LAC Guidelines Chapter 15: Privacy and the fair handling of personal information
Part 1: Does the proposed legislation affect the privacy of personal information?
Part 2: What specific matters need to be considered under the Privacy Act?
Part 3: How is privacy dealt with in the Official Information Act 1982?
The Privacy Act 1993 protects an individual’s privacy interest in their personal information. The focus of this Chapter is on providing practical guidance for policy advisers, so they can ensure that new legislation affecting personal information is consistent with the principles and guidelines in the Act. Policy advisers are required to do this by paragraphs 5.35–5.36 and 6.44–6.53 of the Cabinet Manual and Chapter 7 of the Step by Step Guide.
Policy advisers need to justify any departures from the Privacy Act framework, particularly if the policy will result in the collection, use or disclosure of personal information in a way that is inconsistent with the Act, or if the policy will deny individuals the right to access or correct personal information.
What is the purpose of the Privacy Act?
The Act gives effect to the Organisation for Economic Co-operation and Development (OECD) Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data 1980. The Act establishes legally enforceable principles relating to the collection, use, and disclosure of personal information by public and private sector agencies in New Zealand. The Act enables an individual to access and correct their personal information held by these agencies.
What is ‘personal information’ under the Privacy Act?
The concept of ‘personal information’ is central to the Privacy Act. Section 2 of the Act defines ‘personal information’ as information about an identifiable individual (including information contained in any register of deaths held under the Births, Deaths, and Marriages Registration Act 1995). There is no requirement that the information be in any particular form in order to be ‘personal information’ under the Act, provided it is information that is about a natural and identifiable person.
The following issues are discussed in this Chapter:
- Consistency with the Information Privacy Principles;
- Personal information in a register that the public can access;
- Codes of Practice;
- The transfer of personal information outside of New Zealand; and
- The Privacy Commissioner’s Role.
Part 3: How privacy is dealt with under the Official Information Act 1982.
If proposed legislation deals with the handling of personal information then it must be considered for compliance with the Privacy Act. The following list suggests some triggers that might alert policy advisers to a privacy issue.
These triggers indicate when proposed legislation may impact on the privacy of personal information. This is not to say that there will necessarily be a privacy problem, but does indicate that further work and thinking will be required. Policy advisers should note that the references to the Act, made in the list below, are discussed in more detail in Part 3 of this Chapter.
The triggers are:
- Does the proposed legislation deal with information about an identifiable individual that is collected or held by a public or private sector ‘agency’ (as defined under section 2 of the Act)? If so, the Act generally will be relevant;
- Does the proposed legislation require the collection of such personal information? If so, refer to Information Privacy Principles (IPPs) 1 to 4 of the Act;
- Does the proposed legislation contain a secrecy provision limiting access to personal information by the individual concerned? If so, refer to IPP 6 of the Act;
- Does the proposed legislation allow an agency to use personal information for a variety of different purposes? If so, refer to IPPs 8 and 10 of the Act;
- Does the proposed legislation require an agency to retain personal information? If so, refer to IPP 9 of the Act;
- Does the proposed legislation authorise an agency to disclose personal information? If so, refer to IPP 11 of the Act;
- Does the proposed legislation establish or regulate a system for uniquely identifying individuals—perhaps using a number? If so, refer to IPP 12 of the Act;
- Does the proposed legislation affect personal information in an area that is covered by a Privacy Commissioner’s code of practice? If so, refer to current codes in force;
- Does the proposed legislation create a register or database of personal information that is accessible to the public? If so, refer to Part 7 of the Act on public registers;
- Does the proposed legislation allow one agency to match personal information with another agency? If so, refer to Part 10 of the Act;
- Does the proposed legislation allow one agency to share personal information with another agency? If so, refer to IPP 11 of the Act;
- Does the proposed legislation deal with the sharing of law enforcement information? If so, refer to Part 11 of the Act; and
- Does the proposed legislation allow for the movement of personal information across national borders? If so, refer to section 10 of the Act and the general material on transborder information flows later in this chapter.
