Customer and Product Data Act 2025

Regulated data services - Additional obligations - Secondary users

25: Regulations may require requests to be made or authorisations to be given only by secondary users

You could also call this:

“Rules can limit who can ask for or allow access to certain information”

The law says that rules can be made about who can ask for or allow someone else to ask for certain information. These rules are about ‘secondary users’.

If these rules say that only secondary users can make requests or give permission for a certain type of customer, then that’s how it must be done. If someone tries to make a request or give permission in a different way, it won’t count.

For example, if the rules say that only a parent can ask for information about their child’s account, then the child can’t make that request themselves. If the child tries to make the request, it won’t be accepted.

Remember, these rules only apply if they are specifically mentioned in the regulations. If there are no special rules about secondary users for a certain type of customer, then the normal rules for making requests or giving permissions apply.

This text is automatically generated. It might be out of date or be missing some parts.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS920920.


Part 2 Regulated data services
Additional obligations: Secondary users

25 Regulations may require requests to be made or authorisations to be given only by secondary users

  1. This section applies if the regulations provide that a particular kind of customer may make a request or authorise an accredited requestor to make a request under subpart 1 only if that is done on their behalf by 1 or more secondary users.

  2. A request or an authorisation in respect of the customer is of no effect under subpart 1 if it is made or given otherwise than in accordance with those regulations.