Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Privacy Act 2020

Print | Email this page

Section 30 authorisations

A young woman with long dark hair holds a book to her chest. She is wearing a collared, short-sleeved shirt and blue jeans. She is standing in front of a bookshelf. Under section 30 of the Privacy Act 2020, an agency may apply to the Privacy Commissioner to authorise a one-off collection, use, retention, or disclosure of personal information in a way that would otherwise breach principle 2 or principles 9, 10, 11 or 12 of the Privacy Act 2020.

There are no current section 30 authorisations.

Guidance note to applicants seeking authorisation under section 30 of the Privacy Act 2020.

1.0 Introduction

1.1 Under section 30 of the Privacy Act 2020 (Act), an agency may apply to the Privacy Commissioner (Commissioner) for authorisation to do any of the following in the circumstances of a particular case:

  • collect personal information even if the collection of that information would otherwise be in breach of information privacy principle (IPP) 2
  • keep personal information even if the keeping of that information would otherwise be in breach of IPP 9
  • use personal information even if the use of that information would otherwise be in breach of IPP 10
  • disclose personal information even if the disclosure of that information would otherwise be in breach of IPP 11 or 12.

1.2 Before granting an authorisation under section 30, the Commissioner must be satisfied, in the special circumstances of the case, that there is a clear public interest or benefit to the individuals concerned that outweighs the possibility of interfering with individuals’ privacy.

1.3 If the individual concerned has objected to the application (partially or in full), the Commissioner may not grant an authorisation in respect of that personal information. The Commissioner may also impose conditions on any authorisation.

1.4 The Office of the Privacy Commissioner has prepared this guidance note to help potential applicants with the purpose and process of a section 30 application, including the sort of information that an applicant should supply to the Commissioner in support of an application.

2.0 Changes from the 1993 Act

2.1 Section 30 of the Act re-enacts section 54 of the Privacy Act 1993. However, section 30 is slightly different to the old section.

2.2 Section 30 now extends the power of the Commissioner to authorise the retention of personal information in breach of IPP 9. This power was previously not present in the old section 54.

2.3 Section 30 also sets out an express process for making an application for authorisation. An application must be made in the manner required by the Commissioner (which this document sets out at paragraph 5.0 below), and the Commissioner may redirect the applicant to take certain steps before proceeding with the application (such as giving public notice or giving notice to affected individuals). The Commissioner may, in considering whether to grant an authorisation, now also consider any objections to the application received from individuals concerned.

2.4 Finally, the Commissioner must now also maintain a list of current authorisations granted under section 30 on the Commissioner’s website.

3.0 Before making the application

3.1 An agency should first be aware that section 30 is primarily designed for ‘one-off’ situations. If the circumstances giving rise to an application are likely to arise frequently, or are a routine part of an agency’s activities, a section 30 authorisation is unlikely to be appropriate. The agency should instead consider using an exception to the information privacy principles (such as seeking the individual’s authorisation), relying on a new or existing approved information sharing agreement (see Part 7 of the Act), consider whether any statutory authorities apply, or request or amending a code of practice (see sections 32-38 of the Act). See for example, Schedules 3 (identity information) and 4 (law enforcement information) of the Act.

3.2 An agency should also consider whether relevant provisions in other Acts or in secondary legislation (such as regulations) may take precedence over the relevant privacy principle (see section 24 of the Act).

3.3 Once the agency has considered that a section 30 application is appropriate, it should consider contacting the Office of the Privacy Commissioner. It should also take sufficient steps to contact to the individuals concerned (if that is possible or practicable in the circumstances). If the Commissioner isn’t satisfied that the applicant has done this, the Commissioner may require the applicant to:

  • give public notice of the application in a manner specified by the Commissioner and/or
  • give sufficient opportunity to individuals concerned to object to the application.

In considering whether to grant an authorisation, the Commissioner must take into account any objections to the application from individuals concerned.

4.0 What an application must include

Which authorisation is the applicant seeking?

4.1 The applicant should first make clear whether an authorisation of personal information is sought for:

  • collection
  • use
  • retention
  • disclosure or
  • a combination of the above.

On which ground does the applicant seek the authorisation?

4.2 The applicant should also identify the purpose of the authorisation and whether it is seeking authorisation under section 30(6)(a) or (b).

  • If the application is made under section 30(6)(a), the applicant should explain what it believes the ‘public interest’ is in the collection, use, retention, or disclosure of the personal information.
  • If the application is made under section 30(6)(b), the applicant should explain what it believes is a ‘clear benefit to the individual concerned’.

4.3 The first ground stresses the public interest outweighing to a substantial degree any interference of the privacy of the individual. For example, would the authorisation of the personal information clearly promote public health and safety (more so than an individual’s privacy)?

