Information & Privacy

Data privacy and the law

Privacy Act 1993, s 2

All organisations, businesses and individuals, whether in the government or private sector, must follow the rules in the Privacy Act. This includes companies and organisations of all sizes, religious groups, schools and clubs. (In setting out the different privacy rules, the Act uses the word “agency” as a general term to refer to all bodies and individuals that have to follow those rules.)

What does the law say about privacy?

Under the Act, “personal” means that it is information about any individual person, not that it’s particularly private or sensitive. If you are going to be collecting personal information there are rules about when you can collect information, how and when that information can be used or given out and requirements about storing the information and keeping it secure.

The Privacy Act has 12 information privacy principles which set out how your agency should handle personal information.

The first four principles

Govern how you can collect personal information. This includes when you can collect it, where you can collect it from, and how you can collect it.

Principles five, six, and seven

Govern how you store personal information. Make sure it’s secure and you let individuals access and correct their personal information.

The rest of the principles

Govern how you use and disclose personal information. Make sure information is accurate, and you use and disclose it appropriately.

A full guide to the 12 Privacy Principles can be found here.

Storage and security of information

Privacy Act 1993, s 6, principle 5

If your organisation holds personal information about individuals, you must make sure that reasonable security safeguards are in place to protect the information against:

  • being lost
  • being accessed, used, changed or released without the organisation’s permission
  • being misused in any other way.

If your organisation needs to give the information to a contractor or someone else who provides a service to the organisation, the organisation must also make sure everything reasonable is done to prevent the information being used or disclosed without authorisation.

The steps that an organisation will need to take to keep information secure will usually depend on the type of information. For example, an organisation will usually need to protect its databases with anti-virus software, and protect its physical premises from burglary or theft by having a monitored alarm.

Useful Links and Resources