Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.
We respect your Do Not Track preference.
Personal information is any information that is about you or could identify you. Your name is the most basic example, but that’s just the beginning.
Other examples include your address, your contact details, your employment or medical records, bank details, a picture of your face, your NHI number, or sometimes even your opinions on social media. All sorts of things can contain personal information, including notes, emails, recordings, photos and scans, whether they are in hard copy or digital.
The Privacy Act 2020 rules how organisations, government departments and businesses can collect, store, use and share your information. It ensures that:
Almost all organisations and businesses must follow the Privacy Act. This includes hospitals, government departments, clubs, schools, churches, shops and more. In most cases, the Privacy Act does not apply to domestic affairs. This changes when the collection, use, or disclosure of personal information involved is highly offensive.
The Privacy Act has thirteen principles that businesses and organisations must follow when collecting, using, and storing your personal information. The principles are designed to ensure your personal information is protected and respected.
Under the Privacy Act, you can ask any organisation or business for information they hold about you and to correct it if it’s wrong. This right extends to small and large businesses, government departments, schools, sports clubs, charities, and community groups.
Asking for your information
You can request your information via email, letter, phone, or in person. You can also use our easy AboutMe tool to ask for your personal information from any organisation, business, or government agency in New Zealand. Keep a record of what you asked for, when you asked, and who you asked for it from.
They must respond to your request for information within 20 working days. Any organisation or business may, in limited circumstances, extend the 20 working day timeframe, but they must tell you why and when they will give you the information. They can withhold information about you in limited circumstances, but they must tell you why.
You can make an urgent request, but you must explain why it is urgent. Even then, the organisation or business can refuse the request for urgency. If it does, it must give reasons why. They may transfer your request for information if they aren't the right place to help you. If they do this, they must inform you within 10 working days.
If they don't respond, contact their privacy officer. If the privacy officer can't resolve the issue, you can make a complaint to the Privacy Commissioner.
An organisation or business needs to ensure the information they hold about you is accurate. If you think information held about you is wrong (for instance, if they listed an incorrect date of birth), you can ask them to correct it.
If they decline to correct the information, they must explain why and attach a statement of correction from you if you ask them to. A statement of correction should be brief and clear to ensure it can be understood in context.
If an organisation or business refuses to correct your information or attach your statement of correction, you can complain to our office.
Download a PDF factsheet of this information here.