About OPC

Agencies (businesses and organisations) operating in New Zealand must comply with the Privacy Act and its Codes of Practice.

We monitor compliance with the Privacy Act through a range of channels: public inquiries, media reports, privacy complaints, Commissioner-initiated inquiries and investigations, the exercise of the Commissioner’s oversight and monitoring functions, privacy breach reporting, and referrals from other regulators both within New Zealand and internationally. 

Working with agencies we regulate 

Our approach is to try to get agencies to comply voluntarily. We do that by working with them to set expectations of best practice, so they know how to reduce potential harm to people.

Regardless of how we heard about a privacy issue, we’ll always consider:

  • the steps a business or organisation took to comply with their privacy obligations
  • the seriousness of the issue
  • whether the matter is systemic, ongoing or isolated
  • any other factors

This approach is often efficient and effective. Our other tools are outlined below. We will be as open as possible about our compliance and regulatory work when we are dealing with an agency faced with a compliance issue.

The tools we use in our compliance and regulatory work

The diagram below shows the tools we use in our compliance and regulatory work. We encourage non-compliant organisations to move down the pyramid to less costly initiatives that are easier for agencies to achieve. 

The most efficient and effective way to protect people’s privacy is by helping agencies to understand how to do privacy well. That means helping educate them about their obligations and providing guidance and advice to support them to do that.

It’s easier, more cost-effective, and brings less reputational risk for businesses and organisations to operate in the bottom areas of our regulatory action and compliance diagram. Download a copy of the diagram below (opens to PDF, 139KB).

A diagram of a pyramid showing how regulatory action and compliance happens

Regulatory Action and Compliance diagram

Direct and enforce

We take enforcement action where appropriate

OPC has three direction and enforcement tools:

  1. Compliance notices
  2. Access Directions
  3. Prosecution (in specific instances of non-compliance).

Compliance notices

Compliance issues can arise from a specific incident or from repeated or systemic issues. On becoming aware of a compliance issue, the Privacy Commissioner may consider issuing a compliance notice.

A compliance notice is a written notice from the Privacy Commissioner to an agency advising them they are in breach of their statutory obligations. A compliance notice will specify the nature of the breach and require the agency to remedy the breach, by taking certain action or discontinuing certain actions, so that they comply with their statutory obligations. Sometimes they will be required to do this within a specified timeframe.

Compliance notices are enforceable in the Human Rights Review Tribunal if the agency does not comply with the notice or fails to appeal it. The Tribunal may make an order that the agency comply with the notice by a specified date.

Failure to comply with a Tribunal order is an offence, and if prosecuted, an agency could be fined for non-compliance.

Read our Compliance Notice guidelines (opens to PDF, 388KB).

Access directions

The Privacy Commissioner frequently investigates complaints about businesses or organisations failing to give people access to their personal information. After an investigation, the Privacy Commissioner will be able to make binding decisions on these complaints and issue an access direction to the business or organisation concerned.

An access direction is a binding written notice issued to a business or organisation by the Privacy Commissioner. The notice directs the business or organisation to release personal information to an individual.

Read more about Access directions.

Prosecution

OPC can bring prosecutions under the Privacy Act in limited circumstances. This is rare and primarily relates to how people and agencies engage with us. These are:

  • Obstructing the Commissioner.
  • Failing to comply with a lawful requirement of the Commissioner.
  • A person representing that they hold any authority under the Privacy Act when they do not.
  • Making false representations to the Commissioner.
  • Failing to report a notifiable privacy breach to the Commissioner.

There are only two offences that relate to personal privacy:

  1. Where a person impersonates someone else (or falsely pretends to be acting under their authority) to access that individual’s personal information, or to have it used, altered or destroyed.
  2. Where anyone destroys personal information knowing that a request has been made for that information.

These offences carry a maximum fine of $10,000 on conviction.

Prosecutions are not an enforcement tool we use lightly. There are strict evidential and public interest considerations we must consider when deciding whether to prosecute, as well as several other factors. 

Read more detail about prosecution decisions in OPC’s Prosecution Policy (opens to PDF, 192KB).

Advise 

We work with parties to resolve disputes early, improve privacy practice and advocate for the right to privacy of information

Privacy issues and concerns come to our attention from a range of sources, including:

  • individual complaints and enquiries
  • agency enquiries and engagement
  • privacy breach notifications
  • media enquiries
  • referrals from other regulators both within New Zealand and internationally. 

We encourage agencies to use our website to read guidance and understand how to do privacy well. If they’re still unsure, or would like advice, they can email enquiries@privacy.org.nz.

People looking for general privacy advice should search our website or use Ask Us, our database of more than 600 privacy questions and answers. People can also contact us if they can’t find their answer.

People from our Office, including the Privacy Commissioner, also speak to businesses and organisations about privacy topics. If you’d like to request a speaker, please use our request form on our events page.

