Q13: Will privacy rights/personal information be managed properly?
Decisions involving individuals will almost always involve dealing with personal information. The collection, storage, use and disclosure of that information are all relevant to the process that you use and the decision that you make.
Privacy was deliberately excluded from the Bill of Rights Act and New Zealand lacks a constitutional right to privacy, unlike other jurisdictions. However, you should still consider whether your decision will include personal, private or confidential information about individuals, whether it is necessary to disclose that information for the purpose of the decision you are making, and whether you can reduce the amount of personal information referred to in your decision. You should also consider whether your decision will involve personal information about other, identifiable, individuals.
The Privacy Act 1993 is the primary mechanism providing for the protection of the personal information of individuals (any information about an identifiable living person). It governs how agencies collect, store, use and disclose personal information. Section 6 of the Privacy Act sets out 12 “information privacy principles” for dealing with personal information. Those principles include:
- Personal information must be collected for a lawful purpose and that purpose must be connected with the function or activity of the agency;
- Personal information must only be collected by lawful methods, and not in a way that is unfairly intrusive;
- Personal information should be collected from the individual concerned, where possible;
- Personal information must be stored securely, and not for longer than is necessary;
- Individuals have a right of access to information held by an agency about them, and to request correction of any such information;
- An agency should check the accuracy of any information held before it is used;
- Personal information must not be disclosed except for a lawful reason, or with the permission of the individual concerned.
Individuals who think an agency has breached their privacy may make a complaint to the Privacy Commissioner. For more information on privacy obligations, see www.privacy.org.nz or speak to your in-house legal team or privacy officer. Annex 3 of this guidance contains more details about the Privacy Commissioner and the privacy-related role of the Human Rights Review Tribunal.
There is also a growing body of law enabling individuals to bring private law actions and seek damages for breach of privacy. Your in-house team or Crown Law can provide more details.