Data Protection and Use Policy

Supporting the respectful, trusted and transparent use of people's data and information

Where the Policy goes beyond the Privacy Act 1993

This page summarises the good practice advice within the Policy that is additional to what the Privacy Act requires. The points of summary are grouped to reflect where they appear within the Policy's four Guidelines.

Purpose Matters Guideline

There is a focus in this Guideline on ensuring a clear line of sight to real social value (to individuals, groups or wider society) when defining the purposes for collecting people's information.

The Guideline states that, if you're collecting personal information from another agency, you need to inform the other agency, in clear terms, of your purpose of collection and whether you propose to share the information with anyone else. You need to tell them whether their provision of the information to your agency is voluntary or mandatory and, if mandatory, under what particular statutory provision.

The Guideline's suggested approach to assessing purpose and collecting only what's needed (which comprises being clear about the outcomes, the methods used to achieve the outcomes, and consideration of relevant context), encourages agencies to consider certain factors that do not feature in the Privacy Act's text. An example is considering whether different analytical techniques or processes can be used, with a view to collecting less personal information rather than more. Another example is asking whether, to achieve an outcome, it's necessary to collect personal information from every service user all of the time, regardless of their differences, or whether it may be feasible to allow some people to opt out.

The Guideline suggests a series of check and balances that agencies may find helpful when assessing the purpose, necessity and appropriateness of collecting people's information. Those checks and balances include seeking, where relevant, the views of various people, whether from within one's agency or from external sources (e.g., review groups, Māori groups, external reference groups, service users, OPC). The practice being described aims to ensure that, where appropriate, people and communities impacted by the proposed collection / use have their ideas and voices included within the process of defining the purposes of collection.

The Guideline includes consideration of ethical issues that may arise from the collection of people's information for particular purposes. For example, the suggested approach to assessing purpose, mentioned item 3 above, includes asking about the potential for adverse consequences (despite the lawfulness of collection), asking about how linking people's personal information with other data could be perceived, and asking about the potential impact that collection from other agencies could have on the trust relationships between those other agencies and their immediate service users. The checks and balances include, as some of the available forms of checks, applying a framework (if one is available to one's agency) like the Ministry of Social Development's Privacy, Human Rights and Ethics framework (PHRaE), or seeking advice from an appropriate review group or panel if ethical questions arise, for example, the Data Ethics Advisory Group

Transparency and Choice Guideline

In addition to emphasising the requirements of the Privacy Act's information privacy principle 3 (IPP3), this Guideline states it can also be good practice to explain to people:

  • how their information will be protected
  • how the information will be used to help them or people in similar situations to them
  • if matching or linking is occurring, the fact that it is, why, and what it could mean for them, and
  • if relevant, how particular information may be used in a form that doesn't identify them.

This Guideline notes that reliance on the IPP3 grounds for not being transparent with people is the exception rather than the norm and that the default is to provide people with the information required by IPP3. That reflects the legal position but note that the Purpose Matters Guideline feeds into this statement, to emphasise that reliance on a particular IPP3 exception may not be appropriate. It makes the important point that there is "nothing sufficiently unique about the collection of personal information for statistical or research purposes to justify not telling people [when this is occurring] that their personal information will be linked with other datasets to yield insights, even where a social sector agency can rely on the IPP3 exception".

The Guideline suggests that telling people about "the intended recipients of the information" (the IPP3 requirement) should include not only the other agencies with whom the information may be shared, but also the kinds of recipients within one's own agency (the Privacy Act is not clear on this distinction).

Picking up a theme from the Purpose Matters Guideline, this Guideline states that people involved in designing or communicating information collections need to help ensure that people all the way along the chain, including those dealing directly with service users, have a good understanding of the 'what and why' of collection. This fosters consistent understanding and legal compliance. In addition, those involved with collecting personal information from service users and, where relevant, those being asked to share it with other agencies, need to feel able to ask 'why', safely and confidently, and without fear of negative consequences.

The Guideline emphasises the importance of matching the approach to transparency of collection to the context people find themselves in. It encourages agencies to consider a range of methods, to respect cultural and language considerations, to provide multiple opportunities for people to understand if that's what people need, and to be as specific as they can.

The Guideline suggests that, when service users are told about what their information will be used for and who will see it, it may also be desirable to tell them what it won't be used for and who won't see it. This point is made in the Purpose Matters Guideline as well.

The Guideline emphasies the importance of people being able to obtain a good understanding of what’s being done with their personal information in a safe and responsive environment. That includes considering "how to ensure people feel safe to list and ask questions, and what kind of information will work best for them".

Access to Information Guideline

This Guideline has a strong focus on helping people to understand their access and correction rights. It recommends that service users should, from time to time, be proactively reminded about these rights, especially when that information was collected at a time when the service user was in crisis. The Guideline suggests practical and proactive ways to help.

The Guideline advises agencies to record information about people clearly, accurately and professionally, both as a matter of respect and because people are able to request access to and view what has been written about them. (Agencies cannot legally say no to a person's request for personal information merely because the information was poorly written or expressed with insufficient care.)

The Guideline stresses the importance of making it easy for people to access their personal information and to request corrections to it, and suggests a variety of means by which this can be done.

The Guideline explains how NGOs can act on behalf of their service users to obtain access to their personal information from government agencies. Examples might include: confirming details of benefits and entitlements; information about health or wellbeing; or information about a person's overall situation that they may prefer not to re-tell, given that doing so repeatedly can have negative impacts on a person's wellbeing.

The Guideline provides guidance on helping service users access and use digital channels to access their information. For example, helping them get set up on portals such as MyMSD and ManageMyHealth.

The Sharing Value Guideline addresses a range of subject-matter that is not dealt with by the Privacy Act at all. It deals with the stewardship roles that custodians of data have and how the data and insights they hold may be of use or interest to other groups, such as iwi, communities, service providers and others. It focuses on enabling appropriate organisations, with legitimate interest, to access non-personal forms of data, information, knowledge and insight, which have been derived from people's personal information.

The Guideline is about helping other organisations to use data / insights that may be useful to them, i.e., growing capability, so that the value of data is more accessible by more organisations.

The Guideline emphasises that, if an organisation or group collects information and provides it to an agency, the value of that information should at some point be returned to them. What this means will depend upon the purpose for which it was gathered. For example, if it's collected to develop insights about homelessness, financial hardship, stable employment challenges or the like, then those insights should be made available to the organisations that enabled the insights.

The Guideline recommends that, when new proposals to develop insights (analysis, research, studies, etc.) are being developed, collaboration with providers/communities/service users should occur to identify what the most useful information or method could be to support the development of those insights. Agencies are encouraged to identify organisations with a legitimate interest and/or experiences in relation to the areas being studied/analysed who can contribute to the work as it is carried out. Qualitative, narrative or interpretative information should also be sought to help provide context in relation to quantitative information. The Guideline recommends that the resulting insights are then shared with legitimately interested organisations who can apply them in their work.