Privacy Act 2020 — IPP 6 and IPP 7

Individual access and correction rights — Privacy Act 2020

Individuals can ask to see their own personal information and request correction of errors. Here's how agencies must respond.

📋 Privacy Act 2020, IPP 6 (access) + IPP 7 (correction)

Right of access (IPP 6)

Anyone can request access to personal information held about them — in any format (paper, digital, email, recordings). Requests can be verbal or written. No special form required.

Response timeframe

20 working days

Confirm whether you hold the information and either provide access, or give reasons for refusal. Can extend by 20 more working days for complex requests — with written notice to the requester.

Permitted grounds for refusal

  • Would endanger someone's safety
  • Would disclose another individual's private information
  • Subject to legal professional privilege
  • Contrary to an enactment
  • Frivolous or vexatious request
  • Information doesn't exist or can't be found
  • Would prejudice a law enforcement investigation

Cannot refuse simply because the information is embarrassing or inconvenient.

Right of correction (IPP 7)

If an individual believes information is inaccurate, they can request correction. If you agree: correct it. If you disagree: attach a statement of correction. Take reasonable steps to notify anyone to whom you disclosed the incorrect information.

Fees

Can charge a reasonable fee — but not so high as to discourage access. Disclose upfront and give the requester the option to agree before proceeding.

Complaints

Failure to respond within 20 working days or wrongful refusal can be complained to the Privacy Commissioner, who can investigate and direct the agency to provide access.

Source: Privacy Act 2020, IPP 6–7. privacy.org.nz. General information only.

Frequently asked questions

Can we ask why they want the information?
You can ask, but cannot refuse access because you dislike the reason.
What if records contain third-party information?
Redact or withhold parts identifying another individual. Provide the rest. Document your reasoning.
Can we require written requests?
No. The Act doesn't require it. You can ask for written requests, but cannot refuse verbal ones.
Do health records have special access rules?
Same 20-working-day timeframe applies under the HIPC. Health agencies can charge a fee. Access can be refused if likely to endanger the requester's health.

Health and social service providers: manage your privacy obligations

Workstep gives your team instant answers from the Privacy Act and your own privacy policies — with exact IPP references.

Try Workstep free → Book a 20-minute demo