Be clear about purpose and collection
About this page
This page explains how 'purpose' helps agencies understand what's appropriate when considering the collection of people's personal information. Other sections of the Guideline look at the role of 'purpose' in relation to use, and in relation to sharing people's information with others.
Purpose and Collection is explained in the following sections:
- Clarity of purpose required regardless of the particular legal basis for collection
- Clarity of purpose required regardless of whether collecting from individuals or from other agencies
- If you're collecting information from other agencies, they need to understand your purpose of collection
- If identifying information isn't required, don't ask for it
Social sector agencies must be clear about the purpose for which they collect personal information. Agencies must be clear about this, before collecting the information, because:
- where the Privacy Act's information privacy principle 1 (IPP1) (Purpose of collection of personal information) applies, they should not be collecting personal information unless the collection is for a lawful purpose connected with their functions or activities and, importantly, the collection is reasonably necessary for that purpose; and
- where they are collecting personal information under a specific statutory power that authorises or requires the collection, they need to be clear on the purpose of collection to ensure the statutory power covers the information they propose to collect and the reason for collecting it.
Purpose will always be relevant. Assessing and articulating it properly is vital to both legal compliance and guarding against indiscriminate or excessive collection of people's information.
Clarity of purpose required regardless of whether collecting from individuals or from other agencies and organisations
Clarity of purpose is vital regardless of whether information is to be collected directly from service users or from other agencies and organisations. The reasons for that go beyond ensuring that a collection is lawful under either IPP1 or a specific statutory collection power:
- Where information is to be collected from individuals, clarity of purpose is vital to helping people understand why their information is being collected, as is usually required by the Privacy Act's IPP3 (Collection of information from subject). As the OPC has observed, "it is fundamental to people's right to privacy that, when providing information about themselves, individuals know why the information is being collected and what it is going to be used for". This topic is discussed further in the Transparency and Choice Guideline.
- Sometimes, providing people with details about the collection of their information, who will receive it, the reasons for doing so and other matters listed in IPP3, could undermine the reason for collection and justify not telling them. However, the relevant exception in IPP3 that would justify not telling them applies where telling them would "prejudice the purposes of the collection". If the purpose(s) of collection haven't been clearly articulated, it will be difficult to rely on this exception. Without clarity of purpose, it may also be difficult to rely on other exceptions in IPP3.
- Except where an agency is authorised or required by a specific statutory provision to collect personal information from another agency, the information needs to be collected from the relevant individuals unless an exception in the Privacy Act's IPP2 (Source of personal information) applies. One of those exceptions is that collection directly from the individuals concerned would "prejudice the purposes of the collection". Again, if the purpose(s) of collection haven't been clearly articulated, it will be difficult to rely on this exception. And again, without clarity of purpose, it may also be difficult to rely on other exceptions in IPP2.
If you're collecting personal information from other agencies, they need to understand your purpose of collection
For illustrative purposes, this section uses an example of a government agency (Government Agency) collecting personal information from a non-governmental organisation (NGO) that collects it directly from service users. However, the guidance applies generally to any agency collecting information from another.
If Government Agency is collecting personal information from NGO, it’s important that:
- Government Agency has a clearly articulated and lawful purpose of collecting the information from NGO; and
- Government Agency fully informs NGO of Government Agency's purpose of collection in a manner that is easy for NGO to understand and explain to its service users.
Government Agency needs to tell NGO about Government Agency's purpose, so NGO can include that purpose in NGO's statement of purposes to service users.
Government Agency should also tell NGO whether NGO’s provision of the information to Government Agency for the specified purpose(s) is mandatory (and, if so, under what particular statutory provision) or voluntary.
The Privacy Act does not specify all of these requirements (in terms of what Government Agency needs to tell NGO) but they are often vital. If NGO doesn’t fully understand these matters, NGO:
- could struggle to assess whether it is lawful to provide the information to Government Agency, whether it must or only may provide the information to Government Agency, and – where provision is voluntary – whether it should provide the information to Government Agency; and
- might not be able to meet its own transparency obligations to service users under the Privacy Act’s IPP3 (Collection of information from subject).
NGO should not have to ask Government Agency for this information. If, for whatever reason, Government Agency does not provide it, or NGO wishes to ask further questions, it's important for Government Agency to provide the information that NGO reasonably requests, without NGO fearing the consequences of asking or being told it doesn’t need to know.
The Privacy Act’s IPP1 says, in essence, don’t collect personal information unless it’s reasonably necessary for a lawful purpose connected with the agency’s functions or activities. When IPP1 applies, if a collecting agency can achieve its purpose without collecting identifying information (personal identifiers such as name and residential address), then it shouldn’t do so. The Privacy Act 2020 makes this clear with its new IPP1(2): “If the lawful purpose for which personal information about an individual is collected does not require the collection of an individual’s identifying information, the agency may not require the individual’s identifying information.”
Be clear about the purpose and use
About this page
This page explains how 'purpose' helps agencies understand what’s appropriate when looking at potential uses of people’s personal information. Other sections of the guideline look at the role of 'purpose' in relation to collection, and in relation to sharing people’s information with others.
Purpose and Use is explained in the following sections:
- Personal information only to be used for purpose of collection unless other uses permitted by law
- Clarity of original purpose also relevant to reliance on 'directly related purpose' exception under IPP10
- Clarity of other purposes also important
- Purpose still relevant when an alternative use appears to be authorised by a specific statutory provision
Ordinarily, personal information should only be used for the purpose for which it was collected, unless another proposed use is permitted by:
- the exceptions in the Privacy Act's IPP10 (Limits on use of personal information); or
- a specific statutory provision.
As the Office of the Privacy Commissioner observes, the “effect of [IPP10] is to ensure agencies are accountable for their actions when collecting information by prohibiting them from ‘repurposing’ information”.
This makes it important for collecting agencies to fully understand and carefully explain their purposes of collection at the outset. They need to ensure that their genuine proposed uses are covered, while always bearing in mind that they should not be collecting personal information if:
- it is not reasonably necessary for lawful purposes connected with their functions or activities; or
- where the collection is under a specific statutory collection provision, the collection exceeds the bounds of the provision.
It is generally acceptable for an agency to have and communicate more than one purpose for collecting personal information, if at the time of collection the collecting agency genuinely proposes to use the information for more than one purpose. All stated purposes must be lawful purposes connected with the agency's functions or activities.
However, it is not acceptable to include vague 'catch-all' purposes in an attempt to capture remotely possible future uses, even if not reasonably contemplated at the time of collection. If an agency doesn't genuinely contemplate using personal information for some distant or uncertain reason, but is only adding it to its purpose statement to 'hedge its bets', then it's difficult to say that the distant and uncertain reason is actually a genuine purpose of collection, regardless of whether an agency asserts that to be so. 'Purpose creep' like this needs to be avoided. Not only does it run the risk of the agency acting unlawfully, but collecting people’s information and then doing nothing of value with it can erode people’s trust and confidence in the collecting agency.
Clarity of original purpose also relevant to reliance on 'directly related purpose' exception under IPP10
Under IPP10, personal information can only be used for another purpose if an agency believes on reasonable grounds that one of the IPP10 exceptions applies. One of the exceptions is that the purpose of using the information is directly related to the purpose for which the information was obtained. If an agency has not clearly defined the original purpose of collection, relying on this 'directly related purpose' exception could be difficult.
Where an agency wishes to use personal information for a purpose other than the original purpose(s) of collection, it remains important for the agency to be clear about and document the nature and scope of that other purpose. There are two reasons for this:
- to ensure that the other purpose is lawful, by checking it against either the Privacy Act's IPP10 or, if a specific statutory provision authorises other uses, against that provision; and
- to have a record of the purposes for which personal information is being used and why each kind of use is permissible.
If the documented ‘other purpose’ is not lawful under either the Privacy Act’s IPP10 or a specific statutory provision, then the personal information should not be used for that other purpose.
Purpose still relevant when an alternative use appears to be authorised by a specific statutory provision
There are various contexts in the social sector in which specific statutory provisions authorise the use of personal information for purposes different to the original purpose of collection.
Even in contexts like this, though, the purpose of a proposed alternative use needs to be clear before the specific statutory provision is relied on, to ensure the use is covered by the provision. If an agency doesn’t answer this question properly, and it turns out that the use wasn’t covered by the provision and that the alternative use would not have been permitted under IPP10, then the agency’s use of the information for the alternative purpose may (depending on the circumstances) amount to an "interference with privacy" under the Privacy Act.
Be clear about purpose and sharing
About this page
This page explains how ‘purpose’ helps agencies understand what’s appropriate if they are thinking about sharing people’s personal information with others. Other sections of the guideline look at the role of ‘purpose’ in relation to collection, and in relation to use of people’s information.
Purpose and Sharing is explained in the following sections:
Clarity of purpose at the point of collecting personal information can also be relevant to whether an agency is able to share that information with others. This is because, under the Privacy Act’s IPP11 (Limits on disclosure of personal information), an agency must not disclose the personal information unless the agency believes, on reasonable grounds, that one of the listed exceptions applies.
The first exception is that the disclosure is one of the purposes for which the information was obtained or is directly related to those purposes. To determine whether this exception applies, the agency must know what the original purposes of obtaining the information were.
If one of the purposes of collecting personal information is to share it with another agency for a particular reason, as often occurs in the social sector, the collecting agency needs to be clear about that upfront. If collecting the information directly from service users, usually the agency needs to explain this to them under IPP3 (Collection of information from subject) with a reasonable degree of specificity. This means explaining who the agency is and why the information is being shared with that agency.
If collecting the information from another agency or organisation, the agency should be clear with them about this too, again with a reasonable degree of specificity. This may influence whether that agency or organisation is willing to disclose the information and whether it may seek to impose controls on further distribution of the information (for example, under a memorandum of understanding or contract).
IPP11 (Limits on disclosure of personal information) can be overridden by specific statutory provisions that either authorise or require the disclosure of personal information to other agencies. There are many instances of this in the social sector. However, purpose remains relevant in this context as well. Usually such specific statutory provisions specify the purposes for which particular personal information can be shared. This means the agency needs to be clear about the purpose of disclosure before relying on a specific statutory disclosure provision, to ensure the proposed disclosure is covered by the provision.
If an agency doesn’t answer this question properly, and it turns out that the disclosure wasn’t covered by the provision, and that the disclosure would not have been permitted under IPP11 either, then the agency’s disclosure of the information may amount to an interference with privacy.
Take this approach to assessing purpose and only collecting what's needed
About this page
This section describes an approach to assess purpose, and to ensure that personal information is only collected when it’s needed.
When assessing the purpose of collecting personal information and the kinds of information to be collected, agencies should:
Having clarity in these areas can help an agency to:
- formulate the purpose of collection
- assess whether that purpose is connected with the agency's functions or activities
- assess what particular personal information is needed to achieve the outcome
- determine whether the collection is ethically justifiable and aligns to respectful practice (even if it will tick all legal boxes).
Well-defined and recorded outcomes are important
To have clarity of purpose it is necessary to understand why data or information is being collected, that is, the outcome or result of using it. This should be well-defined and easy for a range of people, including service users, to understand. It should be written down. The act of recording it:
- contributes to clarity of thought
- contributes to the information that needs to be communicated to service users (either directly, if the collecting agency is collecting the information directly from service users, or through another agency that is collecting the information from service users), and
- provides the basis for the collecting agency to determine whether proposed uses or disclosures of the information in the future are for a purpose for which it was collected or a directly related purpose.
Without such clarity, an agency may not be able to determine whether it's necessary to collect the information the agency proposes to collect. In that event, the agency's collection may breach the Privacy Act's IPP1 or, where relevant, not fall within a specific statutory collection power the agency seeks to rely on.
Who do the outcomes serve?
When considering the outcome(s), it can be helpful to reflect upon whom the outcome(s) serve. That is, do the individuals from whom the information is collected benefit, or do other people or does wider society benefit? If the benefit is to other people or wider society, what will the people providing the information think about that? The Privacy Act or a specific statutory provision may allow it, but is using their information to benefit others ethically justifiable?
Avoid broad and ambiguous statements
Broad and ambiguous statements of purpose or outcomes need to be avoided. For example, if information is being collected for the purpose of analysis relevant to policy development or service delivery, either by itself or in conjunction with other data, it may be necessary to consider and articulate the potential uses of the results of that analysis. If the results will be used to provide more targeted services and better outcomes for people, then say that, with an appropriate degree of precision. If the results could lead to the taking of adverse action against people, say that too.
Consider telling people what their information will not be used for
IPP3 is concerned with telling people about the purposes for which their information will be used. That makes sense, especially when other uses are not permitted unless either an exception in IPP10 (Limits on use of personal information) applies or a separate statutory provision authorises another use. However, one cannot expect service users to understand this legal position.
It can sometimes be helpful, therefore, to explain to people that, while their information will be used for purposes A and B, it will not be used for purposes X or Y.
For example, if your agency is collecting particularly sensitive information about people to provide them with immediate care, and there's no intention to allow any identifying information to be seen by researchers or other agencies, you could say that. Similarly, if the information you're collecting includes unique identifiers like a driver's licence number, IRD number or passport number, you might want to tell people that their number won't be used to match information you have about them with information another agency has about them. The desirability or otherwise of making statements like this will depend on the context.
This consideration can be particularly important where people may fear that their information will be used in a manner that could prejudice them. Taking this approach can help increase people’s levels of comfort with what’s happening with their information.
Be careful with evolving statements of purpose
When a policy, service or programme is in an evolving state, an agency's articulation of the purpose of a proposed collection may change or be refined before the information is collected. Where that is the case, the agency should be clear about which statement of purpose is the final one and, if the final statement is intended to replace earlier explanations, that should be stated.
Having different explanations of the purpose of collection across different policy, service or programme documents can lead to confusion as to what the actual purpose of collection is or was. This could result in errors when explaining to people why the information is being collected and how it will be used. It could also result in a loss of trust on the part of service users. If there is cause for the purposes of collection to be investigated, different purpose statements over time could result in uncertainty and adverse findings.
Why the method is important
As well as having a clear understanding of the outcome, it’s important to consider the method for achieving the outcome; both the end and the means are important. Knowing how the information will be processed to achieve the outcome can be relevant to determining whether the information being collected can or will contribute to the outcome and, therefore, whether all of it is required to achieve the outcome.
An application form for a service might collect personal information comprising a person's name, date of birth, annual income, address, gender and ethnicity. However, a tool to process such applications, and designed to match the eligibility criteria for the service, may only need name, date of birth, address and annual income. The agency may have no plans to use the information relating to gender and ethnicity. In that kind of situation, collecting information on gender and ethnicity would be unnecessary and, in all likelihood, unlawful.
Consider whether there are different analytical techniques or processes
In some situations there may be different analytical techniques or processes for achieving an outcome and, to achieve the outcome, the different techniques or processes may require more or less personal information, or even no personal information at all (because, for example, it can be de-identified before collection). If one technique requiring less personal information can easily be deployed over another that requires more personal information, respectful practice means choosing the former technique to minimise the amount of personal information collected.
If a collecting agency needs to know people are over 20 years of age, it might use a tool that asks for a person's date of birth or age but then determines from that whether the person is over 20 and only stores a "Yes over 20" response, instead of the date of birth or current age.
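The application-form example and the over-20 example above can both be enforced at the point of intake. The following is an added sketch, not part of the Guideline: the field names, the sample form and the reading of "over 20" as "has had their 20th birthday" are assumptions made for illustration.

```python
from datetime import date

# Assumption: the fields the eligibility tool actually uses, taken from the
# application-form example (gender and ethnicity are not among them).
ELIGIBILITY_FIELDS = ("name", "date_of_birth", "address", "annual_income")


def reached_age(date_of_birth, years, today):
    """Return True if the person's `years`-th birthday falls on or before `today`."""
    try:
        birthday = date_of_birth.replace(year=date_of_birth.year + years)
    except ValueError:
        # Born on 29 February and the target year is not a leap year.
        # Assumption: the birthday is then treated as 1 March.
        birthday = date(date_of_birth.year + years, 3, 1)
    return birthday <= today


def over_20_rule(form, today):
    # Assumption: "over 20" means the 20th birthday has passed.
    return reached_age(form["date_of_birth"], 20, today)


def minimise(form, keep, derive=None, today=None):
    """Build the record to store from a submitted form.

    keep   -- fields the stated purpose needs; stored as submitted
    derive -- {output_field: rule(form, today)}; only the rule's result is
              stored, never the input it was computed from
    Returns (record, discarded), where `discarded` lists submitted fields
    that were not stored, so over-collection on the form is visible.
    """
    today = today or date.today()
    missing = [field for field in keep if field not in form]
    if missing:
        raise ValueError(f"required field(s) not supplied: {missing}")
    record = {field: form[field] for field in keep}
    for output_field, rule in (derive or {}).items():
        record[output_field] = rule(form, today)
    discarded = sorted(set(form) - set(keep))
    return record, discarded


# Constructed sample submission, not real data.
SAMPLE_FORM = {
    "name": "Example Person",
    "date_of_birth": date(2004, 2, 29),
    "annual_income": 42000,
    "address": "1 Example Street",
    "gender": "example",
    "ethnicity": "example",
}

if __name__ == "__main__":
    as_of = date(2024, 3, 1)
    # Eligibility processing: keep only what the tool uses.
    print(minimise(SAMPLE_FORM, ELIGIBILITY_FIELDS, today=as_of))
    # Age check: store the yes/no answer, not the date of birth.
    print(minimise(SAMPLE_FORM, ("name",), {"over_20": over_20_rule}, today=as_of))
```

A non-empty `discarded` list for every submission is a sign that the form itself asks for more than the purpose needs and should be trimmed.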
Collecting agencies that need help with this can reach out to others with relevant experience or expertise. Depending on the context, it might be helpful to seek advice from other agencies such as Stats NZ, frontline NGOs, service user representatives, the Office of the Privacy Commissioner, or the Government Chief Privacy Officer.
Ask whether, to achieve the outcome, it is reasonably necessary to collect personal information from every service user all of the time or whether allowing people to opt out is feasible
In some situations, an agency may propose to collect information from a wide group of people to achieve a stated purpose or outcome, despite the group having different subgroups or the group being comprised of people with different service needs, sensitivities or fears. At a macro level, it may be reasonable to conclude that it's reasonably necessary to collect personal information from members of the wide group of people to achieve the stated purpose.
However, it doesn't necessarily follow that the information needs to be collected from every member of the group, all the time, and regardless of individuals' different service needs, sensitivities or fears. Whether that is the case or not will depend on the context.
The key point is to consider whether the purpose can be achieved if only a proportion of people in the group provide the information requested. If the answer is yes, it may be helpful to assess whether allowing people to opt out of providing the information is feasible. If it is, the collecting agency can then consider whether anyone in the wide group should be given this ability or whether there are particular subgroups of people, e.g., vulnerable people needing services for particularly sensitive issues, that should be given the opportunity to opt out.
If opt out isn't feasible, another option might be to allow people, or particular subgroups, to provide their information anonymously. Or, if the collecting agency (Agency A) is collecting information from another agency or organisation (Agency B) that collects personal information directly from individuals, it may be possible for Agency A's purposes to be achieved by collecting information from Agency B that has been anonymised or de-identified prior to disclosure to Agency A.
Similarly, if personal information is being collected to assist with something like policy development or analysis of a service, there may come a time at which it is no longer necessary to collect the same kinds of personal information from people, on the basis that the purpose has been achieved.
When IPP1 applies, these questions are directly relevant to whether the collecting agency is able to conclude that it's always reasonably necessary to collect the personal information from everyone, all of the time.
The wider and more diverse a group is, or the longer the period of information collection is likely to be, the more important this question may become.
If different kinds of personal information are being collected via a single channel or into a single repository, ask whether that poses any information access problems
Sometimes agencies collect different kinds of personal information for different purposes but through a single collection channel and into a single location. In other situations, an agency might use different collection channels but collate all the information into a single repository or output, such as a spreadsheet.
If there are different audiences or groups within the agency who have different access needs in relation to the different kinds of personal information, having it all compiled into a single location, repository or output could result in some staff having access to personal information they don’t need to see and which, therefore, they should not see. This could also be contrary to the Privacy Act's IPP5 (Storage and security of personal information). Under IPP5, agencies need to ensure that personal information they hold is protected by reasonable security safeguards "against access, use, modification, or disclosure that is not authorised by the agency".
In this kind of situation, part of the method for achieving the outcomes, i.e., the means for collecting and collating the information, may be inappropriate and need to be reconsidered. In the social sector this can be particularly important because service users can get understandably worried about too many or the wrong people having access to their personal information. They shouldn’t have to worry about this and, if agencies can provide comfort to them about that, then all the better.
The relevance of context
Context matters because it influences how people might feel about a collection or use of their personal information for particular purposes or how much information is collected, and that, in turn, may affect their wellbeing. It also affects the kinds of checks and balances an agency may decide to work through before collecting, using or sharing personal information for a particular purpose, especially if there's any risk that collecting, using or sharing personal information in the manner proposed could do, or be perceived to do, more harm than good.
Context can also be relevant to the collection, use or sharing of information that has been de-identified, in the sense that it won't be possible to identify specific individuals from the de-identified information. This is because de-identified information can still contain information that some individuals, groups or cultures may find sensitive.
It can be particularly important to remember that, whilst the Privacy Act is concerned with the privacy of individuals, we live in a society where broader groups have legitimate privacy interests. The Act's controls may fall away once personal information has been fully de-identified in the sense described above, but the remaining information could still be sensitive to, for example, whānau, hapū, iwi, other cultural groups, or other groups of society.
The next part of this Guideline provides guidance on potentially relevant contextual matters and describes some specific issues that may be particularly important in some situations.
Potentially relevant contextual matters
Contextual matters to consider in decision-making may include some or all of the following.
Which agency is collecting the information from service users?
- Will your agency collect the information from service users? If not, which agency will, or did, collect it from them?
- If another agency will collect, or did collect, the information you want to use, will the service users be told or were they told that your agency would receive their information? If not (and assuming the original collecting agency is permitted to disclose it to your agency and that your agency is permitted to collect it), how might they feel about your agency having their information? Could your agency's use of the information be distressing to them or otherwise adversely affect their wellbeing?
What's the nature of the service or programme for which the information will be collected or was originally collected?
Generally speaking, the more sensitive, urgent or acute for people a service is, the more important it becomes to consider people's wellbeing and take that into account when considering the purposes for which their information will be collected (especially if those purposes entail disclosures to others) and how much will be collected. For example, if an agency is providing a support service to victims of serious crime, the nature of that service and what the victims have experienced are highly relevant to the purposes for which, and how much of, their personal information might be collected, used, and shared with others. This is the case regardless of what the law may permit.
What's the nature of the information?
- Is the information fairly routine or basic in nature or is it particularly sensitive? For example, is it about service users’ mental health or their attendance in a programme? Consider that, in some situations, information that may sound fairly routine to the collecting agency may actually be quite sensitive for the people being asked to provide it.
- If information is collected in circumstances where those providing it don’t need to establish their identity, is there a risk of receiving inaccurate information?
- Is there any potential for people to feel judged or discriminated against by an agency using their information in the manner proposed?
- Would the collection or use of the personal information affect people's trust and confidence in the agency collecting it or using it?
What are the circumstances of the people involved?
- Might the proposed use of service users' personal information be seen as unrepresentative or reinforcing of stereotypes?
- Is the information about children, people who are marginalised or stigmatised, or people at greater risk of harm, and whose information needs greater protection?
- If the information comes via a service or programme, do the people concerned self-refer or is their attendance compulsory? This may influence how much choice they have over the collection of their information and how they might feel about that or about it being used for other purposes, even if they’re told about those other purposes when their information is collected.
Is there potential for adverse consequences?
An agency’s purpose for collecting personal information may be related to its functions or activities, well-intentioned, and understandable, and the collection of personal information to achieve that purpose may appear to be reasonably necessary. It may be consistent with government priorities and policy objectives and, from these perspectives, justifiable. From a legal perspective, it might tick all boxes under the Privacy Act's IPP1 (Collection of personal information).
Applying the He tāngata Principle, though, means asking whether pursuit of the purpose and the collection of personal information for that purpose could have adverse consequences for people. This is an area on which the Privacy Act's information privacy principles are relatively silent. Indeed, there can be instances where a collection and use will not be contrary to any privacy principle but where the potential for adverse consequences, once understood, may prompt reconsideration.
In some situations, particularly where new policies, services or programmes are involved, it may be desirable to place an ethical lens over what's proposed. For example, it may be desirable to:
- take both the positive outcomes and the potential adverse consequences into account before proceeding, and to ask if pursuit of this purpose could do more harm than good, even if that's not the intention
- consider the importance of respecting people's dignity and treating them in a just manner, consistent with the He tāngata Principle.
Sometimes, it can help to conceptualise what’s proposed like this. This is a simple representation of what will often be a complex picture (in an actual situation, the positive purposes would be specifically described, and there could be additional or different adverse consequences) but it may help to put matters in perspective and prompt a collecting agency to ask whether it has only been thinking about one side of what lies in the balance.
Identifying the adverse consequences may also help an agency to take steps to avoid them while still enabling it to pursue one or more of its original purposes.
If requiring information from people, or requiring service delivery organisations who collect information to pass it on to others, could result in people walking away from services they need for fear of what might happen to them or who might see their sensitive information, then that might result in more harm than good. Even when lawful, care may be needed to ensure that information collection practices do not deter people from seeking the help they need.
How could linking people's personal information with other data be perceived?
It is not uncommon for personal information to be collected with a view to linking it with other datasets to yield insights, whether as the sole purpose of collection or as one of the purposes of collection.
If a collecting agency is proposing to do this, it needs to be clear about the nature of the proposed linking and how resulting insights will or are likely to be used. This is important to avoid over-collection of personal information and to be able to explain to people how their personal information will be used.
While the law allows this kind of linking in certain situations (each situation needs to be assessed on its merits), it can be important for the collecting agency to ask itself, and sometimes service provider organisations and service users, what people would think about their information being linked up in this way.
This question remains important even when the resulting data will be de-identified or anonymised before further use, as some people may still have concerns about information derived from their personal information being used in this way, particularly where the information is sensitive.
If the collecting agency elects to proceed with the collection for linking purposes, the next question needs to be considered.
What should an agency tell people about their personal information being linked with other data?
This topic naturally arises under the Transparency and Choice Guideline; it is mentioned here as well given its relationship to the purpose of collection.
From an ethical perspective and bearing in mind the nature and range of information that circulates in the social sector, it is important to explain proposed data linking to service users, regardless of whether the law requires that. This is not a straightforward point because, under IPP3, one of the grounds for not having to explain the purposes of collection and other matters to people is where the agency believes that the information will be used for statistical or research purposes and won't be published in a form that could identify individuals. Where an agency’s linking purposes fall squarely within this exception, the agency might conclude that it doesn't need to tell people about the linking and how the insights will be used.
However, there is nothing sufficiently unique about the collection of personal information for statistical or research purposes to justify not telling people that their personal information will be linked with other datasets to yield insights, even where a social sector agency can rely on the IPP3 exception.
If personal information is to be collected from other agencies, what is the potential impact on the unique trust relationships that those agencies may have in place with people?
People form trust relationships based on interactions they have with other people. Where information is being collected by frontline service delivery organisations, such as NGOs, those trust relationships may exist at the local level. They may have developed over time and they may be premised on particular approaches to, for example, information disclosure and consent, that the service delivery organisations have followed. In some cases, these approaches may have flowed from codes of ethics that certain kinds of service providers need to follow as a matter of professional obligation.
If an agency (Agency A) is proposing to collect personal information from frontline service delivery organisations, it can be important to take the existence of these trust relationships and approaches into account, and to ask what impact Agency A's collection from these organisations could have on them and their clients. It may be important to consult the organisations and, where appropriate, service users, at an early stage, before collection decisions are made.
Work through checks and balances when needed
About this page
When trying to balance people’s right to privacy with the reasonable necessities of using people’s information to deliver services effectively, there will often be judgement involved. In fact, a good understanding of the role of purpose (the ‘why’) will sometimes mean making more judgements, rather than fewer.
This section looks at when and how to use checks and balances to help with those judgements.
This Guideline emphasises the importance of getting the purpose(s) of collection right, only collecting what's reasonably necessary for those purpose(s), and taking care to avoid unintended adverse consequences. Given the significance of these matters, in some cases it can be helpful to subject an agency's initial thinking, around purpose and the necessity and appropriateness of collection, to one or more checks and balances. This is particularly so when an agency:
- is unsure about how it is articulating a purpose of collection, for example whether it’s sufficiently precise and covers all genuine purposes or whether it could be over-reaching
- identifies a risk that others could be concerned about the collection, particularly if service delivery organisations or service users could be concerned
- is unsure whether a purpose of collection is sufficiently connected to the agency's functions or activities
- could be collecting more personal information than is necessary for the stated purpose(s)
- is embarking on a new service or programme that, for some people, may be controversial
- operates in a complex legislative environment (that is, in addition to the Privacy Act, an agency has powers or is subject to constraints in specific legislation that applies to that agency)
- is proposing to collect sensitive information or information that could be perceived to have no logical connection to the stated purpose(s) or where the type of information being collected (such as gender, marital status, ethnicity, religious belief, sexual orientation, or mental or other health information) could be used to discriminate against people
- is collecting the information or using it for a stated purpose in a manner that could adversely affect the trust and confidence people have in the agency, or run the risk of people in need not seeking the help that’s available to them.
Agencies should also note that, under the Privacy Act 2020, the Privacy Commissioner can issue a compliance notice if the Commissioner believes that an IPP (such as IPP1 on the purpose of collection or IPP3 on what a collecting agency needs to tell individuals) has been breached. A compliance notice describes the breach and requires the agency to remedy it, and can be issued in the absence of harm.
If any of the circumstances described above exist, the collecting agency (or, where relevant, an agency disclosing the information to a collecting agency) may wish to do one or more of the following:
- check with a line manager, and get that person's opinion
- ask the agency’s privacy officer for help
- seek input from a privacy consultant
- seek legal advice from a lawyer or firm with a solid understanding of privacy law
- undertake a privacy impact assessment or, if available to your agency, apply a framework like the Ministry of Social Development's Privacy, Human Rights and Ethics framework (PHRaE)
- seek advice from an appropriate review group or panel if ethical questions arise, for example the Data Ethics Advisory Group
- raise with the agency’s executive management team any risks or uncertainties about the proposed purpose(s) of collection and the information to be collected
- seek input from other agencies, including, where relevant, service delivery organisations who have a relationship with service users
- consult relevant Māori groups if the collection or use could have a distinct impact on Māori or raise concerns for Māori
- seek information from service users or service user representatives
- consider whether to establish or seek advice from a review board, external reference group, ethics committee or client reference group
- consult the OPC.