Privacy for agencies

Once you’ve collected people’s personal information you need to keep it safe. You also need to be able to give people access to their own information when they ask for it.

Store personal information securely  

Securely storing the information you’ve collected is important. That means using password-protected files and devices, or locked cabinets. It also means looking after information when it’s in transit – whether that’s staff accessing files out of the office, information being sent across payment channels online, or information provided to third-party service providers like your payroll platform or cloud storage provider.

Māori Data Sovereignty has a preference for agencies to store data locally rather than overseas. Read more about sharing and storing Māori data.

Make sure your staff understand information security

You need to make sure that only the right people have access to the personal information your agency holds. Clear policies and guidelines, and communicating those, will help staff understand what’s acceptable.

Depending on the sensitivity of the information, it may be necessary to set up systems that limit or keep track of who accesses it.

Read more about how agencies should store and secure information in principle five.

Read more about Security and Internal Access Controls, which is part of Poupou Matatapu.

Give people access to their personal information

The Privacy Act gives everyone in New Zealand the right to ask almost any business or organisation for the information they have about them. As an agency, you need to be able to handle those requests, and the requests a person may make to correct that information. 
  
Your agency should store personal information in a way that’s also easily retrievable. Your agency needs to be able to:

  • confirm that you hold a person’s information if they ask for access.
  • give them access to it, or explain why you might be withholding any information. 

Timeframes for giving access to information

If someone asks for access to their personal information, your agency must respond as soon as you reasonably can within 20 working days of receiving the request. Your agency’s response should include a decision about whether you will be providing the requested information. It doesn’t necessarily have to include the information, but you should provide it as soon as possible afterwards.

Be prompt

It’s best to provide the information promptly unless there’s a reason you can withhold it under the Privacy Act. Part 4 of the Privacy Act has a full list of the reasons for refusing access to personal information. If you can’t release all the information someone is asking for, you may be able to release a summary or an extract, so provide what you can.

Read more information about access to personal information, including reasons an agency might refuse access, in principle six.

Charging for access to personal information

Charges should be the exception, not the rule. In most circumstances, an agency shouldn’t be charging a fee to people for accessing or correcting their personal information. The spirit of the Privacy Act is to allow people to access and correct their own information. This means ensuring as few barriers as possible – including cost.

However, there are some circumstances where it may be okay for an agency to charge people to access or correct their information, and there are special rules that apply to health or credit agencies.

Read details about who can and can’t charge, and how much.

Let people correct their personal information

People can ask agencies to correct their personal information if they think it’s wrong.

If an agency doesn’t think they need to correct the information, they must still record that the person asked for the information to be corrected. A note should be made of exactly what the person thought was wrong. Agencies need to attach that record to the person’s file in a way that keeps everything together, regardless of whether it’s a paper or digital file. Knowing what the person thinks is wrong will help anyone else who looks at the record to make good decisions.

Read more about the rules that govern correcting personal information in principle seven.