DSAR Requirements Under the New Zealand Privacy Act 2020
New Zealand Privacy Act 2020 access request requirements: individual rights, 20 working day deadline, IPP 6, OPC enforcement, and penalties.
Last updated: 2026-04-12
Individual Rights That Trigger Access Requests
Under the New Zealand Privacy Act 2020, individuals can request:
- Access to their personal information held by any agency (Information Privacy Principle 6)
- Correction of personal information that is inaccurate, incomplete, misleading, or out of date (Information Privacy Principle 7)
- Confirmation of whether an agency holds personal information about them
- Information about the purposes for which their personal information is held and how it has been used
The Privacy Act 2020 does not grant standalone rights to deletion, portability, or opt-out of sale. However, agencies must not retain personal information for longer than necessary (IPP 9), and must only use or disclose information for the purpose it was collected (IPPs 10 and 11).
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Deadline
The response deadline is 20 working days from receipt of the request. This is one of the shorter response deadlines internationally. The agency must make a decision on the request and communicate it to the requester within this timeframe, even if the decision is a refusal.
There is no standard extension mechanism equivalent to those found under the GDPR or PIPEDA. If an agency cannot comply within 20 working days, it must still notify the requester of the reason for the delay and provide an estimated timeframe. However, the 20-working-day deadline remains the statutory obligation.
If a request is made to the wrong agency, that agency must transfer it to the correct agency promptly and notify the requester that the transfer has been made.
Identity Verification
Agencies may ask requesters to provide sufficient information to confirm their identity before releasing personal information. The Privacy Act does not prescribe a specific verification method, but the process must be reasonable and proportionate. Agencies should not require excessive documentation for straightforward requests, and should not use identity verification as a barrier to discourage access.
Where a request is made by an authorized representative (such as a parent on behalf of a child, or a legal representative), the agency may request evidence of authority.
Cost
Public-sector agencies cannot charge a fee for processing access requests.
Private-sector agencies may charge a reasonable fee for providing access to personal information. However, the fee must not be set at a level that would discourage individuals from exercising their access rights. The Privacy Commissioner has indicated that fees should reflect the actual cost of locating and retrieving the information, not a deterrent amount.
The 13 Information Privacy Principles
The Privacy Act 2020 is built on 13 Information Privacy Principles (IPPs) that govern the full lifecycle of personal information:
- IPP 1 — Purpose of collection: Personal information must only be collected for a lawful purpose connected with the agency's function, and the collection must be necessary for that purpose.
- IPP 2 — Source of personal information: Personal information must be collected directly from the individual concerned, unless an exception applies.
- IPP 3 — Collection of information from the individual: When collecting personal information directly, the agency must take reasonable steps to ensure the individual is aware of the fact of collection, the purpose, the intended recipients, the name of the collecting agency, the consequences of not providing the information, and the individual's rights of access and correction.
- IPP 4 — Manner of collection: Personal information must not be collected by unlawful means, or by means that are unfair or that unreasonably intrude upon the personal affairs of the individual.
- IPP 5 — Storage and security: Agencies must ensure that personal information is protected by reasonable security safeguards against loss, unauthorized access, use, modification, or disclosure.
- IPP 6 — Access to personal information: Individuals have the right to obtain confirmation of whether an agency holds personal information about them, and to have access to that information. This is the principle that underpins access requests.
- IPP 7 — Correction of personal information: Individuals can request correction of personal information held about them that is inaccurate, incomplete, misleading, or not up to date.
- IPP 8 — Accuracy of information to be checked before use or disclosure: Agencies must take reasonable steps to ensure personal information is accurate, up to date, complete, relevant, and not misleading before using or disclosing it.
- IPP 9 — Retention of personal information: Agencies must not keep personal information for longer than is necessary for the purposes for which it may lawfully be used.
- IPP 10 — Limits on use of personal information: Personal information obtained for one purpose must not be used for another purpose, unless an exception applies.
