information

When an agency collects personal information from someone it must tell that person who it might give the information to. It does not have to list every possible person it might pass personal information to - it will be enough to give a general idea of who is likely to see the information and why they might see it.

An agency should be as open as possible about who it might give someone's personal information to, so there are no surprises later on. For example, a hospital patient should be informed who is likely to see their medical notes. Doctors and nurses are obvious recipients, so it may not be necessary to spell this out. But medical researchers or hospital chaplains would not be so obvious.

It is an important part of people's privacy rights to understand who will see their information. It is also important to tell people the reasons that an agency will or might give their personal information to other people, organisations or agencies.

Letting a person know why you want personal information and who you are likely to give it to allows them to make an informed decision about the information they supply.

I keep receiving marketing material from a company I've never even heard of. It says it bought my details from another company I dealt with once. Could it do that?
The original company you dealt with could sell your details to a direct marketing company if, at the time that it collected details from you, it told you and you agreed. If it did not tell you, then it should not have passed on your details without getting your permission to do so.

See Case Note 19399 [2002] NZPrivCmr 1
Case Note 2418 [1999]

Principle 3(1)(d) - contact details of agencies collecting and holding information
People have a right to know which agencies hold their personal information and where they can be contacted to ask for access to or correction of their information.

To help with this, agencies collecting personal information must give people their contact details and the contact details of any agencies that will hold the information.

The agency that collects the personal information and the agency that holds it may be the same. But, sometimes an agency will collect personal information on behalf of another one, which will then hold it. For example, a firm could be hired to conduct research on behalf of a client company. The firm will be the agency that collects the information directly but it will pass at least some information to the client company - the client is the agency that will hold that information.

Access to and correction of personal information are important rights, set out under principle 6 and principle 7 of the Privacy Act.

Principle 3(1)(e) - collection of information authorised or required by law
If the collection of personal information is required by law then individuals must be told which law authorises or requires the agency to collect the information, and whether the supply of the personal information is voluntary or mandatory.

What laws authorise agencies to collect personal information?
There are many statutes that allow agencies to collect personal information about individuals. Some examples include:
• The Sale of Liquor Act 1989: Agencies holding liquor licences can sight evidence of the ages of people they are selling liquor to in order to make sure they are over 18 years of age.
• The Social Security Act 1974: Work and Income can collect information about individuals who apply for benefits, to determine they meet the criteria to receive one.
• The Police Act 2008: The Police have various powers to collect personal information for law enforcement purposes.

When is supplying information mandatory?
Some statutes require people to supply information, no matter what. For example, the Statistics Act 1975 requires every person in New Zealand to complete an individual form for the census (or have one filled in for them). The Tax Administration Act 1994 makes it compulsory for a taxpayer to supply IRD with certain information.

See Case Note 43927 [2003] NZPrivCmr 10

Principle 3(1)(f) - consequences of not supplying information
When an agency collects personal information from an individual, it must tell them the consequences (if any) of not supplying the information. For example, not supplying certain information could mean an agency will not be able to carry out a service, or carry it out effectively.

Telling an individual about the consequences of not supplying information allows them to make an informed choice about supplying it or not.

I'm applying for a job and the employer says if I don't supply the name of a referee from my current employer I won't get the job. Can they do that?
Yes, they can. The employer has asked you for information and explained the consequences of not supplying it. It is up to you whether you wish to give this information. It is also up to the employer to decide whether it will proceed with your job application if you do not supply it.

A form to apply for a shop loyalty card included all sorts of questions about my income and personal life. I felt uncomfortable about giving the information but wanted the card so I filled in the form. Can a shop ask for all that information?
Yes, it can. Again, if supplying certain information is a condition of receiving a service or benefit then you can choose whether you want to supply the information. The business is not breaching principle 3(1)(f) as long as it tells you the consequences of not supplying the information. However, if the business is collecting more information than it needs to fulfil its purpose(s) that may raise issues under principle 1.

See Case Note 43927 [2003] NZPrivCmr 10

Principle 3(1)(g) - access to and correction of personal information
When an agency collects personal information from someone it must tell them their rights of access to the information and to ask for it to be corrected if they think it is inaccurate.

