This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Protections - Authorisation

38: Authorisation must be confirmed

You could also call this:

“Companies must check if you've said it's okay before using your data”

The proposed law says that when a company (called a data holder) gets a request from an approved asker (an accredited requestor) to provide a service using your data, they need to check that the service is within what you’ve said is okay before they go ahead. This checking is called confirmation.

The company can’t start the service until they’ve done this confirmation. Once they’ve checked, they can keep providing the service until you change what you’ve allowed or stop allowing it completely.

If you change what you’ve allowed or stop allowing it, the company needs to check again before they can do anything else with your data.

For example, if you let your power company share information about how much electricity you use with another company that helps find good deals, your power company must check that you’ve said it’s okay before they share anything. They only need to check once, unless you change what you’ve allowed or stop allowing it.

The way companies do this confirmation check may be set out in regulations and standards made under this law.

This text is automatically generated. It might be out of date or be missing some parts.


View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS710308.



Part 3 Protections
Authorisation

38 Authorisation must be confirmed

  1. This section applies if a data holder receives a request from an accredited requestor to provide a regulated data service relating to a customer.

  2. The data holder must check that the service is within the scope of the authorisation given by the customer (or by a secondary user on their behalf) (confirmation).

  3. The data holder must not provide the regulated data service until confirmation has been completed.

  4. A confirmation is valid for any service within the scope of that authorisation until the time when the scope of the authorisation is modified or the authorisation ends (whichever is earlier).

  5. If the scope of the authorisation is modified or the authorisation ends, subsection (2) applies again.

    Example

    A customer authorises their electricity provider (a data holder) to provide details of their electricity usage to a company that makes recommendations about the best electricity deals in the market.

    Before sharing any of the customer’s data for the first time, the electricity provider must confirm the customer’s authorisation.

    However, it is not necessary to carry out confirmation for any subsequent actions performed within the scope of that authorisation. The electricity provider will only have to reconfirm the customer’s authorisation if the scope of the authorisation is modified or the authorisation ends.

  6. A person that carries out a confirmation must carry out the confirmation in the manner (if any) prescribed by the regulations and the standards.