The body corporate chair of a 34-unit Newmarket apartment building needed a quote for repainting the building's exterior. She emailed a spreadsheet of all owners' names, email addresses and phone numbers to three painting contractors, asking them to coordinate site access. One of the contractors — presumably trying to be helpful — emailed all 34 owners directly to introduce themselves and schedule access. The chair received a message from the Privacy Commissioner's office two months later.
The Privacy Act 2020 applies to body corporates. This isn't widely understood, and the consequences of not understanding it can range from embarrassing to genuinely serious. A body corporate collects, holds and uses personal information about its members as a matter of course — names, contact details, ownership records, correspondence — and it is obliged to handle that information in accordance with the Privacy Act's Information Privacy Principles.
The core principle is that personal information should only be used for the purpose for which it was collected. Owners provide their contact details so the body corporate can communicate with them about building matters. That doesn't mean their details can be shared with contractors, property managers, other residents, or anyone else without a clear reason directly connected to the body corporate's functions.
What the body corporate must hold: a register of unit owners is a legal requirement under the Unit Titles Act. The register has to be kept accurate and up to date. It records ownership details for each unit — who owns it, their contact information, and the ownership interest attached to each unit.
What can be shared from the register? Owners are entitled to access the register themselves. They can request information about other owners — for example, to contact someone directly about a shared issue — but the body corporate manager or secretary should handle that process carefully. Bulk sharing of owner contact details isn't the same as facilitating communication, and the difference matters.
The changes that took effect in May 2024 added requirements about what information bodies corporate and their managers must keep — and gave the regulator, MBIE, the power to request it. This is separate from the Privacy Act question, but it sits alongside it. More information is now being formally documented, which creates more privacy obligations around how it is stored and protected.
For committees: the practical rule of thumb is that owner information should only leave the body corporate's files for a direct body corporate purpose, and it should only go to people who need it for that purpose. Sending a full owner list to a contractor isn't necessary — you can arrange access without disclosing the contact details of 34 people who haven't consented to having their information shared.
For owners: you have a right to know what personal information the body corporate holds about you, and to request a correction if it is wrong. If you believe your information has been mishandled, you can raise it with the body corporate first, and with the Privacy Commissioner if the issue isn't resolved. The Commissioner can investigate complaints and make orders. It is a real accountability mechanism, not just a theoretical one.
Quarter is the new body corporate — transparent, owner-first, and built for the way people actually live together. See how it works at quarter.nz.