We proactively engage with agencies to provide advice where an issue has been raised. We seek to understand the issue and provide advice or guidance to help resolve issues or address any non-compliance.

We advocate for the protection of privacy rights through our media statements, research activities and submissions on matters of public importance such as draft legislation and government policy.

We undertake assurance reporting activities, where we ask agencies to report on their compliance with certain obligations. These activities help provide transparency about sectors’ activities and information sharing arrangements. For example, the Credit Reporting Privacy Code requires credit reporters to submit annual reports to provide assurance about their compliance with aspects of the Code.

Encourage compliance

We investigate matters affecting the privacy of individuals and make recommendations and public statements about best practice

OPC has two main regulatory tools that encourage compliance:

  1. Investigations of individual complaints.
  2. Public interest investigations (inquiries) and public statements. An investigation or inquiry can result in further compliance or regulatory action being taken by our Office.

When we look at issues raised with us, we consider the steps taken by an agency to comply with its privacy obligations, as well as the factors outlined on this page.

Investigations into individual complaints

The Privacy Act provides the Privacy Commissioner with the role of receiving, investigating, and conciliating complaints about privacy. An individual, or their authorised representative, can make a complaint to OPC if they believe their privacy has been breached.

We will attempt to resolve disputes early but if we can’t we’ll launch an investigation

The Privacy Act gives everyone in New Zealand the right to ask almost any business or organisation for the information they have about them. Small and large businesses, government departments, schools, sports clubs, charities, and community groups all need to comply with this right. Access to that information is our most common privacy complaint. During an investigation, the Commissioner has powers to require any person to provide any relevant information to OPC. The Commissioner also has powers to summons individuals and question them under oath.

Read more about how we settle complaints.

Public interest investigations

The Privacy Commissioner can undertake investigations into matters where the privacy of individuals is being, or may be, infringed (these are sometimes called inquiries). The Commissioner may initiate an investigation where:

  • there are systemic issues occurring within an agency or sector
  • there are general issues of non-compliance
  • the matter has failed to be resolved through other means
  • the matter has affected a large number or a vulnerable group of individuals, and/or
  • there are matters of public importance.

Read some examples of public inquiries we have completed.

These investigations may use the Commissioner’s powers to require information to be provided and to summons individuals and question them under oath.

The Commissioner can choose to initiate a public interest investigation following a complaint, enquiry, data breach notification or based on their own choice.

Many of these public interest investigations also result in the publication of a report or outcome statement, which is shared. These are designed to provide lessons for others across sectors and agencies, not just for the agency or agencies involved. Reports can also be sent to any relevant Ministers or the Prime Minister if the agency involved is a public one.

Public statements 

Section 206 provides discretion for the Commissioner to make disclosures where they consider that information should be disclosed to give effect to the Privacy Act. 
Read our media releases.

Making public statements can include press statements, blog posts, case studies and speeches.

To encourage compliance with the Privacy Act, the Commissioner may also choose to name an agency publicly. Naming will mainly happen when we become aware of non-compliance that is significant. Our naming policy lists the considerations we make before naming an agency.

If a statement would amount to an adverse comment about an agency or its practices, the Commissioner will consult with that agency prior to making any publication.

We are committed to acting fairly with any entity that may be the subject of our regulatory powers, including public statements. We are mindful of the reputational impacts that statements from our Office can have.

Educate 

We encourage compliance through advice, education and promoting good privacy practice

We provide agencies with guidance and tools to promote best practice and to identify and address privacy concerns as they arise. Our preferred approach is to facilitate voluntary compliance with the Privacy Act, and we provide a range of education tools and resources to encourage this.

OPC encourages agencies to seek out the tools and resources available on the OPC website to improve their understanding and compliance with the Privacy Act. 

OPC also supports agencies’ and individuals’ understanding of the Privacy Act through:

  • delivering education and outreach seminars
  • attending privacy conferences and events
  • conducting Commissioner visits throughout the country
  • developing free educational modules
  • the ongoing development of our AskUs knowledge base tool
  • writing timely and relevant blog posts and case notes
  • publishing guidance
  • engaging with media and social media
  • making written and oral submissions on important privacy issues.

Adverse comments 

Sometimes the Commissioner will want to publish, or speak publicly, about compliance actions that we have taken against a specific named agency. These statements are intended to help agencies learn from what others have done so that people’s privacy is better protected. 

Before we publish these, the agency named will have a chance to see what we’re planning to say about them. That’s because the Commissioner must not make any comment that is adverse to any person or agency unless that person has been given an opportunity to be heard. 

As well as being a statutory obligation, this is also a matter of natural justice and fairness.

This applies to:

  • Notification and results of an investigation.
  • Publishing general reports and case notes.
  • Reports to the Prime Minister.
  • Public statements about privacy issues.
  • Reports of a breach of duty or misconduct.

A comment made by OPC will not necessarily be ‘adverse’ just because it goes against the interests of an agency or rejects an allegation or legal argument they have put forward. 
