Email this page

Send this page to a friend.

This page is printer friendly.

Frequently asked questions

How does the Privacy Act work?

The Privacy Act governs how individuals, organisations and businesses collect, use, disclose, store and give access to personal information.

The core of the Act is the 12 information privacy principles. These give individuals important rights to control what is done with information about them.

However, the principles have some exceptions. The Act balances privacy needs with other important social needs, such as public safety or prevention or detection of crime.

Sometimes other statutes will override the Privacy Act. 

What does the Privacy Commissioner do?

The Privacy Commissioner has broad powers to enquire into any matter if she believes that the privacy of the individual is being, or is likely to be, infringed.

The Commissioner’s responsibilities include:

  • investigating complaints;
  • monitoring proposed legislation;
  • considering and commenting on government policy;
  • making statements on privacy issues;
  • issuing codes of practice;
  • reviewing authorised data matching programmes; and
  • promoting understanding of privacy principles.

Can I make a complaint to the Privacy Commissioner?

Yes. Anyone can complain to the Privacy Commissioner that an action by another person or organisation is an “interference with privacy” under the Privacy Act. 

What does “interference with privacy” mean?

An “interference” with privacy is a legal term that involves two aspects. First, there must be a breach of the law and, second, there must be some harm that arose from it.

The breach may be of:

  • one of the Privacy Act’s 12 privacy principles, which govern how people and organisations collect, use, disclose, store and give access to personal information; or
  • a Privacy Code of Practice that governs a specific area, such as the Health Information Privacy Code; or
  • the privacy provisions relating to data matching between government agencies.


The breach must have led to (or may lead to):

  • financial loss or other injury; or
  • adverse effect on a right, benefit, privilege, obligation or interest; or
  • significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.


Importantly, there is no requirement to show harm in a complaint about access to or correction of personal information.

For real examples of complaints that have been considered by the Privacy Commissioner, see our case notes. 

Do I have to pay to make a complaint?

No. 

Can I resolve the problem myself?

Absolutely. The Privacy Commissioner encourages people to try to resolve matters themselves before making a complaint to her Office. An early and informal resolution can save time, stress and money.

First, you should ask the individual or organisation who you think is at fault to put the matter right. You should also say what you want it to do – for instance, make an apology, or give an assurance it will not happen again.

If you don’t think you know enough about privacy yet to resolve things yourself, give us a call on 0800 803 909 and we’ll try to give you information to help you.

How do I make a complaint?

Contact the Office of the Privacy Commissioner enquiries team on (09) 302 8680 if in Auckland, or in other areas 0800 803 909, or email enquiries@privacy.org.nz.

It’s often helpful if you fill in a complaint form. We also have guidelines for people filling in the form. 

What happens after I’ve made a complaint?

As long as the complaint involves a Privacy Act matter, the Commissioner will often try to settle the complaint by conciliation and mediation. Many privacy complaints can be solved without a formal investigation. 

What happens during a complaint investigation?

An investigation involves gathering the relevant facts from the parties and, if necessary, other people too. This can take some time, depending on how complex the complaint is.

We need to receive copies of all relevant documents and information. The earlier this is done, the quicker the investigation process will be. Throughout the investigation, we try to make sure that all parties know what is going on, and that they have a chance to comment.

Many complaints are settled during the course of an investigation, without the need for the Commissioner to form an opinion on how the law applies in the particular case. 

What happens when the investigation is finished?

If the complaint is not settled during the investigation, the Privacy Commissioner will form a provisional opinion on how the law applies to the complaint. She sends it to the affected party and seeks their comments.

Once she has taken those comments into account, and if the matter is still not settled or withdrawn, the Commissioner will form her final opinion.

Her opinion is not legally binding, but it is taken seriously. 

Are all investigations completed?

No.