Below is an introduction to the specific areas of the Act that policy advisers may need to consider when developing legislation. The following areas of the Act are discussed in this Part:
A. The Information Privacy Principles;
- Storage and security;
- Accuracy and retention;
- Disclosure; and
- Unique identifiers;
B. Public registers;
C. Information matching;
D. Codes of practice;
E. Transborder information flows; and
F. The roles of the Privacy Commissioner.
A) Is the proposed legislation consistent with the Information Privacy Principles?
The twelve IPPs are the cornerstone of the Privacy Act (see section 6 of the Act). They address all aspects of information handling: from collection through storage, retention, use and disclosure, to accuracy and access by the individual concerned. In addition to the following material, policy advisers should refer to the full text of the IPPs set out in the Act. All the IPPs are subject to statutory exceptions.
|IPP 1 provides that an agency must not collect personal information unless the information is collected for a lawful purpose connected with a function or activity of the agency, and the collection of the information is necessary for that purpose.|
|IPP 2 provides that, subject to the exceptions in IPP 2, when an agency collects personal information it must be collected directly from the individual concerned.|
|IPP 3 provides that, subject to several exceptions in IPP 3, when collecting personal information directly from the individual concerned, the agency must take reasonable steps to ensure that the individual is notified of certain matters, including the purpose of the collection, the intended recipients of the information, and the rights of access and correction.|
|IPP 4 provides that an agency must not collect personal information by unlawful, unfair, or unreasonably intrusive means.|
Together these four collection principles place limits on the information that may lawfully be collected, and ensure that the means of collection are fair. They promote transparency and accountability by requiring agencies to tell the subject what they are doing by specifying relevant matters such as the purpose of collection, and intended recipients at the point of collection.
Issues with these collection principles commonly arise when personal information is being gathered for statutory purposes, for example, through the use of forms (electronic or otherwise) developed by regulation. It is crucial that agencies focus on what personal information they need to carry out their functions and limit their collection to that information. Collection methods need to comply with principle 3 (when collecting directly from the individual concerned) and principle 4, so that the collection process is transparent and is not unfair or unreasonably intrusive.
Legislation allowing the covert surveillance or the collection of personal information without the individual’s knowledge can also encounter issues with the Act. A key consideration with this kind of legislation is that it needs to be a proportionate response to the risk being addressed and that the downstream uses and disclosures of information gathered through surveillance need to be clearly prescribed.
Storage and security
|IPP 5 provides that an agency that holds personal information must employ reasonable security safeguards to protect the information against loss and unauthorised access, use, modification, or disclosure.|
IPP 5 relates to an agency’s internal, as well as external, security safeguards for stored personal information. This principle will be important when, for example, proposed legislation:
- introduces new technologies to store personal information;
- includes system specification and design;
- enables personal information to be held on a register or database accessible by the public (see discussion below on public registers).
|IPP 6 provides that, where an agency holds personal information that is readily retrievable, the individual is entitled to access that information. Good reasons for agencies to refuse such requests are outlined in Part 4 of the Act.|
A clear justification must be made if proposed legislation is to restrict or remove individuals’ right to access their personal information. The right of access is a fundamental privacy protection and must not be limited in the absence of compelling policy justifications. Non-disclosure provisions, which are also known as secrecy provisions, need to be clearly expressed and tightly defined so that the restriction on an individual’s right of access to their personal information is as small as possible.
|IPP 7 entitles the individual concerned to request the correction of personal information held by an agency.|
When new legislation includes system specification and design, the specific capacity to add correction statements should be part of that design. There may however be appropriate limits placed on the ability of an individual to correct information that exists as part of the public record. Separate statutory regimes often exist for that type of correction.
Accuracy and retention
|IPP 8 provides that an agency that holds personal information must not use that information without taking reasonable steps to ensure it is accurate, up to date, complete, relevant, and not misleading.|
If legislation is proposing that personal information be held, then these two IPPs require consideration. IPP 8 requires agencies to take care with data quality and verification.
|IPP 9 provides that an agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.|
IPP 9 may conflict with proposals to retain personal information for a lengthy or indefinite period. All retention periods must be linked to an identifiable purpose.
|IPP 10 provides that personal information obtained in connection with one purpose must not be used for any other purpose unless the agency believes, on reasonable grounds, that one of the listed exceptions in IPP 10 applies.|
If the proposed legislation will allow an agency to use personal information for a purpose which differs from the purposes for which the information was originally obtained, this may conflict with IPP 10. Difficulties can often be avoided through clearly identifying, at an early stage of the policy and legislative development, the purpose for which the information is being obtained.
