Help people to understand what information they’re being asked to provide, and why
Under the Privacy Act's information privacy principle 2 (IPP2) (Source of personal information), agencies that collect personal information need to collect it directly from the individuals concerned, unless an IPP2 exception applies. Collecting information directly from people is a primary means by which agencies can ensure that they are being transparent with people about their collection of information, given the immediacy of the relationship with them and agencies' obligations in information privacy principle 3 (IPP3) (Collection of information from subject).
IPP3 sets out what an agency needs to make people aware of when collecting personal information from them.
This Guideline proposes that 'ensuring service users are aware' should mean helping them to reach a reasonable understanding in a way that makes sense to them, at the time(s) that work for them.
The focus of IPP3's transparency requirements is on ensuring people are aware of what information will be collected from them, why it’s needed (the 'purpose' of collection), and what choice they have over its collection. Ideally, this level of understanding should be achieved before the information is collected, but this may not always be possible (or 'practicable', as IPP3 puts it). Where it’s not, the agency needs to make people aware 'as soon as practicable' after collecting their information. What is practicable will depend on the situation, including the circumstances of the service user and the nature of the service that person needs.
The specific matters that people need to be made aware of are these:
- the fact that information is being collected, what information is being collected, and why (the purpose for which their information is needed)
- who will receive (or be able to see) their information (this important topic is discussed later on this page)
- where the collection is authorised or required by law, what that law is, and if people can choose whether or not to provide the information
- what the consequences might be if someone doesn't provide the information requested; and
- people’s rights of access to, and to request correction of, their information (see the Access to Information Guideline for more information on these rights).
There are some limited circumstances in which an agency that's collecting personal information from people doesn't need to make them aware of these matters. An agency doesn't need to do so if it has already done so in relation to the same kind of personal information in the recent past. The agency also doesn't need to do so if it believes on reasonable grounds that:
- not providing that information would not prejudice the interests of the individual concerned;
- not providing that information is necessary (in the case of a public sector agency) to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings;
- providing that information would prejudice the purposes of collection;
- providing that information would not be reasonably practical in the particular case; or
- the personal information collected from the individual concerned will not be used in a form in which the individual is identified or will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual.
Reliance on these grounds is the exception rather than the norm. The default is to provide people with the information required by IPP3. It's also important to note that many of these exceptions must be considered on a case-by-case basis and do not justify non-compliance with IPP3 for a broad group of service users.
If an agency does not inform people of the matters listed in IPP3 (under 'what service users need to be made aware of') and none of the grounds above applies, the Privacy Commissioner could issue a compliance notice to the agency that describes the breach of IPP3 and requires the agency to remedy it. Compliance notices can be issued in the absence of harm.
Additional matters people should be made aware of
Whilst the Privacy Act doesn’t require this, it is also good practice to explain:
- how people’s privacy will be protected, in terms of safe storage and security of their information and the access controls that will be placed on it in a manner that is consistent with the agency's obligations under IPP5 (Storage and security of personal information)
- how the information will be used to help them or people in similar situations to them (if this is not already part of the communicated purposes of collection) and, where possible, examples of this happening
- if the collected personal information will be matched or linked with other data relating to the same individuals, particularly data sourced from other agencies, the fact that matching or linking will occur, why it is being done and what it could mean for those individuals
- if relevant, how particular information may be used in a form that doesn’t identify them. People often think of their information as being ‘about them’ even if it doesn’t identify them and like to know how the information they provide will be used even when identifiers are removed or masked.
The importance of clarity as to who will see service users' personal information
In the social sector, the question of who will be able to see the often sensitive personal information collected from service users is an important one, particularly where a collecting agency is large and has multiple different functions, and where personal information may be shared with other agencies.
The Privacy Act's IPP3 refers only to making people aware of the "intended recipients of the information". This phrase does not distinguish between recipients within the agency collecting the information and recipients in the form of, for example, other agencies. In addition, and as the website of the Office of the Privacy Commissioner (OPC) puts it, it doesn't require the collecting agency "to list every possible person it might pass personal information to - it will be enough to give a general idea of who is likely to see the information and why they might see it."
At the same time, it is also clear from that material that the OPC considers it can be appropriate not only to inform people of any other agencies with whom the information may be shared, but also the kinds of people within the collecting agency who will see their personal information. This Guideline takes the same approach. It’s an important point because this part of IPP3 is often read as relating only to sharing personal information with other agencies. This can result in little or nothing being said, in privacy statements for example, about the limited audiences within the collecting agency who will be able to see people's personal information and that, in turn, can generate worry and concern on the part of service users.
