Privacy Act

Privacy in New Zealand is defined by the 12 privacy principles that are found in the Privacy Act.

Schools including kura must follow these as law, but they are designed to act as a guide to help schools and other agencies make the right decisions around the collection, storage, use and disclosure of private information.

All schools must have a privacy officer and this person is responsible for handling all privacy issues at the school. The Privacy Act, section 23 states that every agency must appoint a privacy officer. The privacy officer is responsible for:

  • Ensuring that the agency complies with the Act; and
  • Dealing with requests made to the agency for access to, or correction of personal information; and
  • Working with the Privacy Commissioner’s Office when it investigates complaints.

To do this, the privacy officer needs to be familiar with the Privacy Act and the school’s obligations under it.

In general terms, the privacy principles suggest schools should:

  • Only collect personal information they really need
  • Get it directly from the person where possible
  • Be open with people about what’s going to be done with it
  • Be fair about how you get it
  • Keep it secure
  • Let a person see it if they want to
  • Fix it if the person thinks it’s wrong
  • Take care that it’s accurate before using it
  • Dispose of it when it’s no longer needed
  • Use it only for the purpose for which you got it
  • Only disclose it if you have good reason to do so
  • Only use ‘unique identifiers’ where this is clearly allowed

Source: Office of the Privacy Commissioner

While the Privacy Act is law, it is subject to all other legislation, which means that its principles must be applied in relation to other laws which schools must follow. For example if the Official Information Act requires that you handle information in a specific way, then a school must follow this even if it breaches the Privacy Act.


The Office of the Privacy Commission suggest that a school should consider the privacy principles when considering the following functions:

  • Collecting personal information
  • Storing personal information
  • Use of personal information
  • Disclosure of personal information
  • Access to and correction of personal information

Personal information should be thought of as any information about a person that has their identity attached or that makes them identifiable. This ranges from the obvious name, address and phone numbers, right through to reports written about an individual or records of achievement.

If an individual believes that their privacy has been breached they may make a complaint to the Privacy Commissioner who can choose to investigate the complaint, make a ruling or seek redress for the affected party at the Human Rights Tribunal.

Schools should comply with the Privacy Act by seeking permission to use personal information, including photographs.

Many schools choose to do this at enrolment time with a blanket agreement. If you choose to do this, you should make it clear how you intend to use the information. If you then plan to use the information for a different purpose, you should again seek permission.

For example, if the agreement signed says that you may use images in a school yearbook, but you want them to use them for the school’s Facebook page, you should ask permission again for this new use.


Can I “stop” parents or whānau posting pictures from the school play / sports event on the internet as it breaches the privacy of the students?

There isn’t a simple answer to this question, except perhaps “It depends”. The privacy of the students is “interfered” with if the pictures are taken in a setting where they could reasonably expect privacy. So if for example the pictures were taken in the changing rooms at an athletics event then they would be seen as a breach of their privacy, whereas if the picture was taken at a public park during the athletics meeting then it is likely that they do not breach their privacy.

Can the school post images of students / student work on the internet?

This is partly a question of copyright as well as privacy. The privacy principles say that you should seek permission to use private information if it is being used outside of the purpose for which it was first collected. So for instance a photo taken for a school ID card can’t necessarily be used for the school’s website. In terms of student’s work, they “own” the copyright in that work and therefore you should seek their permission to publish it. Many schools will ask students (or parents) to sign a “permission to use images and work” declaration at enrolment to cover this kind of use. If in doubt, check with the students and/or parents.

A parent has asked me to remove a picture of a sporting event because it breaches their child’s privacy. Is this true?

If the sporting event was held in a place where an individual could “reasonably expect privacy” then this may be true. However, if the pictures are taken in a public setting then it is unlikely to be the case. Parents sometimes use privacy as a lever when their issues may be about other factors like protection or custody issues or religious sensitivities. Schools should seek permission to use images of students before using them, either on an individual basis or as part of a blanket “license” that parents are asked to sign. This gives parents an opportunity to raise their concerns around the use of images before they are published.

General Guidance

  • Schools must appoint a privacy officer.
  • Schools should develop privacy policies and procedures in line with the Information Privacy principles of the Privacy Act.
  • Make students and their caregivers aware of what information is being collected, for what purpose and how it will be stored.
  • Ensure individuals are aware of their rights to access personal information stored by the school.
  • Seek permission to “use” personal information especially when it is used outside of the purpose for which it was first collected.