Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

Website logo 275x60

About us

Print | Email this page

Compliance

This section explains how we collect, use and share personal information when we are carrying out our compliance related functions. These include considering and investigating privacy complaints, initiating our own investigations or inquiries, and handling privacy breach notifications.

The personal information we collect about you

Our compliance functions require us to collect more personal information than any of our other functions. We request, receive and use significant amounts of sensitive personal information, including health information and information about political opinions, religious beliefs, and criminal history.

The Privacy Act empowers us to demand the information we need to carry out investigations and inquiries (section 86-87) and also requires us to protect it and only disclose what we consider is necessary to give effect to the Act (section 206). We take care to exercise our information gathering powers appropriately and meet our secrecy obligations at all times.

From you directly

Most of the personal information we collect is provided directly by you, or your authorised representative, when you engage with us and ask us to investigate your complaint, or when we request it from you when you respond to a complaint or an inquiry.

You do not have to provide your personal information to us. However, we may not be able to effectively provide you with services (such as investigating your complaint) or carry out our functions if you do not provide us with the information we need. If you have information that is relevant to an investigation or inquiry, you will have to comply with a demand for that information if we use our statutory powers to request it.

The personal information we may collect from you directly includes:

  • your name
  • your contact details, including your address, email address or phone number
  • information about your authorised representative (if you have one)
  • the content of your complaint, including information about the harm it has caused you (which may be sensitive)
  • your response to a complaint
  • any documents or other information you provide to us as part of a complaint investigation or inquiry
  • correspondence from you about a complaint (we don't record phone calls, but we may keep a summary of our conversations with you)
  • your responses to satisfaction surveys we ask you to complete (these are usually anonymous).

From another person or agency

Our compliance related functions may also require us to receive or request personal information about you from other people or agencies. We have the power to require a person or agency to provide us with information to carry out an investigation or inquiry. Often agencies will provide us with personal information, for example where we are considering whether to investigate a matter, or where they are notifying us of a privacy breach.

We may collect personal information from the following people or agencies:

  • The agency that is the subject of a complaint – including their views about the complaint or copies of personal information they hold and have refused to release
  • Anyone we believe could provide information that is relevant to whether to investigate a complaint, or to an investigation or inquiry, including witnesses to complaint matters (please note that we will usually seek agreement to directly contact witnesses)
  • Anyone notifying us of a privacy breach who provides us with the identity of, or other information about, the individuals affected by the breach

We may also collect publicly available information about you – such as any media reports – where this is relevant to carrying out our compliance functions.

Generated by us as we carry out compliance related functions

In the course of determining whether to investigate a complaint, investigating and resolving complaints, handling privacy breach notifications, or running inquiries, we generate personal information about you.

The personal information we may generate about you includes:

  • correspondence (such as letters and emails), including between our staff or with the staff of other agencies
  • file notes, memoranda, meeting minutes or other records of actions taken
  • legal views or opinions.

What we do with your personal information

How we use it

In order to carry out our compliance functions, we need to use your personal information in the ways set out below. Where we need to use information in a way we have not anticipated here, we will only do so if required or permitted by law or with your authorisation.

We will use your personal information to:

  • contact you about a complaint, inquiry, or privacy breach notification.
  • decide whether to investigate a complaint
  • investigate and resolve a complaint
  • conduct an inquiry
  • communicate with an agency about a notified privacy breach
  • review and improve the delivery of our services, including conducting satisfaction surveys
  • conduct internal statistical analysis and meet our reporting requirements
  • educate others about complying with the Privacy Act, including by releasing de-identified case notes and in exceptional cases naming an agency which has breached the Act.

When we share it

We share personal information where necessary in order to give effect to the Privacy Act including properly carrying out our functions.

We may, for example, share personal information with:

  • another regulator, oversight agency, or complaints body to determine whether to transfer a complaint or where we need to consult on it, including:
    • Office of the Ombudsman, where a complaint relates to official information
    • Health and Disability Commissioner, where a complaint relates to medical treatment
    • Human Rights Commission, where a complaint relates to discrimination
    • Netsafe, where a complaint relates to an online safety or harassment issue
    • CERT NZ, where appropriate to assist with the management of a notified privacy breach
    • Overseas privacy regulator, where a complaint relates to the actions of an overseas agency
  • the Director of Human Rights Proceedings, for the purposes of referring a complaint or the Human Rights Review Tribunal, for the purpose of referring a complaint or assisting the Tribunal
  • the other party to a complaint, for the purpose of investigating and resolving the complaint
  • anyone we believe could provide information that is relevant to whether to investigate a complaint, or to an investigation or inquiry, including witnesses to complaint matters (please note that we will usually seek agreement to directly contact witnesses)
  • any person or agency we believe could assist in responding to a serious privacy breach.
  • the Office of the Ombudsman, where you have complained to that office about our process or actions
  • the Police or another government agency, if required by law (for example to assist with the investigation of a criminal offence), to report significant misconduct or breach of duty or where there is a serious threat to health or safety. If our staff are threatened or abused, we may refer this to the Police.
Back to top