Privacy Act 2020 for sharing information

The Privacy Act is the main legislation governing the sharing of personal information in New Zealand.

Information Privacy Principles 2 and 11

Disclosures and collections

Sharing personal information with another agency is a ‘disclosure’ under the Privacy Act. An agency can only disclose personal information if the proposed disclosure satisfies one of the exceptions listed in Information Privacy Principle (IPP) 11.

Receiving personal information that another agency shares is a ‘collection’ under the Privacy Act. An agency should generally collect personal information from the person concerned — but there are exceptions in IPP 2 that allow agencies to collect personal information indirectly.

It does not matter how that information is shared. Information may be physically sent or transmitted digitally, or your agency may allow another agency to extract information from your systems or to view and use information within your systems. All of these are disclosures and collections.

Principle 11 - Disclosure of personal information — Office of the Privacy Commissioner

IPP 11 exceptions

Commonly used exceptions include where the:

  • individual gives authorisation
  • disclosure is one of the purposes for which the information was collected
  • disclosure is for one of the purposes, or a directly related purpose, for which the information was initially collected
  • information is used in a form that does not identify the individual
  • information is used for research and statistical purposes and will not be published in a form that could reasonably be expected to identify an individual
  • disclosure is necessary to prevent or lessen a serious threat to health and safety, or to avoid prejudice to the maintenance of the law.

You will need to assess the circumstances of your sharing activity to determine whether an exception applies.

The collecting agency has to ensure that it genuinely needs the information and that it’s allowed to collect it. However, there is a higher risk associated with disclosing information, as it is important to make sure people’s information is not improperly exposed. The agency disclosing the information should therefore check carefully that one of the exceptions is satisfied before sharing any personal information either in response to a request or proactively.

Example 1 — Threat of harm

You’re a case manager for a government agency. You’re working with an individual who has recently been made redundant to identify appropriate government agency services that may be able to support the individual and their family through this rough time. In a meeting with the family, an adult family member makes a comment about his anger at the individual’s employer and that he intends to make them pay for the harm they have caused the family. You’re concerned that the family member will carry out his threats.

Can you share your concerns with anyone?

You should always inform and talk to your manager in the first instance. The IPP 11(1)(f) ‘serious threat’ exception permits you to share information to lessen or prevent a serious threat to the life or health of another person, or to public health and safety. When using this exception, you should believe on reasonable grounds that the sharing is necessary to lessen or prevent the threat, and only share relevant information with a person or agency that is able to do something to lessen the threat.

In this case, you could share information with Police about the family member who made the threatening comments, the threat that was made, and about whom the threat was made.

Example 2 — Police investigation into criminal offending

Police have approached your agency seeking information about a 30-year-old individual. Police have advised that they are undertaking an investigation into allegations of criminal offending. They have requested contact information your agency holds in relation to the named individual.

Can you share the individual’s contact information with the Police?

The IPP 11(1)(e) ‘maintenance of the law’ exception permits you to share personal information if you believe on reasonable grounds that the disclosure of the personal information is necessary to avoid prejudice to the maintenance of the law.

Before you can disclose personal information, you must be satisfied that Police are investigating a potential breach of the law, and that the disclosure of the personal information is necessary for the purpose of maintaining that particular law. For example, if the contact details you hold about the individual are several years old and potentially out of date, it may be harder to say it’s necessary in the circumstances to disclose that information.

Example 3 — Student conducting research for their thesis

A university PhD student has approached your agency requesting a data set containing personal information to enable the student to undertake data analysis to support their thesis.

Can you share the data set containing personal information with the student?

The IPP 11(2)(g) ‘research and statistics’ exception permits the sharing of personal information where you believe on reasonable grounds that the information will not be used in a form in which individuals could be identified or will be used for research and statistical purposes and will not be published in a form that could reasonably be expected to identify the individuals.

You should satisfy yourself that the conditions of IPP 11(2)(g) will be met by the student before you disclose the personal information. You should also determine whether the needs of the student can be met by providing non-identifying information. You should consider documenting the sharing in an information sharing agreement and include controls such as rules about storage or retention of the information. Depending on the type of research being undertaken, you may also want to confirm whether the student has obtained ethics approval to complete the research.

Approved information sharing agreements

The Privacy Act enables the development of approved information sharing agreements (AISAs). AISAs are a legal instrument, as they are approved by an Order in Council. AISAs provide the legal authority for the sharing of specified information between specified agencies for specified purposes.

