Organisations sometimes get it wrong when they respond to a person’s request for their personal information. Information is sometimes lost, displaced or accidentally deleted. A recent privacy case dealt with by the Human Rights Review Tribunal considers when an organisation can call it quits when it comes to searching for personal information in responding to an access request.

We live in an age where agencies collect and hold a lot of information about us. When we then request access to that information, this places demands on the time and resources of agencies to meet their obligations under the Privacy Act. Agencies sometimes feel a bit overwhelmed when responding to requests for personal information -  especially where a high volume of information is held.

There has been a significant amount of media coverage about our investigation into Westpac bank disclosing journalist Nicky Hager’s bank account information to Police in 2014. In the course of that reporting, some misconceptions have emerged. Because of the interest in the case, and the potential implications for future practice, we have noted some points of clarification and context below.

A recent data breach involved a deliberate email phishing attack on an organisation. The email looked like it came from the chief executive and requested a copy of the membership list (names and email addresses).

Sir Bruce Houlton Slane KNZM, CBE, LLB practiced law in New Zealand for almost 50 years, including 11 years as the country’s first Privacy Commissioner.

This blog post was reviewed and some links updated in May 2025

Applying for a job can be a nerve-wracking ordeal and, more likely than not, it ends in disappointment. It can be devastating to miss out on that dream job and not knowing why you missed out can be incredibly frustrating.

Callers to our Enquiries service often start with “I need some legal advice”. If the caller means guidance on his or her Privacy Act rights or the obligations of an agency, then we can help. But if by “legal advice” he or she means a legal “opinion” about how the Privacy Act might apply, then this is something our Enquiries service can’t do.