How specific does my purpose for collecting and using information need to be?
Under the Privacy Act, when collecting personal information, you should only collect the personal information which you need in order to carry out lawful functions connected with your organisation. This is principle one of the Privacy Act. It can sometimes be difficult to know exactly how precise you need to be when deciding what your purposes for collecting the personal information are. You don’t want to make your purpose so narrow that it means you can’t use the personal information you’ve obtained, but, at the same time, you don’t want to make your purpose so broad as to be meaningless. For example, saying you’re going to collect information for ‘business purposes’ doesn’t really explain how you intend to use it at all.
When working out what your purpose for using personal information is, it's important to remember:
- When you collect personal information, you should only collect the information which you need in order to carry out lawful functions connected with your organisation.
- Make sure you only collect the information you need, as opposed to gathering a large amount of personal information on the off-chance you might need it.
- It’s important to know what your purposes for collection are because this is something you will need to tell people about when you collect information from them.
When using information there is a general obligation not to use or disclose personal information, unless an exception applies.
One of the main exceptions which allows you to use or disclose personal information is where that use or disclosure was the purpose for which you obtained the personal information (or was directly connected to one of your purposes for obtaining the personal information).
In other words, if, when you collected the personal information, you told the individual concerned that you would be using or disclosing their personal information in a certain way, you are entitled to go ahead and do so.
However, you will need to keep in mind how specific you were about what your purpose or purposes were when you collected the information.
A good test to keep in mind is the ‘no surprises’ test. In other words, would the way in which you’re planning to use or disclose personal information come as a surprise to the person you collected it from? If the answer is yes, that might be a sign that your intended use or disclosure is for a new purpose, in which case you’ll need to find another exception you can rely on to use or disclose the information.
It may also be a good sign that it’s time for you to review what you tell individuals when you collect their information. If you are considering introducing a new policy in terms of the information you’re collecting, or changing the personal information you currently collect, you may want to consider doing a privacy impact assessment to help you identify what your purposes are for collecting personal information, and exactly what information you need to fulfil these purposes.
You might also want to try our Priv-o-matic privacy statement generator. It is designed to help you generate a ‘principle 3’ statement. These are minimal compliance statements that you need to show people when you collect their personal information. We also have wider guidance for organisations on how to manage and assess your use of personal information in the Know Your Personal Information pou of Poupou Matatapu.
Updated October 2025