(a) the information is collected for a lawful purpose connected with a function or activity of the agency; and
(b) the collection of the information is necessary for that purpose.
Agencies need to carefully consider the purpose for which they collect personal information. If an agency defines its purpose too narrowly, it may be unable to use information in the way that it wants to in the future. But, if its purposes are too broad, they risk becoming meaningless - the agency could be collecting information it has no real need for and people could be confused.
Having a clearly defined purpose will make it much easier for an agency to respond to its obligations under the other principles of the Act.
If you're collecting personal information, check these questions:
1) Do I have a lawful purpose for collecting this information?
2) Is that purpose connected with one of my agency's functions or activities?
3) Do I really need to collect this information to achieve that purpose?
Is there a 'lawful purpose' for collecting the information?
The first thing to figure out is what information is being collected. Then you can ask what the purpose is for collecting that information. Are there any laws that require the agency to collect the information? For example, tax law requires employers to collect certain information about their employees.
What would be an unlawful purpose?
Something that is prohibited by law, or that is outside an agency's legal power. For example, collecting information in order to carry out a criminal activity would clearly be an unlawful purpose. And collecting information in breach of another statute is also unlawful.
What purposes are connected with the agency's functions or activities?
The information must be relevant to and closely linked with the agency's activities or functions.
How do I decide if the information is 'necessary'?
An agency does not need to show that it absolutely must collect the information in order to achieve its purpose. But it does have to show that it is reasonably necessary to collect it. Collecting this particular information must support the agency's business, in a clearly defined way. The wider the information the agency collects, the more difficult it can be to show that the collection really is necessary.
What if someone gives me information that I haven't asked for?
Principles 1-4 only relate to information that an agency 'collects'. If someone gives the agency information that it hasn't asked for, the agency hasn't 'collected' it.
However, if it holds on to the information, the agency will be responsible for managing that information properly. So, for instance, it will need to keep the information secure, give the person concerned access to it and be careful about using and disclosing it.
See Case Note 18302  NZPrivCmr 8
Case Note 22856  NZPrivCmr 12
Case Note 24242  NZPriv Cmr 13
Case Note 71808  NZPrivCmr 14
See the Human Rights Review Tribunal case: Lehmann v Canwest Radioworks Ltd  NZHRRT 35 - when is collection reasonably necessary?
See also the Privacy Commissioner's investigation into insurers and health information.