- IPP 11 — Limits on disclosure: Personal information must not be disclosed to another agency or person unless an exception applies (such as the individual's authorization, or where disclosure is necessary to prevent a serious threat to health or safety).
- IPP 12 — Disclosure of personal information outside New Zealand: Agencies must not disclose personal information to a foreign person or entity unless the recipient is subject to adequate privacy protections, or the individual authorizes the disclosure after being informed that protections may not be comparable.
- IPP 13 — Unique identifiers: Agencies must not assign unique identifiers to individuals unless it is necessary for the agency's functions. Agencies must not require individuals to provide a unique identifier assigned by another agency unless this is authorized by law.
Penalties
The Privacy Act 2020 uses a layered enforcement model:
Criminal offenses:
- NZD 10,000 per offense for obstructing, hindering, or deceiving the Privacy Commissioner, or for destroying documents that are the subject of an access request
- Failure to comply with a compliance notice issued by the Privacy Commissioner is also an offense
Human Rights Review Tribunal:
- Where the Privacy Commissioner finds an interference with privacy, the affected individual (or the Director of Human Rights Proceedings on their behalf) can bring proceedings before the Human Rights Review Tribunal
- The Tribunal can award damages up to NZD 350,000, including for humiliation, loss of dignity, and injury to feelings
- The Tribunal can also issue declarations, restraining orders, and orders requiring specific actions
Compliance notices:
- The Privacy Commissioner can issue compliance notices directing an agency to take specific actions to comply with the Act
- This was a new enforcement power introduced by the 2020 Act that did not exist under the 1993 law
No administrative fines:
- Unlike the GDPR, the Privacy Act does not provide for large-scale administrative monetary penalties. Enforcement operates through the complaint and investigation process, with escalation to the Tribunal for serious matters.
The Act is enforced by the Office of the Privacy Commissioner (OPC).
When You Can Refuse Access
The Privacy Act provides specific grounds on which an agency may refuse an access request. These include:
- Disclosure would endanger the safety of any individual
- Disclosure would prejudice the maintenance of the law, including the prevention, investigation, and detection of offenses
- The information is subject to legal professional privilege
- Disclosure would reveal a trade secret
- The information does not exist or cannot be found
- Disclosure would involve the unwarranted disclosure of the affairs of another individual
- The request is frivolous or vexatious, or the information requested is trivial
- The information is held by the Department of Corrections and disclosure would be likely to prejudice the safe custody or rehabilitation of an individual
- The information is evaluative material and disclosure would breach a promise of confidentiality made to the person who supplied the information
When refusing access, the agency must:
- Notify the requester of the refusal within 20 working days
- State the specific reason and the provision of the Act relied upon
- Inform the requester of their right to complain to the Office of the Privacy Commissioner
The Privacy Commissioner will investigate complaints about refusals and can issue access directions where the refusal is not justified. If the matter remains unresolved, it may be referred to the Human Rights Review Tribunal for a binding determination.
Mandatory Breach Notification
The Privacy Act 2020 introduced mandatory breach notification for the first time in New Zealand. Agencies must notify the Office of the Privacy Commissioner and affected individuals when a privacy breach has caused, or is likely to cause, serious harm to an affected individual.
Notification must be made as soon as practicable after the agency becomes aware of the breach. The notification must include:
- A description of the breach
- The personal information involved
- What the agency is doing in response
- Steps affected individuals can take to protect themselves
Failure to notify a notifiable breach is an interference with privacy and can result in enforcement action.
Who This Applies To
The Privacy Act 2020 applies to all agencies in New Zealand, including:
- Private-sector organizations of any size
- Government departments and public bodies
- Non-profit organizations
- Individuals acting in a professional or business capacity
There is no revenue threshold, no employee count minimum, and no small business exemption. If an organization handles personal information of individuals in New Zealand, the Privacy Act applies.
The Act also has cross-border reach. An overseas agency that carries on business in New Zealand or collects personal information from individuals in New Zealand may be subject to the Act. IPP 12 imposes additional obligations when personal information is disclosed to recipients outside New Zealand.