This is a single section from Chapter 8. Read the full chapter here.

Is the legislation consistent with the requirements of the Privacy Act 1993 and that Act’s 12 information privacy principles?

Legislation should be consistent with the requirements of the Privacy Act 1993, in particular the information privacy principles.

The 12 information privacy principles are the cornerstone of the Privacy Act (and can be found in section 6). They address how agencies may collect, store, use, and disclose personal information. They also allow a person to request access to and correction of their personal information. Many of the information privacy principles have in-built exceptions, and Part 6 of the Privacy Act has further exemptions.

The policy objective will sometimes justify an inconsistency with the privacy principles. Section 7 of the Privacy Act provides that legislation that is inconsistent with the privacy principles will take precedence. There is then no need for legislation overriding the Act to contain an express override provision. However, any override of the Act requires a policy decision and the reasons should be clearly identified in the Cabinet papers.[1]

If that occurs, the policy should be developed so as to minimise the inconsistency. If there is any ambiguity regarding an inconsistency with the Privacy Act, the courts may prefer an interpretation of the legislation that involves the least impact on the privacy interests of individuals.

The design of any legislative provision that overrides the privacy principles, in particular principles 10 and 11 (relating to the use and disclosure of personal information), should reflect as necessary the principles of specificity, proportionality, and transparency. Consultation with the Office of the Privacy Commissioner and the Ministry of Justice will help to identify the necessary design features.

The Cabinet Manual requires Ministers to draw attention to any aspects of a bill that have implications for, or may be affected by, the principles in the Privacy Act 1993, when submitting bids for bills for the legislative programme. Similarly, it requires Ministers to confirm compliance with those principles when subsequently submitting the bill to the Cabinet Legislation Committee for approval for introduction.[2]

[1] Previously, the Guidelines indicated that if proposed legislation would be inconsistent with the information privacy principles that should be explicitly stated in the legislation. That advice has been amended because it could be misleading.

[2] Cabinet Office Cabinet Manual 2017 at 7.65 – 7.66.

This page was last modified on