Reading time: 6 minutes

As an agency that handles personal information, your business must uphold its obligations under privacy law. Among these obligations is granting customers access to the personal information you hold about them if they request access. Every individual has the right to privacy protection under the law. This right includes knowing what personal information of theirs your business collects. In most cases, you should comply with a customer’s wishes, for example, to request access to their own personal information. However, there are some exceptions to this rule when you are legally allowed to refuse a customer’s request for information access. This article will detail these exceptions. 

Personal Information at Your Business 

Your business will likely deal with personal information, such as customer names and financial details. According to the Privacy Act, as an agency that collects personal information, you must deal with this information in a certain way

You can only collect personal information in an unobtrusive way. Likewise, you must let customers know why you are doing so. You also need to make sure you store and protect that information safely and retain it for as long as it fulfils its purpose. Once that purpose is complete, you must get rid of the information.

Customer Access

Every individual in New Zealand has a right to ask any agency with personal information about them to access that information. They can ask you to:

  • confirm whether you have their information; and
  • show them that information.

Importantly, the information they request must be about them, or they have the written consent of the individual they are asking on behalf of.

Once you receive an access request, you must investigate it as soon as practicable and reply within 20 working days. If you need to delay, you need to let the requester know. Further, if you operate in the private sector, you can charge customers for these access requests.

Refusing Customer Access

The first questions to ask yourself is whether the customer requesting the information is entitled to access the specific information in the first place. However, be wary when refusing customers access to personal information as they can make a complaint to the Privacy Commission if they think you have denied this right.

There are, however, some instances where you can legally refuse a customer’s access request. You may be able to refuse this request for the personal information your business holds for the following reasons. 


If you cannot easily retrieve the requested information, then you may be able to refuse information access. However, the obstacle to access must be a legitimate reason, rather than an arbitrary one, such as having disorganised systems.

Negative Effect on Health

If the information is likely to impact a person’s physical or mental health negatively, you may not have to release it. You need to consult with the individual’s medical practitioner to rely on this.


If you think that the information’s release would pose a serious threat to someone’s safety, you may be able to refuse.

Breaching Another’s Privacy

Here, you must weigh up the individual’s right to access against another’s right to privacy. Where you think the other’s right to privacy is more important, you may be able to claim the individual’s access request is unwarranted. It is best to consider the full context of the information and request at hand.

Given in Confidence 

If someone gives you information in confidence, you may be able to rely on this ground for refusal. That party trusted you when giving you the information, so you need to protect it. For example, if someone gave you that information in confidence for a person’s employment suitability, you can refuse to release it.

You Do Not Have It

If you do not have the information, then you cannot give it to the requester. However, if you know who does have the information, you should forward it to that agency within ten working days. Note that you may be breaching your privacy obligations to store information securely if you cannot find information that you should be holding.


If the information the requester wants is trivial, you may be able to refuse giving it. However, what may seem trivial to you may not be trivial to the individual. The request for information may be trivial if it is:

  • a very small piece of information;
  • not associating any meaningful information with the requester;
  • seemingly innocuous, or you have already given the information to the requester.


If a request for information is vexatious or frivolous without any real purpose or value, you may not need to comply with it. You could do so if the individual has made the request in bad faith or through a clear abuse of process. Note that this characteristic only applies to the request itself, not the individual. 

For example, a vexatious request may be one where you have already given the information requested, and the individual is asking again without any apparent reason. Another case is where the individual has only requested the information knowing that you will refuse so that they will have grounds to make a complaint.

Key Takeaways

If a customer wants to see any personal information you hold about them, you generally have to comply with this wish. However, you may refuse if you have a legitimate reason. You will need to provide proof of that reason and not refuse arbitrarily. If you would like more information or help with information access requests at your business, contact LegalVision’s IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is any data about an identifiable individual. If someone were to look at this data, they would be able to identify who it is about. Examples include customer names or photos.

What is an ‘agency’?

An agency is any organisation that collects or deals with an individual’s personal information. Your business likely classifies as an agency, so make sure you know your privacy law obligations.

When can customers ask to see any personal information I hold?

Any customer can ask to confirm whether you hold personal information about them, and they can ask you to show them that information. However, they must be the individual that the information is about. Alternatively, they may have the written consent of the individual if they are a third party.

Can my business refuse a personal information access request?

You can refuse a personal information access request if you have a legitimate and legal reason to refuse. Some examples of these reasons include if someone gave the information to you in confidence or if the information’s release would breach a third party’s privacy.

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2019 Top 25 Startups - LinkedIn
  • 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Winner – Australasian Lawyer
  • 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2021 Law Firm of the Year - Australasian Law Awards
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards