Your responsibilities

Personal information is a useful and valuable commodity. Other people or organisations may want to use personal information you have collected through your organisation, rather than collecting it themselves.

Below are guidelines for using and disclosing personal information:

Make sure personal information is accurate

Before you use personal information, check that it’s accurate, up-to-date, complete, relevant and not misleading.

Incorrect information isn't any use to you, and it could lead you to make wrong decisions about the person involved.

Privacy principle 8 governs the accuracy of personal information.

Don’t keep personal information for longer than you need

The Privacy Act doesn’t specify how long you can keep personal information – only that agencies shouldn’t keep information for longer than they need it.

Your agency can set its own policies. It can be expensive to store and secure large quantities of information. Holding more information means a greater risk of a privacy breach. However, retaining key information can be helpful, for example if a customer returns to your service.

Privacy principle 9 governs the retention of personal information.

Disposing of personal information

Dispose of personal information securely so that no-one can retrieve it.

For example:

remove names, addresses and birthdates from documents before you dispose of them
use shredders and secure destruction services
wipe hard drives fr machines – including photocopiers – before you sell or decommission them
delete back-up files as well as originals.

Use information for the purpose you got it

Generally, only use personal information for the purpose for which you collected it. People get upset if you use their information without their knowledge or permission, and you risk losing their trust.

There are circumstances under which you may be able to use personal information for a new purpose, for example:

when you have the permission of the person the information is about
if it’s directly related to the purpose for which you gathered the information
if it’s necessary to uphold or enforce the law.

Privacy principle 10 governs the use of personal information.

Only disclose personal information if you have a good reason

Be careful about disclosing personal information to people, both inside and outside your agency. You can only do this in some situations, such as when:

you have the permission of the person the information is about
another law requires you to disclose it
it’s one of the purposes for which you got the information
it’s necessary to uphold or enforce the law
it’s necessary for court proceedings
you disclose it in a form that doesn’t identify the person it’s about.

Privacy principle 11 governs disclosure of personal information.

Sending personal information overseas

A business or organisation may only disclose personal information to another organisation outside New Zealand if the receiving organistion:

is subject to the Privacy Act because they do business in New Zealand
is subject to privacy laws that provide comparable safeguards to the Privacy Act
agrees to adequately protect the information, e.g. by using model contract clauses.
is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.

Privacy principle 12 governs sending information overseas.

Unique identifiers

A business or organisation may only use a unique identifier (such as a driver licence number) where it is necessary. They must take reasonable steps to protect unique identifiers from misuse.

Privacy principle 13 governs unique identifiers.