Principle 6 gives individuals the right to ask for access to information that an agency holds about them. Principle 7 gives individuals the right to ask that an agency that holds personal information about them correct that information if they think it is inaccurate. These are important rights that individuals should know about at the time that information is collected from them.

Principle 3(4) - when is it ok not to tell the person these things?

Principle 3 contains exceptions that are very similar to principle 2(2)(d).

The exceptions mean that agencies do not have to comply with principle 3(1) - where an agency must let individuals know:
- that it is collecting personal information from them;
- why it's being collected;
- who will see it;
- the details of the agencies collecting and holding the information;
- any legal requirements for collecting the information; and,
- any consequences for not providing it.

An agency does not have to comply with the requirement to make an individual aware of the information set out in principle 3(1) in certain circumstances. These circumstances are set out in principle 3(4).

Principle 3(4)(a) - non-compliance authorised by the individual
This exception allows an agency to collect information from an individual without making them aware of the information set out in principle 3(1) in circumstances where the agency believes, on reasonable grounds, that the individual has authorised collection on these terms.

Authorisation is stronger than consent. Authorisation generally requires a positive action or decision by an individual, and they have to understand reasonably clearly what they're agreeing to. It is difficult for an agency to argue that an individual has given it implied authorisation to collect information from them.

See Case Note 2976 [1996] NZPrivCmr 1 (about principle 2(2)(b) but still relevant)
Case Note 19740 [2002] NZ PrivCmr 5

See the Human Rights Review Tribunal cases L v J (1999) Decision 9/99, CRT 21/98; L v L (2001) Decision 15/01, CRT 11/01 and L v L (High Court, Auckland, AP95-SW01, 31 May 2002, Harrison J) - implied authorisation to disclose information rather than collect it, but the concept of authorisation is the same.

Principle 3(4)(b) - non-compliance would not prejudice the interests of the individual
This exception allows an agency to collect information from an individual without making them aware of the information set out in principle 3(1) in circumstances where the agency believes, on reasonable grounds, that this would not prejudice the interests of the individual.

Again, this is not an easy exception for an agency to make out. It will generally be in an individual's interests to know what information is being collected from them and for what purpose, together with the other requirements of principle 3(1). Being kept in the dark is usually not helpful. So in order to rely on this exception an agency would need to clearly show that collecting information from an individual while keeping them ignorant of some or all of the requirements of principle 3(1) could have no negative impact on their interests.

See Case Note 60017 [2006] NZ PrivCmr 1

Principle 3(4)(c) - non-compliance is necessary
Principle 3(4)(c) allows an agency to collect personal information from an individual without informing them where informing them would prejudice the maintenance of the law.

Can any agency with a law enforcement function decline to explain the reasons why they are collecting personal information?
No. The agency would need to establish that doing so would prejudice the maintenance of the law in some way. It is not enough for the agency to simply show that it has a law enforcement function.

For example, in Case Note 43927, the Department of Conservation sought to rely on principle 3(4)(c)(iv) of the Act to ask an angler questions without advising him whether the information being requested was required by law or what the consequences were if it was not provided. The Privacy Commissioner accepted that the Department of Conservation had a law enforcement function but was not satisfied that informing the angler of his legal obligations or of the consequences of failing to observe them would prejudice the maintenance of the law.

Can agencies that do not have a law enforcement function rely on this exception?
Sometimes, provided that an agency can establish that non-compliance with Principle 3 is necessary to avoid prejudice to the maintenance of the law. A good example of this is using CCTV surveillance cameras to try and catch someone committing a crime. Such covert methods may be necessary to gather evidence to enable an offender to be prosecuted.

See Case Note 0632, where an employer used hidden cameras in a workplace locker room to find out who was stealing stock from the employer. Usually, principle 3 would require an agency using CCTV cameras to inform employees and/or members of the public that CCTV cameras were being used, the reasons why, how the footage would be used and who it would be shared with. However, if the cameras were being used to investigate a particular offence and people were informed about their use, it is unlikely they would be effective in catching criminals.

Given that CCTV cameras are a very intrusive method of investigation, an agency would have to make sure that they were absolutely necessary in the circumstances (to fit with principle 1). The cameras would also have to be removed as soon as their purpose was fulfilled.

Depending on where the cameras are pointed, this type of surveillance may also raise issues under Principle 4 of the Act.