The difference between use in IPP 10 and disclosure in IPP 11 is important. Use of information in IPP 10 refers to how an agency itself makes use of the personal information. Conversely disclosure, although it may be closely aligned to use, refers to the release of the personal information to another agency, body, or person.
|IPP 11 provides that an agency holding personal information must not disclose that information to a person, body, or agency, unless it believes on reasonable grounds that one of the listed exceptions in IPP 11 applies.|
If the legislation will authorise or require an agency to disclose personal information to another person, body, or agency, then policy advisers must consider the requirements of IPP 11.
‘Disclosure’ as it is used in the Act includes the ‘sharing’ of personal information. It is becoming increasingly common for legislation to include a power for public sector agencies to disclose personal information to other agencies. Policy advisers should consider whether this disclosure is permitted by IPP 11, or whether a specific information sharing regime needs to be established.
If the proposed legislation wants to promote the sharing of personal information, it must be precise about who makes the decisions on the release of the information, and should limit the sharing to specific types of personal information, being disclosed for a specific purpose, to a specific agency.
Special care is required where the legislation proposes the mandatory collection of personal information. With such mandatory collection, careful limits should be placed on the use of the information and disclosure of that information to other agencies.
Lastly, when proposed legislation includes the sharing of personal information, consideration should also be given to the use of the other disclosure mechanisms in the Act. The main example relates to law enforcement information, which is discussed in Part 11 and Schedule 5 of the Act, and which allows certain law enforcement agencies to share certain information despite the restrictions in the IPPs. (See also Information Matching under D) below)
|IPP 12 imposes four requirements relating to unique identifiers:
If the legislation proposes assigning an identifier to an individual—usually in the form of a customer or agency number—and that identifier will be unique to that individual, then consideration must be given to IPP 12. IPP 12 provides a valuable privacy safeguard against any unique identifier potentially amounting to a de facto universal identifier.
Policy advisers developing legislation should:
- strive to develop legislation that is compliant with the IPPs;
- consider, if an aspect of the proposed legislation appears to be inconsistent with an IPP, whether one of the exceptions contained in the IPPs themselves, or one of the exemptions to the IPPs included elsewhere in the Act, might apply;
- consider, if no exception or exemption in the Act applies to the inconsistent provision,—
  - using an alternative measure in the legislation which will better protect privacy interests through complying with the IPPs; or
  - making the inconsistency with the IPP as narrow as possible, and preparing a full explanation for the relevant Cabinet Committees of why an inconsistency with an IPP might be necessary in the proposed legislation in order to achieve the policy goals.
B) Does the proposed legislation put personal information in a register that the public can access?
Registers (or databases) holding personal information are often created for official administrative purposes and use. The information held on such registers is sometimes open to all or a section of the public to search. This may involve personal information about a large number of people, which can be searched electronically. The Privacy Act therefore places particular safeguards around the personal information held on these ‘public registers’.
Policy advisers should note that a register with personal information, which gives the public a right to search, should be created as a ‘public register’ under Part 7 of the Act. This will mean that the protections in the Act’s four Public Register Privacy Principles (PRPP) will apply (see section 59). These principles address search references, uses for the information (including its electronic transmission), and charging for register access. In addition, public registers are subject to Part 6 of the Domestic Violence Act 1995, which covers the non-publication of certain personal information on public registers.
Proposed legislation containing a public register should address the following matters:
- Purposes: Include in the legislation statements of purpose—for creating the register and for making it open to search by the public—to guide the operation of the register and assist in reconciling privacy with desired policy objectives;
- Include necessary personal information only: Take care to ensure that only necessary information is both placed on the register and accessible to the public (there may be no need, for example, to provide unlimited public access to any or all personal information held);
- Search references: Ensure that personal information will be made available from the public register only by appropriate search references—which should be included in the legislation (see PRPP 1);
- Control bulk access: Consider how accessible the register should be to requests from agencies for many or all of the entries on the register—this is a major privacy concern as the personal information may then be used for secondary purposes, such as direct marketing (Section 52(1)(f) of the Rating Valuations Act 1998 provides a useful example of a way to restrict the bulk provision of information from a register);
- Other safeguards: If the public can search a register in an unrestricted manner, then consider incorporating other safeguards in the legislation, such as allowing certain people to have some personal details suppressed (residential addresses, for example), and placing controls on the subsequent use of personal information that an agency has obtained from a public register.
