Plain language law

New Zealand law explained for everyone

This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Regulated data services - Main obligations - Designated actions

20: Data holder may or must refuse to perform actions in certain circumstances

You could also call this:

“When companies can say no to sharing your information”

The new law proposes that companies holding your data can refuse to share or act on your data in certain situations. They can say no if sharing your data might put someone’s life or health at risk, or if it could cause serious money problems for anyone. They can also refuse if they think someone is trying to trick them into sharing the data.

The companies can also say no if they think sharing the data might harm their computer systems or a special register. If you owe the company money for asking about your data, they might not share it. The same goes for companies that ask for data on your behalf - if they owe money, your data might not be shared.

There are some cases where the company must refuse to share your data. If they think someone is being threatened to ask for the data, they have to say no.

The law also explains that ‘tricking’ means the same thing as it does in another law called the Crimes Act 1961.

Remember, this is just a proposed law. It’s not in effect yet, but it shows how the government is thinking about protecting your data and the companies that hold it.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on 11 December 2024

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS922210.

19: Data holder must perform certain actions on accredited requestor’s request if customer’s authorisation is confirmed, or

“Data holder must act on approved requests when customer gives permission”

21: How data holders and accredited requestors must deal with joint customers, or

“Rules for dealing with customers who share accounts or products”

Part 2 Regulated data services
Main obligations: Designated actions

20Data holder may or must refuse to perform actions in certain circumstances

Despite sections 18 and 19, a data holder may refuse to perform any action requested under either of those sections—
if performing the action would be likely to pose a serious threat to the life, health, or safety of any individual, or to public health or public safety (see section 16(3)); or
if the data holder reasonably believes that performing the action would create a significant likelihood of serious financial harm to any person; or
if the data holder reasonably believes that it is likely that the request was made (wholly or in part) as a consequence of deception (see subsection (3)); or
if the data holder reasonably believes that performing the action would be likely to have a materially adverse effect on the security, integrity, or stability of either or both of the following:
1. the data holder’s information and communication technology systems:
2. the register; or
in the case of section 18, if the customer owes a debt to the data holder in relation to charges imposed in connection with the request; or
in the case of section 19, if the accredited requestor owes a debt to the data holder in relation to charges imposed in connection with the request or any other regulated data services; or
in the circumstances prescribed in the regulations or standards.

Despite sections 18 and 19, a data holder must refuse to perform any action requested under either of those sections if the data holder has reasonable grounds to believe that the request is made under the threat of physical or mental harm.
In subsection (1)(c), deception has the same meaning as in section 240(2) of the Crimes Act 1961.