Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Privacy for agencies

Print | Email this page

Complying with the Privacy Act

A woman with long dark hair in a ponytail leans against a desk in a florist. There are flowers around her. She is on the phone and writing down notes. Agencies (businesses and organisations), that operate in New Zealand and collect personal information, need to follow the Privacy Act. This includes:

  • government departments and agencies
  • companies
  • Māori trusts and incorporations
  • small businesses and sole traders
  • social clubs
  • charities, societies, and community groups
  • other types of organisations. 

The Privacy Act has 13 privacy principles, which you can read about in our ‘Privacy Act 2020’ section. We also have case notes and other resources that show how the Privacy Act has been applied to real-life situations.

There are some exceptions

The IPPs do not generally apply to a person acting in their personal or domestic capacity (other than IPP 4(a) – lawful means of collection). The Privacy Act will generally only apply to them if they are acting in a way that would be considered “highly offensive to an ordinary reasonable” person.

The Privacy Act does not apply to:

  • courts and tribunals when they are doing their judicial tasks
  • news media when they are gathering and reporting news
  • Members of Parliament (MPs) when they’re acting in an official capacity.

The full list of exceptions is written out in section 8(b) of the Privacy Act.

What is covered by the Privacy Act?

Personal information, regardless of how it’s stored, is covered by the Privacy Act. Personal information is any information that tells someone something about a specific person. The information doesn’t need to name them; they can be identifiable in other ways, like through their home address. Examples of personal information include notes, emails, a watchlist of faces, whakapapa records, recordings, photos, or scans. 

Privacy rules for specific situations

Some industries and types of personal information have codes of practice that change how the Act applies to them. These are special regulations for specific agencies or types of activities. Our codes of practice are:

How other laws work with the Privacy Act

Other laws might specifically allow the use or disclosure of personal information, or might put limits on how personal information is used. 

If another law says something different to a privacy principle, that law can override the IPP (but the Privacy Act otherwise still applies).

For example, if another clause, section, or rule within a law (a statutory provision) clearly allows or requires you to disclose information, then you won't be breaching the Privacy Act regardless of what the Privacy Act’s disclosure of personal information principle (11) says.

All agencies need a privacy officer

The Privacy Act says that every New Zealand business or organisation needs a privacy officer. They don’t need to be a lawyer; they just need to be familiar with your privacy obligations and fulfil the role. They don’t need to be someone within your organisation – you can appoint someone else to act as your Privacy Officer, provided they are familiar with your business.

Back to top