The Privacy Act governs how individuals, organisations and businesses collect, use, disclose, store and give access to personal information.
The core of the Act is the 12 information privacy principles. These give individuals important rights to control what is done with information about them.
However, the principles have some exceptions. The Act balances privacy needs with other important social needs, such as public safety or prevention or detection of crime.
Sometimes other statutes will override the Privacy Act.
The Privacy Commissioner has broad powers to enquire into any matter if she believes that the privacy of the individual is being, or is likely to be, infringed.
The Commissioner's responsibilities include:
Yes. Anyone can complain to the Privacy Commissioner that an action by another person or organisation is an "interference with privacy" under the Privacy Act.
An "interference" with privacy is a legal term that involves two aspects. First, there must be a breach of the law and, second, there must be some harm that arose from it.
The breach may be of:
The breach must have led to (or may lead to):
Importantly, there is no requirement to show harm in a complaint about access to or correction of personal information.
For real examples of complaints that have been considered by the Privacy Commissioner, see our case notes.
No.
Absolutely. The Privacy Commissioner encourages people to try to resolve matters themselves before making a complaint to her Office. An early and informal resolution can save time, stress and money.
First, you should ask the individual or organisation who you think is at fault to put the matter right. You should also say what you want it to do - for instance, make an apology, or give an assurance it will not happen again.
If you don't think you know enough about privacy yet to resolve things yourself, give us a call on 0800 803 909 and we'll try to give you information to help you.
Contact the Office of the Privacy Commissioner enquiries team on 0800 803 909, or email enquiries@privacy.org.nz.
It's often helpful if you fill in a complaint form. We also have guidelines for people filling in the form.
As long as the complaint involves a Privacy Act matter, the Commissioner will often try to settle the complaint by conciliation and mediation. Many privacy complaints can be solved without a formal investigation.
An investigation involves gathering the relevant facts from the parties and, if necessary, other people too. This can take some time, depending on how complex the complaint is.
We need to receive copies of all relevant documents and information. The earlier this is done, the quicker the investigation process will be. Throughout the investigation, we try to make sure that all parties know what is going on, and that they have a chance to comment.
Many complaints are settled during the course of an investigation, without the need for the Commissioner to form an opinion on how the law applies in the particular case.
If the complaint is not settled during the investigation, the Privacy Commissioner will form a provisional opinion on how the law applies to the complaint. She sends it to the affected party and seeks their comments.
Once she has taken those comments into account, and if the matter is still not settled or withdrawn, the Commissioner will form her final opinion.
Her opinion is not legally binding, but it is taken seriously.
No.
We may not always investigate a complaint, or we may not investigate it fully. For example, this might be because:
We are impartial and do not take the side of either party. Also, we are independent of Government.
No. The Privacy Commissioner cannot fine or prosecute anyone. Instead, the Privacy Act aims to settle privacy disputes, often after investigation, and aims to educate people on how to comply with the Act.
We cannot make the parties settle, or settle on particular terms, for example by paying money. We also cannot make an agency give a complainant particular information. We cannot force an agency to comply with the Privacy Act, nor do we make rulings or determinations.
Our opinion, though, is an important indication of whether there has been a breach of the Privacy Act. Our views are taken seriously.
Communications with us are protected by law. Usually, we do not share the actual correspondence that we receive, but we do ensure that each party knows what we are investigating and why, so that they have a chance to tell us their views. We have to maintain secrecy in handling complaints. This ensures that people can talk openly and frankly to us. This in turn makes sure that we can get the information we need to investigate properly and help you to settle the problems.
If the Privacy Commissioner forms the opinion that there is an interference with privacy, she may refer the matter to the Director of Human Rights Proceedings.
The Director will decide whether to take the complaint to the Human Rights Review Tribunal.
If the Commissioner forms the opinion that there has not been an interference with privacy, the complainant can still take the matter to the Human Rights Review Tribunal.
The Tribunal makes a legally binding decision about the Privacy Act complaint. It hears the complaint afresh - it is not bound by the Privacy Commissioner's opinion.
The Tribunal can award various remedies including:
It can also make an award of costs against the losing party in a case.
Every organisation, from small private sector companies to large government departments, is responsible for ensuring that it has a privacy officer.
In most businesses an existing staff member should be able to act as the privacy officer.
A large company with offices in different cities may need a privacy officer in each location, while a large government department may need several full-time privacy officers.
Privacy officers encourage compliance with the Privacy Act, train staff in privacy matters, monitor the agency's policies to check compliance, handle requests for and general issues about personal information, and work with the Privacy Commissioner when she is investigating a privacy complaint against the organisation.
No special training or qualification is required to be a privacy officer, but you do need to understand the Privacy Act's privacy principles.
The Privacy Commissioner arranges seminars for privacy officers from time to time, and can supply information explaining what organisations need to know to comply with the Privacy Act.
Nominate someone to be your privacy officer to deal with the complaint. They should try to resolve it in-house first. They can do this by:
We can provide information about the Privacy Act, if you need it. Call our freephone number: 0800 803 909 or email enquiries@privacy.org.nz.
No. All personal information is covered, including personal information about employees.