IPP6 explained: the individual's right to access their personal information
When someone asks to see what data you hold about them, you have 20 working days to respond. Here is how to handle it.
Frequently asked questions
How does this relate to the Privacy Act 2020 in New Zealand?
The Privacy Act 2020 sets out how agencies must handle personal information, including Information Privacy Principle 3A (IPP3A) when data is collected from third-party sources. DEIS helps NZ businesses record compliance pathways for each lookup.
Is DEIS a legal adviser?
No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.
Information Privacy Principle 6 (IPP6) gives every individual the right to access the personal information that an agency holds about them. It is one of the most exercised privacy rights in New Zealand.
The obligation
When an individual requests access to their personal information, you must:
Decide within 20 working days whether to grant access.
If granting access, provide the information in a reasonable format.
If refusing access (there are limited grounds), explain the reason and advise the individual of their right to complain to the Privacy Commissioner.
Grounds for refusal
You can refuse access in limited circumstances, including:
Where disclosure would endanger someone's safety
Where disclosure would prejudice legal proceedings
Where the information is evaluative material used in a decision-making process (in limited circumstances)
Where disclosure would breach another person's privacy
The DEIS transparency portal
DEIS's transparency portal gives individuals proactive access to information about lookups performed on them through the platform. This goes beyond the minimum IPP6 requirement by providing access without the individual needing to make a formal request.
For businesses, this reduces the volume of formal IPP6 requests and demonstrates a commitment to transparency that the Office of the Privacy Commissioner (OPC) views favourably.