The Office of the Privacy Commissioner has prepared a document entitled Drafting Suggestions for Departments Preparing Public Register Provisions, which is available at www.privacy.org.nz.
C) Does the legislation propose information matching (data matching)?
Information matching involves the comparison of one set of computerised records held by one agency with those held by another, to find records in both sets of data that belong to the same person. Parliament decided that government information matching should be monitored to ensure continued public trust in government and to prevent abuses. The Privacy Act, to address these risks, regulates the practice of information matching in the public sector. It does this through controls directed at:
- Authorisation—requiring the Privacy Commissioner to weigh proposed programmes against public interest criteria (see section 13(1)(f) of the Act);
- Operation—imposing statutory rules ensuring that programmes are operated fairly and accurately (see sections 99 to 103 and Schedule 4 of the Act);
- Monitoring—subjecting programmes to periodic reviews and possible cancellation. Agencies must report on their matching operations to the Commissioner, who in turn reports on the results to Parliament. The Commissioner periodically assesses whether an information matching provision should be allowed to continue (see sections 104 to 106 of the Act).
Agencies who undertake information matching that is not authorised under the Act may run the risk of being found non-compliant with the Act, as information matching often breaches IPPs 2, 10 and 11. Authorisation places a matching programme under the controls of Part 10 and Schedule 4 of the Act.
Government data matching programmes must be established in legislation. The provision establishing the information matching programme must be specified in Schedule 3 of the Act (as an “information matching provision”), and the agencies involved in the matching must be listed within section 97 of the Act (as a “specified agency”).
Policy advisers proposing legislation that involves information matching should address the following:
- The legislation should state explicitly that personal information will be disclosed for a specific purpose, e.g. “to enable the (specified department) to disclose (specified information) to verify the entitlement to (a particular benefit or service)”;
- The type of personal information to be disclosed should be clearly defined, for example, “an applicant’s full name, date of birth, residential address, and tax file number”. The meaning of agency or industry specific key terms should be made clear;
- Where a generic term such as “beneficiary information” is used, there should be a further description of what that information includes. Note that the least amount of personal information should be disclosed in order to fulfil the purpose of the matching programme.
For further details on information matching, refer to the Office of the Privacy Commissioner’s Guidance Note for Departments Seeking Legislative Provision for Information Matching, which is available at www.privacy.org.nz.
D) Are Codes of Practice relevant to the proposed legislation?
The Privacy Commissioner issues codes of practice, which modify or replace the application of the IPPs to personal information in certain areas, such as health or credit reporting. Codes do this by, for example:
- prescribing more stringent standards than the IPPs;
- exempting a particular action from the IPPs (see Part 6 of the Privacy Act); or
- prescribing how an agency is to comply with an IPP (see sections 46 and 50 of the Act).
Codes can be found on the Privacy Commissioner’s website (at www.privacy.org.nz).
When policy advisers are developing legislation, as well as having regard to the IPPs, codes should be checked to see whether they are relevant to the subject matter of the proposed legislation. If a code is relevant, then compliance with that code will be the first step (see section 53 of the Act).
Legislation can also make reference to codes. For example, codes are referred to in section 35(5)(f) of the Dog Control Act 1996, and section 22C(1)(b) of the Health Act 1956. Policy advisers should also consider whether a new code might be an appropriate response to a policy issue.
E) Does the legislation propose to transfer personal information out of New Zealand?
Occasionally legislation expressly authorises the transfer of categories of personal information about New Zealanders to another country. If a case has been made to transfer the personal information overseas, the personal information will have lost the protections of the Privacy Act. Additional safeguards should therefore be incorporated into the authorising legislation, especially if there is no equivalent privacy law in the receiving jurisdiction.