4.4 The second emphasises a clear benefit to the individual concerned. For example, would the authorisation of the personal information enable an individual to receive financial compensation? For more details, please see the Office of the Privacy Commissioner’s blog post.

4.5 In either case, the ground of application must outweigh any interference with the privacy of the individual. The applicant’s views on why that public interest or personal benefit outweighs any interference with the privacy of the individual that could result from the collection, use, retention, or disclosure will assist the Commissioner in that decision. 

However, the Commissioner can still process the application even if no views are expressed as to the weight to be given.

What kind of personal information does the applicant require?

4.6 The applicant should particularise the personal information it needs to collect, use, retain or disclose. For instance, is health, financial or other sensitive information required? How many people does the authorisation cover? 

4.7 The sensitivity of the information required under the authorisation and its volume may be relevant to determine the strength of the public interest involved or benefit to
individuals, and the weight that should be given to individuals’ privacy.

Does the applicant have any supporting information that sets out the special circumstances of the case?

4.8 The applicant must also explain the ‘special circumstances’ of the case and why the other mechanisms, such as the IPPs, cannot be used. In other words, the applicant must be confident that the circumstances warrant the use of section 30. Section 30 requires the particular case to be ‘special’. An authorisation is not intended to cover an ordinary and routine collection, use, retention, or disclosure of information but rather one-off situations. Such routine matters are more appropriately dealt with under the privacy principles (for example, as being purpose related or with the individual’s authorisation), in a code of practice or approved information sharing agreement.

4.9 The applicant should provide sufficient supporting information (for example a privacy impact assessment) so that the Commissioner is satisfied, in the special circumstances of the case, that:

  • the public interest in granting the authorisation outweighs, to a substantial degree, the possibility of:
    • any loss, detriment, damage, or injury to the individuals concerned
    • any adverse effect on the rights, benefits, privileges, obligations, or interests of the individuals concerned or
    • any significant humiliation, significant loss of dignity, or significant injury to the feelings of the individuals concerned or
  • granting the authorisation would result in a clear benefit to the individuals concerned that outweighs the possibility of any of the matters listed in paragraph 4.9a above.

4.10 The Commissioner will consider those special circumstances on a case-by-case basis. If the applicant does not supply sufficient information, the Commissioner will request further details. If the applicant does not supply this information to the Commissioner, or if the Commissioner is not satisfied with the information, the Commissioner won’t grant the authorisation.

Should the Commissioner impose any conditions on the authorisation?

4.11 The Commissioner may impose conditions on an authorisation, so the applicant may also wish to explain what kind of conditions would be reasonable and acceptable in the circumstances. The applicant does not have to specify any conditions, but it will certainly assist the Commissioner.

4.12 Examples of the sort of conditions that may be considered by the Commissioner include:

  • limit on the duration of the authorisation;
  • notice to affected individuals (e.g. by letters or public notice);
  • a requirement to take steps to ensure that the special circumstances leading to the need for the authorisation are corrected and/or are avoided in the future
  • the adoption of arrangements which enhance privacy in a way that differs to that required by IPPs 2, or 9 to 12
  • where the authorisation will affect information relating to more than one person, a mechanism to enable individuals to ‘opt out’ of the collection, use, retention, or
    disclosure, and
  • a report to the Commissioner at some point concerning the exercise of the authorisation, in some cases including an audit of compliance with conditions.

Has the applicant contacted the individuals concerned?

4.13 The Commissioner is not permitted to grant an authorisation where the individual concerned has refused to authorise the collection, use, retention or disclosure. The
application should note whether any such indication has been given. Depending on the circumstances, it may also be appropriate for the applicant to indicate what steps have been taken to ascertain the views of the individual or individuals concerned if this is possible.

4.14 Where it is not possible to ascertain views in advance, an applicant should also indicate how any authorisation might apply to a person later objecting to the collection, use, retention or disclosure. (e.g. if such an individual can elect to have their information handled in a different way).

5.0 Manner required by the Privacy Commissioner for a section 30 authorisation

5.1 An applicant should set out the following information when making an application under section 30(1) of the Act. If your application contains the following information to our satisfaction, the application will be made in the manner required by the Commissioner for the purposes of section 30(2) of the Act.

Section 30 application requirements (section 30(2) of the Privacy Act 2020)

An application for a section 30 authorisation must:

  • Specify whether the authorisation is sought for the collection, use, retention, and/or disclosure of personal information;
  • State the purpose of the authorisation and whether authorisation is being sought under section 30(6)(a) (public interest) or (b) (clear benefit to the individual concerned) of the Act;
  • State what personal information the applicant requires
  • Outline any special circumstances of the case in support of sections 30(6)(a) or (b);
  • Explain why the applicant believes that either the public interest or the benefit to the individual concerned outweighs any resulting interference with the privacy of individuals;
  • Suggest any suitable conditions, if the applicant considers them to be appropriate; and
  • Explain whether:
    • any individual concerned has objected to the collection, use, retention, or disclosure; and\
    • (where it is possible or practicable to do so in the circumstances) the applicant has taken any steps to ascertain the views of any individuals who will be affected by the authorisation.

