Privacy and dealing with information about people

The Government should respect privacy interests of people and ensure that the collection, use, and disclosure of information about identifiable people is done consistently with those interests. The unnecessary collection, misuse or perceived misuse, or unauthorised disclosure of personal information erodes the community’s trust in the Government and other institutions, and can make it harder to collect information in the future. Further, other countries may be reluctant to share information with New Zealand if our law does not give proper respect to privacy rights.

If new policy is being developed that proposes the handling of personal information (that is, information about a person that either identifies or is capable of identifying that person), officials must first consider whether the proposed action is governed by the Privacy Act 2020. That Act applies to both public sector and private sector agencies and establishes a set of information privacy principles for the handling of personal information. The two key concepts in the Act are purpose and transparency. If the personal information is already held by a public body for another purpose, officials must consider whether the proposed use falls within the purposes for which the personal information was originally collected, and whether those purposes have been communicated to the individuals concerned, before developing legislation that permits a new use or disclosure of that information.

Any policy development that affects personal information should include a Privacy Impact Assessment[1] at an early stage to assess the extent of the impact on privacy and how that impact can be managed in the policy development process.

If the proposed handling of personal information is not authorised by the Privacy Act 2020 or other legislation (and authorisation under an approved information sharing agreement under that Act would be insufficient or inappropriate),[2] new legislation may be required. In designing legislation, officials must know what they want to do and what personal information is required to do it. Legislation relating to personal information needs to clearly set out the particulars of the information to be collected, the purpose or purposes for which the information may be used, and to whom the information may be disclosed and why.

While this chapter focuses on how public sector agencies handle personal information, the Privacy Act 2020 and codes of practice also apply to private sector agencies. This chapter will therefore be relevant to legislation that affects or authorises the handling of personal information by private sector agencies.

 

[1] Privacy Commissioner Privacy Impact Assessment Toolkit (2015).

[2] A more detailed discussion of approved information sharing agreements appears later in this chapter at 8.3.

Part 1

Is the legislation consistent with the requirements of the Privacy Act 2020 and that Act’s 13 information privacy principles?

Legislation should be consistent with the requirements of the Privacy Act 2020, in particular the information privacy principles.

The 13 information privacy principles are the cornerstone of the Privacy Act (and can be found in section 22). They address how agencies may collect, store, use, and disclose personal information. They also allow a person to request access to and correction of their personal information. Many of the information privacy principles have in-built exceptions, and Part 6 of the Privacy Act has further exemptions.

The policy objective will sometimes justify an inconsistency with the privacy principles. Section 24 of the Privacy Act provides that nothing in information privacy principle 6 (access to personal information), 11 (limits on disclosure), or 12 (disclosure of personal information outside of New Zealand) limits or affects:

  • a provision contained in New Zealand legislation that authorises or requires personal information to be made available; or
  • a provision contained in any other New Zealand Act that imposes a prohibition or restrictions in relation to the availability of personal information or regulates the manner in which personal information may be obtained or made available.

For information privacy principles 6, 11 and 12 there is then no need for legislation overriding the Act to contain an express override provision. However, any override of the Act requires careful consideration and the reasons should be clearly identified in relevant decision-making documents.

Where legislation does override the Act, the policy should be developed so as to minimise the inconsistency. If there is any ambiguity regarding an inconsistency with the Privacy Act, the courts may prefer an interpretation of the legislation that involves the least impact on the privacy interests of individuals.

The design of any legislative provision that overrides the privacy principles, in particular principles 10, 11 and 12 (relating to the use and disclosure of personal information), should reflect as necessary the principles of specificity, proportionality, and transparency. Consultation with the Office of the Privacy Commissioner and the Ministry of Justice will help to identify the necessary design features.

The Cabinet Manual requires Ministers to draw attention to any aspects of a bill that have implications for, or may be affected by, the principles in the Privacy Act 2020, when submitting bids for bills for the legislative programme. Similarly, it requires Ministers to confirm compliance with those principles when subsequently submitting the bill to the Cabinet Legislation Committee for approval for introduction.[1]

 

[1] Cabinet Office Cabinet Manual 2017 at 7.65-7.66.

Part 2

Does the new legislation comply with any relevant code of practice issued by the Privacy Commissioner?

The design of new legislation must take account of any applicable code of practice.

The Privacy Commissioner issues codes of practice, which may modify or apply the information privacy principles to any specified information, agency, activity, industry, profession, or calling (or class of such thing). Codes of practice are disallowable instruments and are enforceable through the Privacy Commissioner’s investigation and complaints process and proceedings in the Human Rights Review Tribunal.

A list of the currently applicable codes of practice can be found on the Privacy Commissioner’s website.

Part 3

Does the legislation authorise personal information sharing?

New legislation should only provide authority for personal information sharing where the sharing cannot be undertaken using one of the existing mechanisms in the Privacy Act 2020 (for example, an approved information sharing agreement), or where using those mechanisms is not sufficient for the policy purpose.

