Privacy Act & codes
Personal information held by agencies
The Privacy Act controls how 'agencies' collect, use, disclose, store and give access to 'personal information'.
The privacy Codes of Practice do the same, but they apply to specific areas - particularly health, telecommunications and credit reporting.
Personal information is information about identifiable, living people.
Almost every person or organisation that holds personal information is an 'agency'. So, for example, the Privacy Act covers government departments, companies of all sizes, religious groups, schools and clubs.
Exemptions from the Act
Only a few organisations and people are not 'agencies'. Other rules exist to govern how they manage personal information, so the Privacy Act does not cover what they do. Organisations that aren't covered by the Privacy Act include:
- Members of Parliament, when they are acting as MPs. It's up to Parliament or political parties to discipline MPs for breaches of privacy
- courts and tribunals, in relation to their judicial functions. You have to challenge judicial decisions through the normal processes, such as an appeal
- The news media when they are conducting their news activities. The Press Council, the Broadcasting Standards Authority and the courts govern the news media.
- if another law is inconsistent with the Privacy Act, that other law will 'trump' the Privacy Act
- individuals who collect or hold personal information for their own personal, family or household affairs are exempt -- although this ceases to apply once the personal information concerned is collected, disclosed, or used, if that collection, disclosure, or use would be highly offensive to an ordinary reasonable person.
- in special circumstances, the Commissioner can authorise agencies to collect, use or disclose information even when that would usually breach principles 2, 10 or 11.
The privacy principles
At the heart of the Privacy Act are twelve privacy principles. The privacy principles cover:
There are also four principles covering public registers.
These principles reflect internationally accepted standards for good personal information handling.
The Privacy Commissioner
The current Privacy Commissioner is John Edwards.
The Office of the Privacy Commissioner is an Independent Crown Entity. It is funded by the State, but is independent of government or Ministerial control.
What the Privacy Commissioner does
The Privacy Commissioner has many responsibilities. These include:
- monitoring proposed legislation to see if it affects the privacy of individuals, and commenting on any privacy problems
- being consulted on policy developments that have an impact on privacy
- providing education about privacy
- overseeing information matching programmes
- being aware of technological developments that can affect privacy
- issuing codes of practice, which modify the privacy principles and which apply to a particular industry or topic
- investigating complaints about interferences with privacy. An interference with privacy can occur when:
(a) an agency wrongfully refuses to give an individual access to information about them, or wrongfully refuses to correct information about them, or
(b) an individual suffers some form of harm as a result of a breach of a privacy principle, rule, or a code of practice or information matching provision.
Contact usor if you have a complaint about privacy that you have not managed to resolve with the agency, you can make a formal complaint to us.
The Access to Information and Protection of Privacy Office, within the Department of Justice and Public Safety, oversees the implementation and coordination of the Access to Information and Protection of Privacy Act. This legislation is designed to create a culture of openness and accountability in the public sector while protecting the personal information of citizens and commercially sensitive information of businesses.
It applies to all public bodies (defined in the ATIPP Act), including government departments, agencies, health boards, school boards and municipalities. The ATIPP Act does not apply to the private sector.
The purpose of the ATIPP Act is
- to provide the public with the right of access to records; and
- to protect the privacy of individuals whose personal information is collected, used and disclosed by public bodies.
The ATIPP Act came into force on January 17, 2005 with the exception of Part IV (protection of privacy provisions) of the Act. The protection of privacy provisions came into force on January 16, 2008. As required by the legislation, the ATIPP Act was reviewed in 2010. The Act was subsequently amended in 2012 and the new provisions came into force on June 27, 2012.
The ATIPP Act is required to be reviewed every five years. On March 18, 2014, a three-person independent review committee was appointed to undertake the statutory review, including the June 2012 amendments. The ATIPP Act, 2015 came into force on June 1, 2015 replacing the previous Act.
FeaturesCompleted Access to Information Requests
Searchable completed access to information requests as of Jan 1, 2013. ATIPPA Review Committee
The final report of the ATIPPA Review Committee ATIPPA Implementation Team
The Terms of Reference for the team implementing the ATIPPA recommendations Data Privacy Day 2016
Privacy tips to help keep your info safe