5.2 In considering a section 30 application, the Commissioner will consider the above information by factoring in the matters discussed in this document.

5.3 The application should be as precise as possible. If an applicant is having trouble framing its application, you can contact the Office of the Privacy Commissioner for assistance. You may also want to talk to your legal advisers about making an application.

6.0 Limits on scope of section 30 authorisations

Collection, use, retention and disclosure only

6.1 The Commissioner is only empowered to authorise an agency to collect, use, retain, or disclose personal information. The power does not, for instance, extend to the authorisation of the assignment of a unique identifier (IPP 13). See the unique identifier codes of practice to check if either is relevant.

IPPs 2, 9, 10, 11 and 12 only

6.2 The Commissioner may authorise an agency to collect, use, retain, or disclose personal information even though that collection, use, retention or disclosure would otherwise be in breach of IPPs 2, 9, 10, 11 or 12.

6.3 An authorisation granted under section 30 cannot authorise an agency to collect information which would otherwise be in breach of IPP 1, 3 or 4, or to use or disclose personal information in breach of IPP 5, 8 or 13. The authorisation process has no relevance to access or correction requests under IPPs 6 or 7, nor can an authorisation
validate actions which would be in breach of any other part of the Act.

Unavailable if individuals concerned have objected

6.4 The Commissioner may decide not to provide an authorisation under section 30 if he is not satisfied that the applicant has taken sufficient steps to give notice of the application to all individuals concerned, or if the applicant has given sufficient opportunity to individuals concerned to object to the application.

6.5 Section 30(7) also makes it quite clear that the Commissioner is not empowered to grant an authority where the individual concerned has refused to authorise the collection or, as the case requires, the use, retention, or disclosure of information for a particular purpose. 

7.0 Further information

7.1 The Commissioner is required to maintain a list of current authorisations granted under section 30 of the Act (at the top of this page).
7.2 An applicant may engage with the Commissioner’s office at any point in relation to a section 30 application. 

Appendix: Section 30

30. Commissioner may authorise collection, use, storage, or disclosure of personal information otherwise in breach of IPP2 or IPPs 9 to 12 

(1) An agency may apply to the Commissioner for authorisation to do any of the following in the circumstances of a particular case:

  • collect personal information even if the collection of that information would otherwise be in breach of IPP 2
  • keep personal information even if the keeping of that information would otherwise be in breach of IPP 9
  • use personal information even if the use of that information would otherwise be in breach of IPP 10
  • disclose personal information even if the disclosure of that information would otherwise be in breach of IPP 11 or 12.

(2) An application under subsection (1) must be made in the manner required by the Commissioner.
(3) If, on receiving an application, the Commissioner is not satisfied that the applicant has taken sufficient steps to give notice of the application to all individuals concerned, the Commissioner may require the applicant to give public notice of the application in a manner that the Commissioner specifies.
(4) If, on receiving an application, the Commissioner is not satisfied that the applicant has given sufficient opportunity to individuals concerned to object to the application, the Commissioner may require the applicant to give any further opportunity that the Commissioner specifies.
(5) In considering whether to grant an authorisation, the Commissioner must take into account any objections to the application received from individuals concerned.
(6) The Commissioner may grant an authorisation sought by an applicant only if the Commissioner is satisfied that, in the special circumstances of the case,—

(a) the public interest in granting the authorisation outweighs, to a substantial degree, the possibility of—
(i) any loss, detriment, damage, or injury to the individuals concerned; or
(ii) any adverse effect on the rights, benefits, privileges, obligations, or
interests of the individuals concerned; or
(iii) any significant humiliation, significant loss of dignity, or significant injury to the feelings of the individuals concerned; or

(b) granting the authorisation would result in a clear benefit to the individuals concerned that outweighs the possibility of—
(i) any loss, detriment, damage, or injury to the individuals concerned; or
(ii) any adverse effect on the rights, benefits, privileges, obligations, or interests of the individuals concerned; or
(iii) any significant humiliation, significant loss of dignity, or significant injury to the feelings of the individuals concerned.

(7) The Commissioner may not grant an authorisation under subsection (6) in respect of any specified personal information if the individual concerned objected.

(8) An authorisation granted under subsection (6) may be subject to any conditions that the Commissioner considers appropriate.

(9) The Commissioner must maintain on the Commissioner’s Internet site a list of current authorisations granted under this section.

Download a copy of this guidance (opens to PDF, 182KB).

Back to top