AISAs are used when a modification to the IPPs is required to enable the information sharing activity. Schedule 2 of the Privacy Act 2020 lists:

  • all AISAs
  • the agencies that are party to the AISAs
  • the information that can be shared
  • the purpose for sharing under the AISA.

Schedule 2 Privacy Act 2020 — New Zealand Legislation

Privacy Act codes of practice

The Privacy Commissioner has the power to issue codes of practice. These codes modify the operation of the Privacy Act and set rules for specific industries, organisations, or types of personal information.

Health Information Privacy Code

If you are wanting to share health information about an individual, you will need to consider whether the Health Information Privacy Code (HIPC) 2020 applies. The HIPC sets specific rules for agencies in the health sector, including rules for sharing health information.

Health Information Privacy Code 2020 — Office of the Privacy Commissioner

The HIPC applies to:

  • agencies providing personal or public health or disability services such as primary health organisations, rest homes, supported accommodation, doctors, nurses, dentists, pharmacists, and optometrists
  • listed agencies that do not provide health services to individuals, but which are part of the health sector, such as ACC, Ministry of Health, Te Whatu Ora, Health Research Council, health insurers and professional disciplinary bodies.

The HIPC rules align closely with the Information Privacy Principles. So, for example, a health agency can only disclose health information if the proposed disclosure satisfies one of the exceptions listed in Rule 11. While it’s not always required, authorisation plays a stronger role in the health sector than it does in non-health contexts.

Example 4 — Researcher seeking health information

A researcher has approached your agency seeking health and wellbeing information about a cohort of individuals to enable research into the impacts of physical activity on the health and wellbeing of children at school. The research project has ethics approval as information will also be collected directly from the children and their parents.

Can you share this information with the researcher?

Rule 11(2)(c)(iii) permits a Health Agency to disclose health information if it believes on reasonable grounds that the information will be used for research purposes (for which ethics approval has been provided if required) and will not be published in a form that could reasonably be expected to identify individuals. If you’re not a health agency but hold health information in relation to the cohort of individuals, you cannot use the HIPC exceptions. You’ll need to consider the IPP 11 research exception. You may also want to consider documenting the sharing of the information in an information sharing agreement.

Example 5 — Doctors sharing with other health providers

An individual has suffered an injury to their ankle. They have an appointment with their GP (doctor) where the GP collects information about the injury.

Can the GP pass this information on to an orthopaedic specialist?

Section 22F of the Health Act 1956, supported by rule 11(1)(c) of the HIPC, permits the disclosure unless the GP considers that the patient would not want that information to be disclosed. The GP will not generally need to seek the permission of the patient to disclose the information to the specialist as the referral was one of the purposes for which the information was collected and the specialist is providing health services to the patient. However, at the time of the consultation, the GP should advise the patient what information will be provided to the specialist for the purposes of supporting the referral (Rule 3).

Agencies not covered by the HIPC rules

Many agencies hold health information but are not ‘health agencies’ as defined by the HIPC. If you’re not a health agency, then the HIPC rules are not relevant to you.

Instead, you’ll need to consider the exceptions in IPP 11 or other legal authorities such as the Oranga Tamariki Act or Family Violence Act before you share health information.

Note: You should seek advice from your privacy, information sharing or legal teams if you think your information sharing activity could be authorised by the HIPC, so that you can be aware of any special obligations that may apply.

Other codes of practice

There are 5 other codes of practice:

Codes of practice — Office of the Privacy Commissioner

Civil Defence National Emergencies (Information Sharing) Code 2020

This code provides agencies with a broader discretion to collect, use and disclose information provided that a state of national emergency is in place (and for 20 working days after the state of national emergency is lifted). It facilitates the sharing of information to assist in the response to the national emergency.

For example, it permits sharing information to help:

  • identify individuals who are caught in the emergency
  • identify people that may need specialist assistance
  • coordinate the management of the emergency.

Telecommunications Information Privacy Code 2020

This code applies specific rules to telecommunications agencies to better ensure the protection of individual privacy. The code applies to telecommunications information collected, used, and disclosed by telecommunications agencies.

