New Zealand is committed to protecting the privacy of individuals. It recognises both the “Universal Declaration of Human Rights” and “International Covenant on Civil and Political Rights” that each contain protection of a person’s right to privacy.

Since 1993 we have had a law that upholds these rights in the form of the Privacy Act, which focus specifically on information privacy.

At the heart of the Act are twelve privacy principles that outline how we can expect our private information to be handled by anyone who collects it. The principles state that anyone who collects private information about you should;

  1. Only collect personal information they really need
  2. Get it directly from the person where possible
  3. Be open with people about what’s going to be done with it
  4. Be fair about how you get it
  5. Keep it secure
  6. Let a person see it if they want to
  7. Fix it if the person thinks it’s wrong
  8. Take care that it’s accurate before using it.
  9. Dispose of it when it’s no longer needed.
  10. Use it only for the purpose for which you got it.
  11. Only disclose it if you have good reason to do so.
  12. Only use ‘unique identifiers’ where this is clearly allowed.

Source: Office of the Privacy Commissioner

The Act often talks about an “agency” that collects information. While this can sound like a term that applies to companies or government department, an agency is infact anyone.

“agency means any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector”

If you think that an agency isn’t playing fair with your information, you can ask the Privacy Commissioner to decide whether that agency has carried out “interference with privacy”.

Even though the Privacy Act is part of New Zealand law, it isn’t enforceable in a court, and the Privacy Commissioner cannot prosecute or fine an agency directly for not sticking to the privacy principles. There is a specific exception to this in cases where a public sector agency (for example a Minister, a Government department or a local authority) refuses to give someone access to information stored about them.

However, if you make a complaint to the Privacy Commissioner and they decide that someone is interfering with your privacy they may take action on your behalf through the Human Rights Commision which has a number of options open to it in terms of settlement, including the award of damages of up to $200,000.

The Act originally specifically excluded information that was collected, stored or used entirely in relation to “domestic affairs”. This meant that the privacy principles didn’t apply to people who were in a relationship, were members of the same family or shared a house.

However, changes to the Act that came about as part of the Harmful Digital Communications Act, now mean that this exclusion no longer applies, if the way that the information is collected, stored or used is likely to be “highly offensive to an ordinary reasonable person”


  • Am I an”agency”?
    Any individual, company or department can be an agency
  • What are the Privacy Principles?
    The Privacy Act list 12 privacy principles which outline the way in which an agency should handle anyone’s private information
  • Who will investigate if someone breaches my privacy?
    The Office of the Privacy Commisioner can carry out investigations to see whether an agency has “interfered with privacy” for any individual
  • Is posting a picture of me a breach of my privacy?
    The quick answer is “perhaps but not necessarily.” If a picture is taken in a setting where someone could reasonably expect privacy then publishing it could be a breach of your privacy if they have not sought your permission to do so. However, if your picture is taken in a public place, like a park or on the street, then it is not likely to be seen as a breach of your privacy.

How to respond

  • If you think an agency has breached your privacy contact them to discuss this. If that agency is a company or a government department, try contacting their Privacy Officer first.  Be prepared to discuss which of the Privacy Principles you think has been breached, how you are aware of the breach, and what harm you have suffered as a result.If the agency is an individual you can try approaching them directly and ask them if they are prepared to do something to remedy the situation. Don’t threaten or abuse them.
  • Collect evidence of where you think your privacy has been breached, including screenshot and full URL and the dates when they were captured.
  • If the direct approach doesn’t work, you can make a complaint to the Office of the Privacy Commissioner (OPC).
  • If the OPC does not think that your case warrants action, you can take a case to the Human Rights Review Tribunal yourself. However you can only do this after the OPC investigates your complaint. Be sure to get a “Certificate of Investigation” from the Privacy Commissioner before contacting the Human Rights Review Tribunal.

More advice and information