  • Sometimes a complaint is settled before the investigation is completed.
  • Sometimes it becomes clear that the complaint cannot be dealt with under the Privacy Act.
  • Sometimes the Commissioner may decide to discontinue the investigation, because further investigation is not necessary or is inappropriate. A complainant is given a chance to comment before a complaint is discontinued.

Does the Privacy Commissioner have to investigate my complaint?

No. Sometimes the Privacy Commissioner will decide not to investigate a complaint or not to investigate it fully.
For example:

  • The law may say that an internal complaints procedure must be followed before making a complaint to the Commissioner; or
  • another law may override the Privacy Act; or
  • the incident happened too long ago (so we cannot investigate properly); or
  • the complaint does not involve a potential breach of one of the Privacy Act’s privacy principles; or
  • the complaint relates to what someone did in relation to their personal, family or domestic affairs; or
  • the complaint may be vexatious.

Is the Privacy Commissioner on my side?

No. The Privacy Commissioner does not take the side of either party. She is also completely independent of the government. 

Can the Privacy Commissioner fine or prosecute anyone?

No. The Privacy Commissioner cannot fine or prosecute anyone. Instead, the Privacy Act aims to settle privacy disputes, often after investigation, and aims to educate people on how to comply with the Act. 

Can the Privacy Commissioner order an organisation to pay me money?

No. The Privacy Commissioner cannot make the parties to a complaint settle. Nor can she order a compensation payment.

However, the Commissioner’s opinion is an important indication of whether there has been a breach of the Privacy Act and her views are taken seriously. 

Can I see everything on my complaint file?

No. The Privacy Commissioner has to maintain secrecy in handling complaints. This is so that matters can be freely investigated and people are willing to cooperate freely and frankly.

You can see copies of anything that you wrote to us, or that we wrote to you. But you can’t see copies of what the other party wrote to us, or what we wrote to them. 

What happens if a complaint can’t be resolved?

If the Privacy Commissioner forms the opinion that there is an interference with privacy, she may refer the matter to the Director of Human Rights Proceedings.

The Director will decide whether to take the complaint to the Human Rights Review Tribunal.

If the Commissioner forms the opinion that there has not been an interference with privacy, the complainant can still take the matter to the Human Rights Review Tribunal. 

What can the Human Rights Review Tribunal do?

The Tribunal makes a legally binding decision about the Privacy Act complaint. It hears the complaint afresh – it is not bound by the Privacy Commissioner’s opinion.

The Tribunal can award various remedies including:

  • a declaration that the agency breached the law;
  • an order preventing repetition of the breach;
  • an order to do something to rectify the breach;
  • damages.


It can also make an award of costs against the losing party in a case. 

What is a Privacy Officer?

Every organisation, from small private sector companies to large government departments, is responsible for ensuring that it has a privacy officer.

In most businesses an existing staff member should be able to act as the privacy officer.

A large company with offices in different cities may need a privacy officer in each location, while a large government department may need several full-time privacy officers.

Privacy officers encourage compliance with the Privacy Act, train staff in privacy matters, monitor the agency’s policies to check compliance, handle requests for and general issues about personal information, and work with the Privacy Commissioner when she is investigating a privacy complaint against the organisation. 

I’ve been appointed Privacy Officer – where do I go for help?

No special training or qualification is required to be a Privacy Officer, but you do need to understand the Privacy Act’s privacy principles.

The Privacy Commissioner arranges seminars for privacy officers from time to time, and can supply information explaining what organisations need to know to comply with the Privacy Act. 

We’ve received a complaint but didn’t know we should have a Privacy Officer – what do we do?

Nominate someone to be your privacy officer to deal with the complaint. They should try and resolve it in-house first. They can do this by:

  • talking to the complainant;
  • investigating as appropriate; and
  • determining what action needs to be taken;
  • keeping the complainant informed about what is happening during this process.


We can provide information about the Privacy Act, if you need it. Call our freephone number: 0800 803 909 or email enquiries@privacy.org.nz

Does the Privacy Act only apply to information about clients and customers?

No. All personal information is covered, including personal information about employees.