Plain language law

New Zealand law explained for everyone

Customer and Product Data Act 2025

Regulated data services - Main obligations - Designated actions

20: Data holder may or must refuse to perform actions in certain circumstances

You could also call this:

“When a company can or must say no to sharing your information”

You should know about when a data holder can or must refuse to do certain actions. This is part of the Customer and Product Data Act 2025 in New Zealand.

A data holder can say no to doing something if:

It might seriously hurt someone or put people’s health or safety at risk.

They think it could cause serious money problems for someone.

They think someone is trying to trick them into doing it.

They think it could harm their computer systems or the register.

The customer or accredited requestor owes them money for responding to requests.

They think the accredited requestor has broken rules in this law.

There are other reasons listed in the rules.

A data holder must say no if they think someone is threatening to hurt them physically or mentally to make them do it.

Remember, a data holder is someone who holds information, and an accredited requestor is someone allowed to ask for that information.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS922210.

Topics:
Money and consumer rights > Consumer protection Rights and equality > Privacy Business > Industry rules
Previous

19: Data holder must perform certain actions on accredited requestor’s request if customer’s authorisation is confirmed, or

"Data holder must follow verified customer requests from approved requestors"

Next

21: How data holders and accredited requestors must deal with joint customers, or

"Rules for sharing information when you have a joint bank account or loan"

Part 2 Regulated data services
Main obligations: Designated actions

20Data holder may or must refuse to perform actions in certain circumstances

  1. Despite sections 18 and 19, a data holder may refuse to perform any action requested under either of those sections—

  2. if performing the action would be likely to pose a serious threat to the life, health, or safety of any individual, or to public health or public safety (see section 16(3)); or
    1. if the data holder reasonably believes that performing the action would create a significant likelihood of serious financial harm to any person; or
      1. if the data holder reasonably believes that it is likely that the request was made (wholly or in part) as a consequence of deception; or
        1. if the data holder reasonably believes that performing the action would be likely to have a materially adverse effect on the security, integrity, or stability of either or both of the following:
          1. the data holder’s information and communication technology systems:
            1. the register; or
            2. in the case of section 18, if the customer owes a debt to the data holder in relation to charges imposed for responding to the request; or
              1. in the case of section 19, if the accredited requestor owes a debt to the data holder in relation to charges imposed for responding to the request or providing any other regulated data services; or
                1. in the case of section 19, if the data holder reasonably believes that the accredited requestor has contravened any obligation under this Act in connection with the request; or
                  1. in the circumstances prescribed in the regulations or standards.

                    1. Despite sections 18 and 19, a data holder must refuse to perform any action requested under either of those sections if the data holder has reasonable grounds to believe that the request is made under the threat of physical or mental harm.