Global Data and Cyber Handbook

New Zealand

Select a Topic
Start Comparison
Legal Bases for Processing of Personal Data
Jump to
Legal Bases for Processing of Personal Data Start Comparison
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 20 December 2024

Yes.

The following are potential legal bases for processing personal data:

☒  appropriate notice has been provided to or made available to the data subject

☒  the data subject has provided consent to the processing for the identified purposes

☒  the personal data is necessary to perform a contract with the data subject

☒  the personal data is necessary to comply with a legal obligation

☒  the personal data is necessary to protect the vital interests of a natural person

☒  the personal data is necessary for a public interest

☒  the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)

☒  other

IPP 10 and IPP 11 provide other exemptions that an agency can rely upon to use or disclose personal information. These exemptions include (amongst others) where the agency believes that the:

  • Source of the information is a publicly available publication and that, in the circumstances of the case, it would not be unfair or unreasonable to use/disclose the information
  • Use/disclosure of information is necessary to prevent or lessen a serious threat to public health, public safety or the life or health of the individual concerned or another individual, or
  • Information will be used in a form that does not identify the individual concerned or for statistical research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned
Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 20 December 2024

No

The Privacy Act does not make specific reference to "sensitive personal data." The same matters that apply to "non-sensitive data" will apply.

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 20 December 2024

There are no specific requirements regarding the collection of personal information from a minor under the Privacy Act, however, IPP 4 (which relates to the manner of collection of personal information) provides that an agency may collect personal information only:

  1. By lawful means, and
  2. By means that, in the circumstances of the case (particularly in circumstances where personal information is being collected from children or young persons) –
  1. is fair, and
  2. does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

The Privacy Act does not provide a definition for children or young persons.

The OPC has launched a "Children and Young People's Privacy Project" to evaluate the effectiveness and adequacy of current laws in protecting children's privacy rights. The project focuses on ensuring that children's personal information, such as names, addresses, ages, photos, videos, and whakapapa, is respected.

In April 2024, the OPC released a report entitled Safeguarding children and young people’s privacy in New Zealand, which summarizes the responses received by the OPC through the consultation. The Report identified the need for:

  • clearer guidance on children’s privacy issues for parents, children, and professionals
  • regulatory reforms to strengthen children's privacy protections
  • risk mitigation for children's use of social media

The next phase of the project involves the OPC developing guidance based on key themes identified during its engagement. The OPC has indicated that its first detailed best practice guide will focus on the education sector and will be issued in 2025. The guidance will cover areas such as:

  • Responsibilities under the Privacy Act 2020
  • Privacy, security and confidentiality
  • Collecting, using and sharing information
  • Keeping students and parents and caregivers informed
  • Consent
  • Special categories of information
  • Accuracy of information
  • Keeping information safe and secure
  • Retaining and disposing of information
  • Wellbeing and safety (including online/digital safety)
  • Managing requests for information
  • Managing privacy breaches and near misses
  • Education technology
  • Managing privacy complaints
In what circumstances do these special requirements apply?

Last review date: 20 December 2024

Generally

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 20 December 2024

Under the Privacy Act, there are no express requirements for the collection and/or processing of minors' personal data.

However, agencies must give special consideration to children and young persons to ensure that the collection of personal information is fair and does not excessively intrude upon their personal affairs.

{{ $store.state.loadingScreen.message }} ...