Frequently Asked Questions (FAQ) about the Policy are answered below.
Data Protection and Use Policy
Why do we need this Policy?
Information collection and use play an important role in ensuring the most effective services are provided to the people who need them. At the same time, people who use services need confidence that the right processes are in place to ensure their personal information is being collected and used appropriately.
The Policy will make it easier for agencies and organisations to:
- be clear about the vital importance of purpose to collecting and using people's personal information
- enable people to understand what’s happening with their information and what choices they have
- make it easy for people to see and request correction of their information
- work together for better insights and outcomes.
It is essential that the Policy is delivered in a way that builds trust.
There seems to be some overlap between the Principles and Guidelines. Which type of Policy element (i.e. Principle or Guideline) should I choose when I need information in a hurry?
The overlap is intentional. The Principles are about articulating values and behaviours, and we anticipate these will become part of the culture of 'how your agency works', if they aren't already. The Guidelines bring the Principles to life by explaining key practices (those identified as the most important ones during engagement) that reflect the intent of the Principles. In time, more clarity will be provided as a Toolkit is developed to support the Policy. The Toolkit will provide specific examples to help agencies apply each Guideline.
How does the Policy relate to Māori protocols such as kawa, tikanga, rahui, mana, and tapu?
The Principles have been developed to respect and acknowledge cultural considerations and have been tested with a range of Māori stakeholders. There is a significant focus in this area led by Stats NZ in partnership with Māori, to understand this topic in greater detail and develop approaches that support good collaboration over Māori interests in data.
How does the Policy address the ‘life cycle’ of consent? How often do providers need to check back with people to get consent again for a new use of information?
The Policy reinforces existing obligations to ensure that people understand what their information is being used for at appropriate times, and to help them understand and act on their rights to access their information, request its correction (which may include deletion), or to change it themselves when appropriate. The Access to Information Guideline goes into this topic in greater detail.
How does the Policy make it easier to navigate the wide range of laws, guidelines and codes of practice that inform how and when personal information is collected, used and shared within the social sector?
Each Guideline makes it clear what the minimum legislative requirement is in the context of each Guideline topic, and the Policy provides links to further detail where relevant. Commonly applied codes of practice are also referenced. Where the Guidelines recommend good practices that are more than what the law requires, this is made clear.
Will funding and contracting models be changed?
We think this is likely. For example in the Sharing Value Guideline the Policy identifies contracting and funding processes as one place where the guidance will very likely change and evolve practices to be more inclusive. Other areas of the Policy, for example the Purpose Matters Guideline, also have implications for ensuring that contracting processes, by ensuring that information collection makes sense in the context of the services being considered.
Adopting the Policy
Is it compulsory to adopt the Policy?
Agencies and organisations are encouraged to adopt the Policy in a way that makes sense in their context and work towards maturing understanding and capability. For the most part, the Principles and Guidelines clarify what agencies and organisations should already be looking to achieve, including aspects of the Privacy Act. They also include ethical and human-centred considerations that the wider sector has described in terms of respectful and transparent use of people’s information. Some of these considerations are not required by law and it’s made very clear when this is the case.
My organisation is not in the social sector – can I still adopt the Policy?
Yes. While the Policy has been designed by the social sector for the social sector, the Principles are generally applicable to other contexts. The Guidelines were developed for the social sector environment but we would invite you to adapt these in a way that makes sense to your context.
How does the Policy address, and deliver on safe data storage?
The Kaitiakitanga Principle describes the value and behaviours needed to care for people's data but it was decided that specific guidance on safe data storage belongs more sensibly in the Toolkit rather than as a stand-alone guideline. We have received a number of offers from expert organisations to assist with developing Toolkit items to help agencies understand how to keep information safe from a technology perspective. It'll be one of the early things we focus on developing.
How long until the Toolkit elements are developed?
The initial implementation phase will include development of a foundational Toolkit. Early adopter agencies and social sector participants will work collaboratively to identify, develop and share examples and experiences on how best to implement the Policy in a range of different contexts.
How can I get further guidance and support to adopt the Policy?
Further guidance and resources on how to practically implement the Policy are available in the Adoption Toolkit — these will be added to over time.
We are interested in understanding how agencies and organisations are adopting the Policy, and the Social Wellbeing Agency has a role in supporting the foundational implementation group. Please email us using the Contact Us page to see if we can provide the assistance you need or connect you to others who are adopting the Policy. You can also signup to our newsletter to stay up-to-date with the Policy's adoption progress.
Working with government
How does the Policy work to achieve more transparency from government about the purpose of seeking data from service providers?
The Purpose Matters Guideline and to a lesser degree the Transparency and Choice Guideline address this topic. Social Wellbeing Agency has taken time to explore this subject with social sector agencies so that the intent and implications are understood. The outcomes of those discussions have been included within both the Principles and the Guidelines.
The Policy describes an expectation that we should all be able to understand and clearly and simply explain what people’s information will be used for. How can the Policy help address this?
As an NGO I want to know about the insights gained from the information that I am obligated to supply to government — how does the Policy ensure that our organisation will get these insights?
The expectation is the same for all organisations across the social sector, whether an NGO or government agency — the Sharing Value Guideline focuses on this topic. This Guideline sets out new expectations to share the value (and insights) of information with those who initially provide it, or to others who may have a legitimate interest in it. Funders and contractors may need to find new ways to work together collaboratively. It will take some time for capability and capacity to be built across the sector.
How does the Policy address the power imbalance between service users and providers, as identified during the engagement phase?
The Policy Guidelines have been carefully developed with insights from the engagement findings to strike the right balance between both parties. This starts with the Mahitahitanga Principle and is also woven through the Guidelines in various ways.