What agencies must do with your personal information (IPP 4 – 7)

Once an agency has collected personal information, it must:

  • Store it safely and secure it from loss, unauthorised access, use, modification, disclosure or any other misuse. Rules around the storage and security of personal information are set out in Information Privacy Principle 4 (IPP 4).
  • Tell people whether it holds any personal information. IPP 5 requires that agencies take reasonable steps to ensure an individual can find out whether the agency holds documents containing personal information, the type of information held, the purposes for which the information is used and what the individual should do to obtain access to a document containing their personal information. Some agencies will publish this information in the form of a privacy policy which should be accessible from the agency in hardcopy, or may be accessible through the agency’s website.
  • Accept requests for access to, and amendment of, personal information, under IPP 6 and IPP 7.