This is a single section from Chapter 7.

Is the legislation consistent with the requirements of the Privacy Act 1993 and its 12 Information Privacy Principles?

Legislation should be consistent with the requirements of the Privacy Act 1993, in particular the Information Privacy Principles.


The two key concepts in the Privacy Act are purpose and transparency. You must know what you want to do and what personal information you need to do it, and you must clearly communicate both those aspects to those whose information is involved. Where relevant, legislation should clearly state its relationship with the Privacy Act and explicitly address whether the Privacy Act does or does not apply, or where parts of the Privacy Act do not apply.

The personal information that is required may already be held by a public body for another purpose. Whether the proposed use falls within the purposes for which the personal information was originally collected, and whether those purposes have been communicated to the individuals concerned, should be considered before developing legislation that permits a new use or disclosure of information that is already held.

The 12 Information Privacy Principles are the cornerstone of the Privacy Act (and can be found in s 6). They address how agencies and private sector bodies may collect, store, use, and disclose personal information. They also allow a person to request access to and correction of their personal information. Many of the Information Privacy Principles have in-built exceptions, and Part 6 of the Privacy Act has further exemptions for them. For more guidance, consult the Privacy Commissioner’s website.

Legislation may be inconsistent with the Privacy Act, but this must be explicit in the legislation. A full explanation will also need to be provided to the relevant Cabinet Committee as to why the inconsistency with the Privacy Act in the proposed legislation is necessary to achieve the policy objectives.

Where the policy objective requires an inconsistency with the Privacy Act, the legislation should be drafted so as to minimise the inconsistency. If there is any ambiguity regarding an inconsistency with the Privacy Act, the courts may prefer an interpretation of the legislation that involves the least impact on the privacy interests of individuals.