The legislation should require that, if information is to be disclosed, it is disclosed subject to an agreement between the New Zealand agency and the foreign recipient agency. The legislation should specify the matters to be addressed in the agreement and require consultation with the Privacy Commissioner on the terms of the agreement.
The agreement should state:
- its purpose
- the information to be disclosed
- method and form of disclosure
- uses that can be made of the information by the receiving party
- conditions on which the receiving party may on-disclose
- the agencies that can receive the personal information.
The legislation should expressly state the information that may be disclosed pursuant to an agreement. The legislation can also state review requirements (i.e. the agreement must be subject to reviews or the Privacy Commissioner may be able to require reviews).
The Customs and Excise, Immigration, and Passports Acts provide examples of such provisions. All require departmental consultation with the Privacy Commissioner in certain cases before transborder information disclosure agreements are entered into.
If the proposed legislation is to transfer personal information to an overseas organisation, policy advisers should consider the inclusion of additional privacy safeguards. In some cases, these safeguards may include a specific role for the Privacy Commissioner.
F) What are the Privacy Commissioner’s roles?
Many of the Privacy Commissioner’s statutory functions—under Part 3 of the Act—are relevant to the development of legislation. For example:
- To examine proposed legislation that makes provision for the collection and disclosure of personal information, including where personal information is used for the purpose of an information matching programme (see section 13(1)(f) of the Act);
- To provide advice to a Minister or an agency on the operation of the Act (see section 13(1)(l));
- To examine proposed legislation or policy that may affect the privacy of individuals (see section 13(1)(o)); and
- To monitor the use of unique identifiers (see section 13(1)(c)).
The Office of the Privacy Commissioner has legal and policy advisers available to assist policy advisers from other organisations (subject to Office resource and timing constraints).
Is an additional role for the Privacy Commissioner required in the proposed legislation?
If the proposed legislation involves a matter with significant and ongoing privacy impacts so that special protections are warranted, then consideration should be given to a specific role for the Privacy Commissioner. To date, the Privacy Commissioner has been given functions under legislation (other than the Privacy Act) in six categories:
- Scrutiny or approval of information sharing regimes / arrangements;
- Consultation on rule making or standard setting;
- A complaints investigation role;
- Consultation on privacy complaints handled by other agencies;
- Appointment to other bodies to provide a privacy viewpoint; and
- Audits of information practices.
A major source of these additional functions is currently in the area of information sharing between New Zealand agencies, and between New Zealand and overseas agencies (see above under E)).
Policy advisers should be aware of the role of the Privacy Commissioner in relation to proposed legislation which affects privacy. Given the Commissioner’s statutory functions, and the requirements set by the Cabinet Manual, the Privacy Commissioner would expect to be consulted by policy advisers developing new policies and legislation that may affect the privacy of individuals.
For a project with significant effects on privacy and the handling of personal information, consideration should be given at an early stage of policy development to conducting a Privacy Impact Assessment (PIA). PIAs can form the basis of consultation with the Privacy Commissioner. Publications offering guidance on how to carry out a PIA are available from the Office of the Privacy Commissioner.
The Office of the Privacy Commissioner can provide policy advisers with assistance, and also provides a variety of interpretative resources on the Act, provides training workshops, and runs a general helpline (0800 803 909 and see www.privacy.org.nz).
Proposed legislation which warrants special privacy safeguards may include an additional role for the Privacy Commissioner (see current examples in the Annual Report of the Privacy Commissioner on www.privacy.org.nz).
The Official Information Act 1982 provides that a good reason exists to withhold information if withholding is necessary to protect the privacy of natural persons, including that of deceased natural persons (see section 9(2)(a)). This is not a conclusive reason to withhold and may be outweighed by other considerations in the public interest.
The Office of the Ombudsmen has indicated that the key issue under the Official Information Act is to determine whether or not it is necessary to withhold the information in order to protect an individual's privacy. In making this determination, factors to be taken into account are:
- The nature of the information that would be disclosed;
- The circumstances in which the information was obtained and held;
- The likelihood of the information being information that the person concerned would not wish to be disclosed without consent;
- The current relevance of the information; and
- The extent to which the information at issue has already been made public.