Plain language law

New Zealand law explained for everyone

This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Regulated data services - Main obligations - Designated actions

19: Data holder must perform certain actions on accredited requestor’s request if customer’s authorisation is confirmed

You could also call this:

“Data holder must act on approved requests when customer gives permission”

This proposed law is about how a data holder must act when an accredited requestor asks them to do something for a customer. Here’s what it says:

If an accredited requestor (let’s call them A) asks a data holder to do something for a customer, the data holder has to do it if certain conditions are met. These conditions include:

The data holder has checked that the customer has given permission for this request.

The action A is asking for is on a special list of allowed actions.

The data holder usually does this kind of thing as part of their normal business.

A has made a proper request using the right system.

A is allowed to make this kind of request.

The data holder has made sure that the person making the request is who they say they are.

If all these conditions are met, then the data holder must do what A has asked them to do.

When deciding if the data holder usually does this kind of thing, they need to look at any rules set out in regulations and standards.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS710007.

Previous

18: Data holder must perform certain actions on customer’s request, or

“Data holders must follow customers' requests for certain actions”

Next

20: Data holder may or must refuse to perform actions in certain circumstances, or

“When companies can say no to sharing your information”

Part 2 Regulated data services
Main obligations: Designated actions

19Data holder must perform certain actions on accredited requestor’s request if customer’s authorisation is confirmed

  1. This section applies if—

  2. an accredited requestor (A) requests that a data holder perform an action in respect of a customer; and
    1. the data holder has carried out confirmation in relation to the request under section 38; and
      1. the requested action is a designated action; and
        1. the data holder would ordinarily perform actions to which the request relates in the course of the data holder’s business (see subsection (3)); and
          1. the request—
            1. is a valid request; and
              1. is made using the system described in section 27; and
              2. A is acting within the class of its accreditation; and
                1. the data holder has verified the identity of the person who made the request under section 44(2).

                  1. The data holder must perform the action.

                  2. When considering whether a data holder would ordinarily perform an action in the course of its business, regard must be had to the matters (if any) prescribed in the regulations and the standards.