In general, the larger and more multi-faceted a collecting agency is, the more important it becomes to give service users comfort by explaining who within the agency will and won't have access to their personal information. What can be said in any given situation will depend on the context and who within the agency may need to see the information. What’s important is not leaving people with the impression that anyone inside the agency's four walls will be able to see it, especially when they don't have a genuine need to see it.
Help frontline staff to understand so they can fulfill their responsibilities and help service users to understand
For a range of reasons, sometimes those collecting personal information directly from people do not know all the reasons why it’s being collected, as the decisions as to what to collect may have been made by others in their agency or in parallel with another agency or by another agency. In other words, there can be a knowledge gap between those deciding to collect, and those who actually do the collecting.
Anyone involved in designing information collections or communicating them to others, for example in contracting documents, needs to help ensure that people all the way along the chain, including those dealing directly with service users, have a good understanding of the ‘what and why’ as outlined in this Guideline. Failure to do so may undermine people’s responsibilities, which often flow from legal duties that agencies have to service users. If those dealing directly with service users don’t have a good understanding of why information is being collected, they may not be able to prepare their privacy statements, explain matters proactively or answer questions that service users put to them.
At the same time, those involved with collecting personal information from service users and, where relevant, those being asked to share it with other agencies, need to feel able to ask ‘why’, safely and confidently, and without fear of negative consequences. People involved in the ‘chain’ of collecting, using and sharing information have a right to be given a good answer, and it should be assumed that at some point a service user will ask the same question.
Remember that ensuring that service users are aware can help an agency meet its accuracy obligation
Agencies have a responsibility under the Privacy Act's IPP8 (Accuracy, etc, of personal information to be checked before use or disclosure) to take reasonable steps, before using or disclosing personal information, to ensure that the information is accurate, up to date, complete, relevant, and not misleading.
Helping service users to have a good understanding of what’s being collected and the purpose(s) of collection, while providing them proactively with means to access and request correction of their information (or to correct it themselves), can help agencies meet their own obligations under IPP8, in that service users may be more likely to request corrections of their personal information (or, if possible, update it themselves) if they think it’s inaccurate or incomplete.
Match the approach to the context
Approaches to transparency and choice can take many forms. Keep the outcome in mind (providing good and safe opportunities for service users to understand and to ask questions) but think broadly about the approach.
Consider a range of methods that might work for the service users you work with
It can be helpful to consider a range of methods for explaining matters to your service users. These might include:
- one to one conversations
- brochures, fact sheets or FAQs to take home
- posters in offices
- website information at different levels of detail
- information on forms they are asked to sign, and copies they can take away
- presentations to groups of people.
The most effective approach will often be to talk people through these topics in person so that they can ask questions. Whilst a range of different approaches can work, it’s important to make sure that understanding is actually achieved, by checking with people from time to time, and by respecting cultural and language considerations.
Provide multiple opportunities if that’s what people need
Service users will sometimes be stressed or in crisis when they initially look for support. They may not yet be interested, willing, or ready to think about what may happen with their personal information. For that reason it may be necessary to offer a number of opportunities to re-visit the topic, and to respond appropriately to their level of interest in understanding. Service users in this kind of situation could include victims of crime, or children or young people whose authority over or willingness to make decisions about themselves changes as they become older.
Example: In some situations service users might be informed face-to-face of key matters relating to the collection and use of their personal information, but also be given a one-page information sheet to take away and/or be told that they can always check the agency’s privacy statement on its website for further information about the handling of their information and who to contact if they have any questions.
Be as specific as you can
Be as specific and clear as possible with explanations so people have the best chance of understanding what information is being collected from them, how their information will be used and who will be able to see it.
Here are some example comparisons of good versus not-so-good practice:
| Better explanation | Insufficient explanation |
|---|---|
| "We will share your information with agencies X, Y and Z for these reasons..." | "We will share information with relevant agencies" |
| "Your information might be used without your name, address or anything else that identifies you to help us apply for more funding". | "Information is used for service improvement". |
| "This information about you will be linked with other information about you that we hold, to help us research [XYZ], but anything that identifies you will be removed before anyone uses it for research". | "Information will be used for research purposes". |
| "People directly involved in providing services to you and our internal researchers will be able to use your information, but other people, for example contract managers, will not be able to see it". | "We will share your information with people who need to see it". |
These are examples of things to think about:
- Will service users be surprised by anything if they come to understand or hear about it later?
- What are the communication needs of your particular service users? What timing, language, format, visuals, flowcharts, pictures or other things could be helpful?
- Is this a one-off encounter or a long-term engagement when there may be further opportunities to discuss the information being collected and what may happen with it?
- What kind of information is being collected, what will it be used for and how might that impact what service users need to understand, either now or over time?
- Who should people contact if they have questions? Do they know how to do that?
