You need to understand data privacy if you are working with data about people. The Privacy Act 2020 provides rules that you must comply with when collecting and using the data.
When you are collecting data or information about people, they have legal rights that you must respect. This means that, among other things, when you are collecting and using people’s information you must ensure the following:
Personal information is “information about an identifiable individual”. It covers both information that is simply about a person (e.g. eye colour) and information that may also identify them (e.g. their name). The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address.
The Privacy Act 2020 provides the rules in New Zealand for protecting personal information and places responsibilities on agencies and organisations for how they must do that. For example, people have a right to know what information your agency holds about them and a right to ask you to correct it if they think it is wrong.
Note: Some people use the term “PII” (personally identifiable information), but that expression has no legal standing in New Zealand. Another expression you may see is “personal data”, which comes from the EU General Data Protection Regulation (GDPR). The GDPR does not apply inside New Zealand but may be of interest if you are sending personal information outside New Zealand or doing business with citizens of the EU.
EU General Data Protection Regulation
The Privacy Act 2020 has 13 Information Privacy Principles which you are expected to comply with. There are also rules about what you must do if someone asks what information you hold about them or asks you to correct it. The 2020 Act also requires agencies to report to the Privacy Commissioner if they have a “notifiable privacy breach”.
Information Privacy Principles
Requests for access to personal information
Correction of personal information
Notifiable privacy breaches and compliance notices
The following organisations provide resources for learning about privacy.
The Privacy Commissioner has the responsibility and authority to give you detailed guidance on the rules. They provide excellent online resources for even complete beginners in privacy.
Resources for agencies
Resources for individuals
Free online training courses
The Privacy Commissioner also has an online tool you can use to assess or report something you think might be a notifiable privacy breach.
Online tool for organisations to report privacy breaches
For New Zealand government agencies (national & local), the Government Chief Privacy Officer also provides support and help.
Privacy standards and guidance
The New Zealand Privacy Foundation is an independent advocate for privacy in New Zealand, publishing papers and expressing informed opinions on privacy and privacy law.
New Zealand Privacy Foundation
The International Association of Privacy Professionals has quite a bit of useful information on its website (N.B. it tends to be USA-oriented).
International Association of Privacy Professionals
If you need help, the first person to go to is your agency’s privacy officer.
If you’d like more information, have a question, or want to provide feedback, email datalead@stats.govt.nz.
Content last reviewed 13 April 2021.