Disclosing information about identifiable individuals between agencies for the purposes of delivering public services can be appropriate provided the privacy risks are managed well. However, information sharing to deliver public services must have clear legal authority. That authority may already be provided under the Privacy Act by the exceptions to the information privacy principles or by a code of practice.[1] For example, information may be disclosed for a purpose directly related to the purpose for which it was obtained or when disclosure is necessary to prevent or lessen a serious threat to public health or public safety. There may also be existing authority under Part 7 Subpart 2 (identity information), Part 7 Subpart 3 (law enforcement information), or Part 7 Subpart 4 (information matching) of the Privacy Act.

If there is no such authority, or the available authority is partial or uncertain, an approved information sharing agreement (AISA) under Part 7 Subpart 1 of the Privacy Act 2020 may provide the necessary authority without the need to resort to a new Act. AISAs are information sharing agreements approved by the Governor-General, by Order in Council on the recommendation of the relevant Minister. An AISA may grant an exemption to, or modify, one or more of the privacy principles or a code of practice (except in respect of principles 6 and 7 relating to access and correction rights). The Office of the Privacy Commissioner has published guidance for creating AISAs.[2] Departmental legal advisers, the Office of the Privacy Commissioner, and the Ministry of Justice should be consulted to ascertain whether there is already authority for information sharing or whether an AISA could provide that authority.

If there is no existing authority for proposed information sharing between agencies and an AISA would be insufficient or inappropriate, new legislation may be required. Generally, a new Act to authorise information sharing will only be required to overcome a statutory prohibition or restriction preventing it. In some cases, a new Act may be justified in other circumstances, for example where an Act would provide greater transparency than regulating the disclosure under 1 or more AISAs. However, this should be weighed against the risk that a specific legislative disclosure regime will forgo the flexibility inherent in the Privacy Act, the safeguards provided by that Act, and the benefit of case law developed around it.

 

[1] Privacy Act 2020, Part 3.

[2] Privacy Commissioner An A to Z of Approved Information Sharing Agreements (AISAs) (2015).

Part 4

Does the legislation require a complaints process?

New legislation should rely on the existing complaints process under the Privacy Act 2020 unless there is a good reason not to do so.

The Privacy Act 2020 provides a comprehensive system for dealing with complaints arising from alleged breaches of the information privacy principles. This includes a complaints investigation process by the Commissioner and proceedings before the Human Rights Review Tribunal.

If the legislation needs to deal with complaints arising from alleged breaches of the information privacy principles, it should ensure the Privacy Act complaints procedure applies (see section 66 of the Human Assisted Reproductive Technology Act 2004). Good reasons must exist to create any new complaints and review procedures.

Part 5

Have the Privacy Commissioner, the Ministry of Justice and the Government Chief Privacy Officer (GCPO) been consulted?

The Privacy Commissioner, the Ministry of Justice and, when appropriate, the GCPO should be consulted when developing new policies and legislation that may affect the privacy of individuals.

The Privacy Commissioner and Ministry of Justice should always be consulted where policy and legislative proposals potentially affect the privacy of individuals.[1] In addition, the following uses of information raise specific issues on which further advice should also be sought from legal advisers, the Privacy Commissioner, and the Ministry of Justice:

  • Public register: a database or register that contains personal information and that members of the public can search through.[2]
  • Personal information sharing: including either approved information sharing agreements (under Part 7 Subpart 1 of the Privacy Act) or information matching programmes (under Part 7 Subpart 4 of the Privacy Act).[3]
  • Transfer out of New Zealand: information privacy principle 12 sets out when an agency may disclose information to a foreign person or entity in relation to information privacy principle 11. Information sent outside New Zealand may no longer have the protection of the Privacy Act 2020 or other New Zealand laws or values. Also, the receiving jurisdiction may not have comparable safeguards to those found in New Zealand law. An appropriate level of additional safeguards should therefore be provided after consideration of the grounds in principle 12.

If the proposed legislation involves the management and governance of privacy in the provision of State services, the GCDO[4] should be consulted.[5]

Statistics New Zealand, which leads the government’s work on data and analytics, should be consulted on proposed approved information sharing agreements.

If legislation is to propose sharing court information, the Ministry of Justice should be consulted and consideration given to consulting the judicial branch (through the Ministry of Justice).[6]

 

[1] The Privacy Commissioner has a number of functions in respect of privacy, including examining proposed legislation that makes provision for the collection of personal information by any public sector agency or the disclosure of personal information by one public sector agency to another: Privacy Act 2020, section 17(1). The Ministry of Justice administers the Privacy Act 2020.

[2] Privacy Commissioner What’s a public register? (2013).

[3] Privacy Commissioner Approved Information Sharing Agreements (2015).

[4] The GCPO leads an all-of-Government approach to privacy, including setting standards, developing guidance, building capability within agencies, and providing assurance to Government.

[5] Note the Cabinet Manual departmental consultation expectation: Cabinet Office Cabinet Manual 2017 at 5.19-5.20; Cabinet Office CabGuide Cabinet paper consultation with departments.

[6] “Court information” means information held by the Ministry of Justice on behalf of the Court, as described in Schedule 2 of the Senior Courts Act 2016 and in Schedule 1 of the District Court Act 2016.
