Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Privacy Act & codes

Section 26 of the Privacy Act requires the Privacy Commissioner to review the operation of the Act as soon practicable after it had been in force for three years. The first review was completed in November 1998 and resulted in a 420 page report Necessary and Desirable: Privacy Act 1993 Review (generally referred to as Necessary and Desirable). This contained 154 recommendations for amendment or further study.

You can read the Privacy Commissioner's latest report on the current operability of the Act here.

In the 2016 update report, Mr Edwards notes privacy law reform has been under consideration since 1998, including the wide-ranging Law Commission review from 2008-2011. These reviews and the government response have formed the basis for the proposed modernisation of the Privacy Act, as led by the Ministry of Justice.

But he notes there are apparent gaps and weaknesses in the Privacy Act’s enforcement framework that need to be addressed if the reforms proposed are to introduce an effective and modernised form of privacy regulation.

The Commissioner is proposing six recommendations:

  • empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate)
  • an update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised
  • introducing data portability as a consumer right
  • an additional power to require an agency to demonstrate its ongoing compliance with the Act which would enable the Privacy Commissioner to proactively identify and respond to systemic issues
  • narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner; and
  • reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.

Mr Edwards says these recommendations will help to ensure that New Zealand’s privacy framework will be fit for purpose in the current environment and for foreseeable developments in the future.

To download documents please click the following links:

  • Necessary and Desirable - highlights document (PDF file 42 pages 3.61MB)
  • Necessary and Desirable  - the 1998 report (Warning: large document, PDF file 434 pages, 2.44MB)
  • Necessary and Desirable - the 1998 report in separate chapters:
Content Preface Introduction
Background Part I Part II
Part III Part IV Part V
Part VI Part VII Part VIII
Part IX Part X Part XI
Part XII Schedules Summary of Recommendations
Appd A Appd B Appd C
Appd D Appd E Appd F
Appd G Appd H Appd I
Appd J    

Section 26 also requires further periodic reviews. The Commissioner has submitted several short supplementary reports noting developments that might affect the recommendations. These reports included a number of supplementary recommendations.


Necessary and Desirable made some recommendations in relation to information matching but anticipated that a further specialised review of the information matching rules would be needed. The Commissioner undertook a supplementary review and submitted a further report on information matching in June 2001, and a supplementary report in 2003.

Other material on the 1998 review

The 1998 review involved a series of stages of research, consultation and analysis. In the public phase of the review, the Office of the Privacy Commissioner released 12 discussion papers:

DP1 Structure and Scope DP 2 Information Privacy Principles
DP 3 Access and Correction DP 4 Codes of Practice and Exemptions
DP 5 Public Register Privacy Issues DP 6 Complaints and Investigation
DP 7 Information Matching DP 8 Law Enforcement Information
DP 9 Compliance and Administration Costs DP 10 Interaction with other Laws
DP 11 Intelligence Organisations DP 12 New Privacy Protections

Four volumes of submissions:
volume 1 : DP1, DP2, DP3, DP4, DP5
volume 2 : DP6, DP7, DP8, DP9, DP10, DP11, DP 12
volume 3 : Part 1, Part 2, Part 3
volume 4 : Part 1, Part 2 were received.

The Office of the Privacy Commissioner has compiled complete sets of all the submissions and some specialist compilations in particular areas (such as complaints, compliance costs, public registers and intelligence organisations).

Journal articles

In December 1998 the journal Privacy Law & Policy Reporter devoted a special issue to the Privacy Commissioner's report: