Why a Guideline on Purpose Matters?
Clarity of purpose is vital to determining whether, in a given context, an agency needs to collect personal information and, if so, how much. It is also vital to determining whether the uses to which an agency may put information that has been collected are lawful and appropriate, and it can determine whether a proposed sharing of someone's personal information with another agency is lawful and appropriate.
Both prior to and during SWA's engagement on the Policy, NGOs, service users and the Office of the Privacy Commissioner (OPC) expressed concerns that are directly related to 'purpose'. Those concerns included:
- whether agencies are sufficiently clear about their purposes for collecting personal information, and in how they inform service users of those purposes
- whether, as a result of insufficient clarity of purpose, agencies are collecting more information than they need and therefore acting unlawfully and inappropriately in doing so
- whether, as a result of insufficient clarity of purpose, agencies that collect personal information from other agencies who collect it directly from service users, are unable to tell those other agencies what they need to know (this can put those other agencies in a difficult position as they may not know whether to provide the information to the agencies requesting it and what to tell their service users)
- whether insufficient thought is given to the appropriateness of collecting, using or sharing certain kinds of personal information, even where the law allows it.
This Guideline is one of the most important Guidelines in the Policy. This is because not understanding the centrality of 'purpose' and not approaching questions of purpose with sufficient precision can result in an approach to information collection that is not legally or ethically sound. The consequences of that may be:
- legal problems with otherwise sound policy or service initiatives
- failure to deliver intended wellbeing outcomes for people
- a loss of trust and confidence on the part of the people that agencies serve.
This Guideline recognises a range of factors.
- Service providers, including government agencies, NGOs, and other providers, view the transparent, respectful and trusted use of people’s personal information as a joint responsibility for collective benefit. A lack of understanding or clarity about the purposes of collection, use or sharing can undermine that responsibility.
- NGOs frequently voice ‘why this information?’ as the topic of greatest importance to them.
- Service users understand and support the need to collect and share information about them to benefit themselves and others in similar situations, but want to know ‘why’.
Understanding purpose and getting it right can help an agency earn people's trust and confidence and is vital to ensuring that what it's doing is both lawful and ethically justifiable.
Intent of this Guideline
This Guideline helps agencies who are considering the collection and use of people's personal information.
The first part of this Guideline explains important aspects of the law (particularly the Privacy Act) that are relevant to:
- purpose and collection of personal information;
- purpose and use of personal information; and
- purpose and sharing of personal information.
The Guideline then describes an approach to defining and assessing proposed purposes. The approach focuses on:
- being clear about the outcome(s) to be achieved;
- being clear about the method that will be used to achieve the outcome(s); and
- considering the context in which the information is being collected and used.
It also provides a range of checks and balances that can be worked through to help determine whether a proposed collection or use is lawful and appropriate, whether there's a need to obtain input from others, and when to seek such input.
The key concepts in this Guideline
Key concepts in this Guideline are that:
- social sector agencies must be clear about the purposes for which they collect personal information, whether that be directly from service users or from other agencies and organisations, and regardless of whether they are doing so under the general law or a specific statutory provision that authorises or requires the collection
- they can only collect personal information for lawful purposes connected with their functions or activities
- they can only collect personal information to the extent reasonably necessary for those lawful purposes, or as otherwise permitted by specific statutory provisions
- they should, when considering what’s reasonably necessary, look at the intended outcomes together with the methods of processing and the context of use
- in some cases, the context may suggest that, even where a purpose of collection is lawful and it’s reasonably necessary to collect personal information for that purpose, proceeding with the collection may be ethically questionable or otherwise undesirable
- social sector agencies can only use the personal information collected for the purposes for which it was collected, unless the law permits it to be used or disclosed for other purposes.
When to use the Purpose Matters Guideline
When collecting or using information that is or was about people
This Guideline should be used when a social sector agency is deciding whether to collect or use information, that is or was about people who use social services, for specific reasons.
From a privacy perspective, questions of 'purpose' most frequently arise in relation to the use of personal information. However, questions of purpose can also arise when personal information has been de-identified or anonymised. Full de-identification may result in a range of legal controls falling away (because, for example, the Privacy Act regulates what is done with personal information, not non-personal information), but ethical and other issues can still arise.
For these reasons, this Guideline is relevant to the collection and use of:
- personal information; and
- non-personal information that, prior to de-identification, was personal information.
- Personal information, in the form of information about identifiable individuals, may be removed from a dataset collected for one purpose but, if the dataset contains information that is culturally sensitive or otherwise specific to Māori, using it even in de-identified form for another purpose without involving Māori may not be appropriate.
- Personal information may be removed from the description of a serious offence against a child or another vulnerable member of society, resulting in there being no reasonable prospect of the child or other vulnerable person being identified, but that doesn't necessarily mean it's ethically appropriate to use the information for any other purpose, particularly if any form of publication is involved.
Purpose Matters' relationship with the other Guidelines
Elements of this Guideline inform the three other Guidelines, as follows:
Is about helping people understand why their information is needed and what their rights are. The purpose of collection is a key aspect of what collecting agencies need to tell people when collecting their personal information.
Is about helping people understand their rights of access, having control over their information where possible, and making it easy for them to exercise their rights. Understanding the purposes of collection, in the context of the intended outcomes and methods of processing, can influence how people are given access to their information and how they can request that inaccuracies be corrected.
Is about working together to develop valuable insights from information collected from or about service users and sharing the value of those insights with others. The involvement of others in the design and implementation of intended collection and use processes may influence how the purposes of collection are formulated and communicated to people and how much information needs to be collected.
Using the Policy Principles with the Purpose Matters Guideline
Because this Guideline flows in part from the Policy Principles, it's useful to read it with those Principles in mind. They can help to identify considerations relevant to understanding and framing purposes for collecting and using information about people, even where these considerations may exceed minimum legal requirements.
Are purposes of collection and use clearly focused on positive outcomes (whether for individuals, groups or wider society) and is the information to be collected or used necessary to achieve those outcomes?
Is the collection or use of people's information for particular purposes sufficiently respectful of them or the cultures, communities or groups to which they belong? Does it support or detract from their wellbeing?
To what extent, given the purposes of collecting personal information, can an agency allow people to opt out of providing their information?
How, as kaitiaki or stewards of people's information, can the purposes of collecting or using that information be framed in a manner that is easy to explain to people and that fosters their understanding and trust in what is being done with their information?
To what extent can involving others help to formulate and double-check the appropriateness of proposed collections and uses of people's information?