- Does it make sense to provide detailed information, or can more general explanations be used, given the variety of purposes and information collected? Think carefully about the balance, as generalisations can raise further questions and risk being inappropriate, and assumptions about how service users perceive the sensitivity of their information may not be accurate. Note also that, through the likes of layered privacy statements, both general and detailed information can be given.
- If another agency is collecting information on your behalf, what support does it need? The collecting agency should be given the information it needs and feel able to freely ask all the questions that service users may ask it.
- Who can help to develop or test forms, explanations and other communication material?
- If service users are concerned about something, or would like to complain, how can they do that, and are they aware of their ability to do so? For example, will you provide details of who they can contact, by email or phone? Will you provide an online contact form? Will you invite them to come and talk with you if they wish?
Make sure there is a safe and responsive environment
It's particularly important in the social sector for people to be able to obtain a good understanding of what's being done with their personal information in a safe and responsive environment. To enable people to reach a good understanding it’s helpful to consider how to ensure people feel safe to listen and ask questions, and what kind of information will work best for them.
Examples of things to think about:
- How will you ensure that people feel safe and confident to ask questions, either when information is first collected, or at regular intervals?
- Appreciate that people read, hear, learn and understand in different ways. Be prepared to offer choices about how they want to understand things. Information, processes and communication material should be adapted to meet the needs of different service users, given for example their kaupapa Māori contexts, age, spoken languages, and other factors that might suggest necessary alternatives.
- How can you check their level of understanding and interest? Thinking about their personal information won’t always be their first priority, but it will matter at some stage. Find ways to check that the required level of understanding is being achieved. For some groups of service users, this might be achieved through ad hoc sampling.
- Consider if timing matters. As noted earlier in this Guideline, the Privacy Act requires that service users are told of the matters listed in IPP3 (about the collection and use of their personal information) at the time of collection, or if that’s not practical (for example they are in crisis or there is an emergency) as soon as possible after that. In some situations it may be appropriate to explain a minimum amount straight away and then follow up with the person, with more detailed information, later.
Offer choices when you can
Whether people have real choices as to whether or not to provide personal information depends on the context. People may have:
- no choice: such as being required by a specific statutory provision to provide personal information when requested by an agency from which they’ve already applied for a particular benefit or service;
- limited choice: accepting that providing some level of personal information is an essential part of using the service in question, such as using a mental health counselling service (so the only choice is whether to accept the service or not); or
- some choices: such as choosing to enrol in a drug and alcohol support programme where a person will have choices about what experiences they do or don’t share, and with whom.
Even when it’s not feasible for an agency to offer a person a choice as to whether to provide their information (for example, because the information is required to provide a requested service), it may still be possible to offer choices about:
- how the information is captured (for example, by a member of the agency’s staff writing down what a person says versus giving someone a paper or online form to fill out); or
- who is able to see or use the information (for example, by enabling people to record their wishes about limiting access and respecting those wishes).
It is important that people who need to access a social service to improve their wellbeing or that of their whānau understand how their information will be collected and managed and the benefits of providing it. When their only practical choice is to provide their information or refuse a service, having this understanding may help them to provide their information with confidence, rather than refuse a service that could help them.
People within agencies who are involved in deciding what personal information may need to be collected for specific purposes should endeavour to identify any choices that are consistent with and won’t defeat those purposes (see Purpose Matters). This may include:
- identifying and putting processes in place for situations where it is acceptable to provide no, limited, or alternative kinds of personal information. For example, cultural considerations or the fact that people have disabilities or are experiencing high levels of stress may warrant such an approach. This includes practical considerations such as alternatives to confirming identity when individuals don’t have a driving licence
- enabling people to agree to some purposes for which their personal information can be used, but not others
- enabling people to provide summary information if detailed information is particularly sensitive
- enabling people to provide information anonymously if, for example, the purposes of collection can accommodate this.
For further discussion of the question of offering choices to certain groups of service users, see the section of the Purpose Matters Guideline headed 'Ask whether, to achieve the outcome, it is reasonably necessary to collect personal information from every service user all of the time or whether allowing people to opt out is feasible'.
Examples of things to think about:
- Is it possible to offer people choices for certain kinds of collection without defeating the purposes of collection?
- If you were asked, could you provide a clear explanation as to why offering people a choice as to the collection of their personal information is not feasible?
- Do you need any help to make decisions on these issues and, if so, who can help? Can subject matter experts or service provider or client representatives help?
Collect in a lawful and fair manner
This Guideline's focus is on transparency and choice. It may be helpful to note, though, that when it comes to the actual collection of personal information, the Privacy Act's information privacy principle 4 (IPP4) requires agencies to collect the information by means that are lawful, fair and that do not intrude to an unreasonable extent upon the personal affairs of the individuals concerned.
IPP4 also emphasises that particular care is needed when collecting personal information from children and young people.