Most of the code is not relevant to public sector agencies, except for the purposes of general knowledge. However, relevant agencies should be aware of the provision that allows sharing of emergency location information to facilitate a response to an emergency call or to prevent or lessen a serious threat to an individual’s life or health.

Credit Reporting Privacy Code 2020

This code applies to credit reporting companies to ensure the protection of individual privacy. Credit reporting companies must display a summary of the rights under this code on their websites and when responding to a person’s request for a copy of their credit report.

While the code does not apply to government agencies, finance and advisers in human resources (HR) may need to be aware of some of the rules so they are clear about what credit reporting companies can and cannot do.

Justice Sector Unique Identifier Code 2020

This code provides a partial exemption from IPP 13 for specific agencies within the justice sector when those agencies reassign a unique identifier to people proceeding through the justice system. It does not affect the operation of the other information privacy principles.

Agencies subject to the code include Police, Department of Corrections, New Zealand Transport Agency, Ministry of Social Development, Ministry of Justice, the Registrar of Motor Vehicles, and Road User Charges Collectors.

Superannuation Schemes Unique Identifier Code 2020

This code provides a partial exemption from IPP 13 for agencies with certain superannuation schemes. It does not affect the operation of the other information privacy principles.

Those who need to provide advice in this specialist area may need to consult the code.

Note: Seek advice from your privacy, information sharing or legal teams if you think your information sharing activity could be affected by a code of practice.

Law enforcement information

There are general exceptions in some of the information privacy principles (including IPP 11) that permit information sharing if the agency reasonably believes this is necessary for the maintenance of the law.

However, schedule 4 of the Privacy Act 2020 also authorises specified public agencies to have access to listed types of law enforcement information that is held by other specified agencies. This schedule covers some of the most common sharing needs, to make it easier to determine if the sharing is allowed.

Schedule 4 Privacy Act 2020 — New Zealand Legislation

Specified agencies include:

  • Police
  • Serious Fraud Office
  • Department of Corrections
  • Ministry of Justice
  • Ministry of Business, Innovation and Employment
  • NZ Transport Agency
  • Ministry for Primary Industries
  • NZ Customs Service
  • WorkSafe NZ

Each specified agency will have its own internal policy and procedures for accessing and sharing law enforcement information under the Privacy Act.

Guidance on health and safety and Maintenance of the law exceptions — Office of the Privacy Commissioner

Note: Seek advice from your privacy, information sharing or legal teams if you think your information sharing activity involves law enforcement information under section 172 and schedule 4 of the Privacy Act.

Identity information

The Privacy Act authorises specified public agencies to have access to identity information about individuals held by other agencies (holding agencies). Schedule 3 of the Privacy Act sets out which agencies can access specified types of identity information held by listed agencies for specific purposes. In most cases, the purposes for accessing identity information relate to verifying the identity of a person.

Schedule 3 Privacy Act 2020 — New Zealand Legislation

Each agency authorised to access identity information held by another agency will have its own internal policy and procedures for accessing that information.

Note: You should seek advice from your privacy, information sharing or legal teams if you think your information sharing activity involves accessing identity information under section 165 and schedule 3 of the Privacy Act.

Section 30: Privacy Commissioner authorisation to share

The Privacy Act provides the Privacy Commissioner with the power to authorise a one-off disclosure of personal information that would otherwise breach IPP 11, provided that either:

  • the public interest in the disclosure outweighs the privacy interests of the individual, or
  • the benefit of the disclosure to the individual outweighs the privacy interests of the individual — for example, where there’s a direct financial benefit associated with the disclosure to the individual.

Note: Seek advice from your privacy, information sharing or legal teams if you think your information sharing activity could be authorised by section 30.

Further information about how to make applications, and what information to include, is available on the Privacy Commissioner’s website — Section 30 authorisations.

Information matching programmes

All information matching programmes set out in schedule 5 of the Privacy Act 2020 are authorised under specific statutory provisions.

Schedule 5 Privacy Act 2020 — New Zealand Legislation

Since the new Privacy Act came into force in 2020, no new information matching programmes can be established. Other forms of information sharing, including AISAs, need to be considered instead.

However, there are still some programmes in operation. Those programmes are governed by the rules set out in the Privacy Act. Relevant staff in agencies (for example, staff who compile data to report to the Privacy Commissioner) need to be aware of those rules.

List of provisions and authorised information matching programmes: Information matching provisions — Office of the Privacy Commissioner.
