All questions

Data protection

i Requirements for registration

The Privacy Act governs data protection. Employers, as agencies, are subject to this Act. While employers are not required to register with a data protection agency or other government body, they are under a duty to appoint a privacy officer, whose responsibilities include encouraging the employer's compliance with the Privacy Act and working with the Privacy Commissioner in relation to investigations.

Under the Privacy Act, employers are bound to comply with 12 information privacy principles (IPPs), which conform to a number of international agreements. The IPPs are rules about the collection, retention, use and disclosure of personal information. In accordance with the IPPs, personal information relating to an employee must be collected directly from that employee (unless an exception applies), providing that it is collected for a lawful purpose that is connected with a function of activity of the employer and the collection of information is necessary for that purpose. The employer must take reasonable steps to ensure, among other things, that the employee knows the information has been collected, why it has been collected and that he or she has the right to correct the information. Further, the employer must reasonably secure the information against loss and unauthorised access or misuse.

ii Cross-border transfers

The Privacy Commissioner has discretion to prohibit cross-border transfers of personal information. To exercise this discretion, the Commissioner must be satisfied on the following reasonable grounds: first, that the information is likely to be transferred from the receiving state to a third state that does not have information safeguards similar to those in New Zealand; second, that the information transfer would likely lead to a contravention of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Commissioner cannot exercise discretion to prohibit the transfer if the information is required by legislation or any obligation at international law.

iii Sensitive data

The term used in New Zealand law is personal information, as there is no separate definition for sensitive data. Personal information is defined in the Privacy Act as information about an identifiable individual. Requests for personal information by individuals about themselves are governed by the Privacy Act, but the IPPs do not apply to personal information held solely or principally in connection with an individual's personal, domestic or family affairs.

iv Background checks

Generally, offers of employment are made to prospective employees on the condition that the employer is satisfied with any background checks that the employer requires. If an employer is not satisfied with a background check, it may withdraw the offer.

Employers may check a prospective employee's references with the employee's consent. The prospective employee is deemed to give consent where he or she provides a prior employer's name and contact details in an application for employment.

Employers may also check an employee's criminal records with his or her consent. However, in certain circumstances, employees do not have to declare criminal convictions. Under the Criminal Records (Clean Slate) Act 2004, if an individual satisfies relevant eligibility criteria, they will be deemed to have no criminal record for the purposes of any question asked about their criminal record. This scheme, known as the 'clean slate scheme', applies to every question asked about and every request made for the disclosure of the individual's criminal record, including questions asked and requests made by prospective employers. The relevant eligibility criteria include, among other requirements, having completed a rehabilitation period of at least seven years since the date of sentencing, never having had a custodial sentence imposed and never having been disqualified from driving (or subject to an alcohol interlock sentence) in respect of certain serious driving offences. The clean slate scheme does not apply to individuals applying for employment in a position that involves national security, in the justice sector, as a law enforcement officer or in a role involving the care and protection of children.

Under the Credit Reporting Privacy Code 2004, employers can only access credit information about a prospective employee with his or her consent and for the purpose of a pre-employment check for a position involving significant financial risk.