At the core of the Privacy Act are 12 information privacy principles that set out how agencies may collect, store, use and disclose personal information.

The Privacy Act uses the term "agency". An agency is any individual, organisation or business, whether in the public sector or the private sector. There are a few exceptions such as MPs, courts, and the news media. Generally, though, if a person or body holds personal information, they have to comply with the privacy principles. See the Privacy Act, section 2, for the full definition of "agency".

"Personal information" is any information about an individual (a living natural person) as long as that individual can be identified.

The privacy principles

Principle 1: Purpose of collection of personal information

Personal information must not be collected unless:

  • the collection is for a lawful purpose connected with a function or activity of the agency collecting the information; and
  • it is necessary to collect the information for that purpose.

Principle 2: Source of personal information

Personal information must be collected directly from the individual concerned.

The exceptions to this are when the agency collecting the information believes on reasonable grounds that:

  • the information is publicly available; or
  • the individual concerned authorises collection of the information from someone else; or
  • the interests of the individual concerned are not prejudiced; or
  • it is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings; or
  • complying with this principle would prejudice the purposes of collection; or
  • complying with this principle would not be reasonably practical in the particular case; or
  • the information will not be used in a form that identifies the individual; or
  • the Privacy Commissioner has authorised collection under section 54.

Principle 3: Collection of information

When an agency collects personal information directly from the individual concerned, it must take reasonable steps to ensure the individual is aware of:

  • the fact that the information is being collected;
  • the purpose;
  • the intended recipients;
  • the names and addresses of who is collecting the information and who will hold it;
  • any specific law governing provision of the information and whether provision is voluntary or mandatory;
  • the consequences if all or any part of the requested information is not provided; and
  • the individual's rights of access to and correction of personal information.


These steps must be taken before the information is collected or, if this is not practical, as soon as possible after the information is collected.

An agency is not required to take these steps if they have already done so in relation to the same personal information, or information of the same kind, on a recent previous occasion.

It is also not necessary to comply with this principle if the agency collecting the information believes on reasonable grounds that:

  • collection is already authorised by the individual concerned; or
  • it is not prejudicing the interests of the individual concerned; or
  • it is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings; or
  • complying with this principle will prejudice the purposes of collection; or
  • complying with this principle is not reasonably practical in the particular case; or
  • the information will not be used in a form in which the individual concerned is identified.

Principle 4: Manner of collection of personal information

Personal information must not be collected by:

  • unlawful means; or
  • means that are unfair or intrude unreasonably on the personal affairs of the individual concerned.

Principle 5: Storage and security of personal information

An agency holding personal information must ensure that:

  • there are reasonable safeguards against loss, misuse or disclosure; and
  • if it is necessary to give information to another person, such as someone working on contract, everything reasonable is done to prevent unauthorised use or unauthorised disclosure of the information.

Principle 6: Access to personal information

Where personal information is held in a way that it can readily be retrieved, the individual concerned is entitled to:

  • obtain confirmation of whether the information is held; and
  • have access to information about them.


An agency may refuse to disclose personal information for a range of reasons, including that it would:

  • pose risks to New Zealand's security or defence;
  • breach confidences with another government;
  • prevent detection of criminal offences or the right to a fair trial;
  • endanger the safety of an individual;
  • disclose a trade secret or unreasonably prejudice someone's commercial position;
  • involve an unwarranted breach of another individual's privacy;
  • breach confidence where the information has been gained solely for reasons to do with the individual's employment, or to decide whether to insure the individual;
  • be contrary to the interests of an individual under the age of 16;
  • breach legal professional privilege;
  • reveal the confidential source of information provided to a Radio New Zealand or Television New Zealand journalist; or
  • constitute contempt of court or the House of Representatives.


Requests can also be refused, for example, if the agency does not hold the information or if the request is frivolous or vexatious.

Principle 7: Correction of personal information

Everyone is entitled to:

  • request correction of their personal information;
  • request that if it is not corrected, a statement is attached to the original information saying what correction was sought but not made.


If agencies have already passed on personal information that they then correct, they should inform the recipients about the correction.

Principle 8: Accuracy of personal information to be checked before use

An agency must not use or disclose personal information without taking reasonable steps to check it is accurate, complete, relevant, up to date, and not misleading.

Principle 9: Personal information not to be kept for longer than necessary

An agency holding personal information must not keep it for longer than needed for the purpose for which the agency collected it.

Principle 10: Limits on use of personal information

Personal information obtained in connection with one purpose must not be used for another.

The exceptions include situations when the agency holding personal information believes on reasonable grounds that:

  • the use is one of the purposes for which the information was collected; or
  • the use is directly related to the purpose the information was obtained for; or
  • the agency got the information from a publicly available publication; or
  • the individual concerned has authorised the use; or
  • the use is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings; or
  • the use is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual; or
  • the individual concerned is not identified; or
  • the use is authorised by the Privacy Commissioner under section 54.

Principle 11: Limits on disclosure of personal information

Personal information must not be disclosed unless the agency reasonably believes that:

  • the disclosure is in connection with, or directly related to, one of the purposes for which it was obtained; or
  • the agency got the information from a publicly available publication; or
  • disclosure is to the individual concerned; or
  • disclosure is authorised by the individual concerned; or
  • it is necessary for a public sector agency to disclose the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings; or
  • disclosure is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual; or
  • disclosure is necessary to facilitate the sale of a business as a going concern; or
  • the information is to be used in a form in which the individual concerned is not identified; or
  • disclosure has been authorised by the Privacy Commissioner under section 54.

Principle 12: Unique identifiers

Unique identifiers - such as IRD numbers, bank customer numbers, driver's licence and passport numbers - must not be assigned to individuals unless this is necessary for the organisation concerned to carry out its functions efficiently. The identifiers must be truly unique to each individual (except in some tax related circumstances), and the identity of individuals must be clearly established. No one is required to disclose their unique identifier unless it is for, or related to, one of the purposes for which the identifier was assigned.

The Government is not allowed to give people one personal number to use in all their dealings with government agencies.

Exceptions to the principles

Many of the principles have built-in exceptions. It's important to read the principles together with their exceptions to see how they relate to particular circumstances. The exceptions to principle 6 are set out in sections 27-29 of the Act.

It's up to the person wanting to claim that an exception applies to prove that the exception applies.

Section 7 of the Privacy Act states, in effect, that if another statute is contrary to the privacy principles, that other statute will 'trump' the Privacy Act.

The privacy principles do not cover an individual who collects or holds personal information solely or principally for personal, family or household reasons.

This fact sheet is designed to provide general information about the Privacy Act 1993. It is not a detailed legal analysis. If you need more specific information, please see the Privacy Act in full, contact the Office of the Privacy Commissioner on 0800 803 909, email enquiries@privacy.org.nz or seek legal advice.

Reprinted by the Office of the Privacy Commissioner, March 2006.