This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Protections - Authorisation

39: Customer or secondary user must be able to control authorisation

You could also call this:

“You can choose who sees your info and for how long”

If someone who holds your data confirms that you or someone you’ve allowed to act for you has given permission to use that data, they need to have a way for you to see or cancel that permission. This system must follow any rules set out in the regulations and standards.

If you or someone acting for you gives permission to a certified person who wants to request your data, that person must also have a way for you to see or cancel the permission. Their system also needs to follow any rules in the regulations and standards.

Both the person holding your data and the certified person requesting it must make sure that if you decide to cancel your permission, it happens right away.

These proposed rules are meant to give you control over who can use your information and for how long. They’re part of a new law being considered to protect your data and how it’s used.

This text is automatically generated. It might be out of date or be missing some parts.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS722015.



Part 3 Protections
Authorisation

39 Customer or secondary user must be able to control authorisation

  1. If a data holder has confirmed an authorisation under section 38 given by a customer (or by a secondary user on their behalf), the data holder—
    1. must have systems in place to enable the customer or secondary user (as the case may be) to view or end the authorisation; and
    2. must ensure that those systems meet the requirements (if any) provided for by the regulations and the standards.
  2. If a customer (or a secondary user on their behalf) has given an accredited requestor an authorisation, the accredited requestor—
    1. must have systems in place to enable the customer or secondary user (as the case may be) to view or end the authorisation; and
    2. must ensure that those systems meet the requirements (if any) provided for by the regulations and the standards.
  3. The data holder or accredited requestor must ensure that the systems are able to give immediate effect to a withdrawal of an authorisation.