Confirming a requester’s identity

Charles Mabbett
17 October 2017 at 16:55

Updated by our Guidance team in March 2025.

The Privacy Act gives people the right to access their information. When a person requests their information, the organisation or business must respond to the request within 20 working days. However, sometimes an organisation wants proof that a person is who they say they are, before they action the request. These cases come to us from time to time, so we thought it would be helpful to explain why an organisation needs to be able to verify a person’s identity.

Under Section 45 of the Privacy Act, when an agency receives an access request for personal information, it must take steps to verify the identity of the requestor, or the person who is acting for the requestor.

Police case

A person complained to us that it was unreasonable that Police ask for photo ID in order to comply with an access request. We said we considered Police’s policy of requiring photo ID an acceptable way of meeting its obligations under section 45 of the Act. We agreed with Police that the purpose of photo ID was to satisfy the officer receiving the access request that the requester was who they claimed to be. Photo ID was the quickest and most accurate way to confirm the identity of a person.

Hospital case

A woman requested a copy of her file from a hospital. The hospital told her they had the file ready, but they would not send it until she completed a form, even though she had already sent her details, a copy of her driver’s licence, and a copy of her name change certificate. She was also told that her signature would be required.

The woman believed the hospital’s refusal to send her information until it had received a completed form was an unnecessary step causing undue delay. We contacted the hospital, which said it had told the woman it needed the completed form to make sure there was a record of her request.

Our view was that an agency is entitled to set its own administrative process to make sure it has records of information requests. An agency is also required under the Privacy Act to take appropriate steps to ensure that information intended for a certain person is only received by that person.

Government case

A New Zealander living in another country emailed a request to a New Zealand government agency asking for all the information it held about her. She received a reply that her information was ready to be sent to her, but it could only be delivered by registered mail and only after the woman confirmed in an email that she would not hold the government agency liable or responsible if the information was signed for and opened by another person at her address.

The agency explained to us that it just wanted to ensure the information was sent to the right person because the nature of the information was very sensitive. The agency checked a requestor’s ID carefully before any information was handed over and was cautious in mailing the information out, so we thought that was fair enough.

Risk averse

It is understandable that many organisations are risk averse when responding to requests for personal information. Responding to access requests is an obligation that every organisation has to meet, but we’ve seen many examples where organisations haven’t made the necessary checks. The Privacy Act also says organisations have to keep personal information safe, and that has to be balanced with making it accessible to the right person.

You can find more information in our guidance on responding to requests and complaints well.
