Privacy Act

The Policy's Principles and Guidelines are consistent with the Privacy Act, but also recommend good practice that is beyond what the law requires.

The Guidelines make it clear when they recommend actions that are above and beyond the minimum legal requirements of the Privacy Act.

Agencies are not legally bound by those recommendations but are encouraged to follow them in accordance with the spirit and intent of the Principles.

Mapping the Privacy Act's information privacy principles (IPPs), and statutory overrides, to the DPUP Principles and Guidelines

What this tool covers

  • The tool describes how the Privacy Act's information privacy principles (IPPs) are addressed in the DPUP Principles and Guidelines, where they contain good practice guidance that goes beyond IPP requirements, and what, in summary, that additional good practice guidance is (Table 1).
  • It addresses how DPUP recognises that the IPPs can be modified or overridden by other laws, provides key examples of where that's the case, and links to other government guidance on such laws (Table 2).
  • It summarises aspects of DPUP that are beyond the scope of the Privacy Act in that they relate to non-personal information (Table 3).

Who may find this tool useful?

This tool is designed for those who are looking for a detailed comparison of DPUP against the Privacy Act’s IPPs. People in this category may include those advising on privacy or legal considerations and those training others on DPUP.

Mapping the IPPs to DPUP and explaining where DPUP good practice guidance goes beyond the IPPs

Privacy Act Information Privacy Principle 1: Purpose of collection of personal information

An agency can only collect personal information if the information is collected for a lawful purpose connected with a function or activity of the agency, and the collection of the information is necessary for that purpose.

If the lawful purpose for which personal information about an individual is collected does not require the collection of an individual’s identifying information, the agency may not require the individual’s identifying information.

Addressed in which Guideline(s)       

Purpose Matters Guideline (addresses a wide range of purpose-related issues)

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

Note: page number references are to page numbers in the composite DPUP PDF available at dpup.swa.govt.nz.

  • De-identified information: Importance of considering purpose even where personal information has been de-identified (p. 24)
  • Specific statutory power: Explanation of why assessing purpose is relevant when collecting, using or disclosing personal information under a specific statutory power (pp. 27, 30, 31)
  • Recording purposes of collection: Guidance on importance of documenting purposes of collection (pp. 30 and 33)
  • Methodology: Suggested approach to defining/assessing purposes of collecting/using personal information (pp. 32-40)
  • What people may think: Consideration of what people providing the information will think about the proposed use of their information (p. 33)
  • Evolving purpose statements: Guidance on care to be taken with evolving statements of purpose (p. 34)
  • Different analytical techniques: Guidance on considering whether there are different analytical techniques or processes that affect how much information is collected (p. 34)
  • Information required from every service user?: Guidance on considering whether personal information needs to be collected from every service user or whether some can opt out (p. 35)
  • Broader privacy interests: Consideration of broader groups' legitimate privacy interests (p. 36)
  • Sensitivities and adverse consequences: Guidance on considering sensitivities and possible adverse consequences even where collection is lawful (p. 38)
  • Trust relationships: Guidance on considering, when collecting personal information from another agency, the potential impact on trust relationships between the other agency and its service users (p. 40)
  • Checks and balances: Checks and balances that can be worked through to carefully consider proposed purposes, including consulting service users, agencies, Māori groups, external experts and others as needed (p. 41)
  • Identifying information for insights: Guidance on identifying what the most useful information will be to support the development of the desired insights, including qualitative and interpretative information (p. 71)

Privacy Act Information Privacy Principle 2: Source of personal information

Agencies are required to collect personal information directly from the individuals concerned, unless an exception applies.

Addressed in which Guideline(s)

Purpose Matters Guideline (p. 28, in the context of an IPP2 purpose-related exception)

Transparency and Choice Guideline (p. 49).

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

No guidance beyond IPP2: The DPUP Guidelines do not contain good practice guidance going beyond, or that could be seen as extending, the IPP2 requirement.

Manaakitanga principle: The Manaakitanga principle does recognise, however, that service users should be included and involved whenever possible, as they may be able to offer greater value than just their information, and that their ideas and views should be included when developing or testing proposals to collect and use data or information to improve wellbeing.

Privacy Act Information Privacy Principle 3: Collection of information

Unless an exception applies, the collecting agency must take such steps (if any) as are, in the circumstances, reasonable to inform the individuals of a range of listed matters.

Addressed in which Guideline(s)

  • Purpose Matters Guideline (pp. 27, 29 and 39, in the context of purpose and transparency related discussions)
  • Transparency and Choice Guideline (comprehensively addresses a wide range of transparency and choice-related issues)

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

Providing purpose-related information to other agencies: IPP3's focus is on what individuals are to be told when an agency collects personal information from them. The Act is silent on what an agency should tell another agency when collecting personal information from that other agency. The Purpose Matters Guideline emphasises the importance of providing purpose-related information to such agencies and explains why (pp. 28-29)

How information will not be used: Where appropriate, agencies to consider telling people how their information will not be used (p. 33)

Perceptions of linking: Guidance on considering how people could perceive their data being linked with other data and what they should be told about it (p. 39)

Use of information once de-identified: Recommendation for agencies to be transparent about what they are doing with people's information even when it has been de-identified (Transparency and Choice Guideline, p. 46)

Telling people about more than IPP3 matters: Guidance on making people aware of matters beyond the IPP3 requirements, including more granular guidance than the wording of IPP3 on informing people about who will see their personal information, whether inside or outside of the collecting agency (p. 50)

Helping frontline staff understand: Guidance on helping frontline staff to fully understand the reasons for collection to enable them to be transparent with service users (p. 51)

Methods of helping people understand: Guidance on considering the range of methods by which information may be communicated to service users in a manner that works for them, providing multiple opportunities for understanding if needed, and providing a safe and responsive environment (pp. 52-53)

Choice: Guidance on providing people with choices, where an agency can, as to whether personal information needs to be provided (exceeding IPP3 requirements) or as to how the information is captured or who is able to see the information (p. 54)

Privacy Act Information Privacy Principle 4: Manner of collection of personal information

Personal information must not be collected by unlawful means, or means that are unfair or intrude unreasonably on the personal affairs of the individual concerned. Particular care is needed when collecting personal information from children and young people.

Addressed in which Guideline(s)       

Transparency and Choice Guideline (pp. 54 and 55).

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

Choice as to manner of collection: Consideration of choice as to how the information is captured, for example “by a member of the agency’s staff writing down what a person says versus giving someone a paper or online form to fill out” (p. 54)

Privacy Act Information Privacy Principle 5: Storage and security of personal information

An agency holding personal information must ensure there are reasonable safeguards against loss, misuse or disclosure, and that, if it's necessary to give information to another person, such as someone working on contract, everything reasonable is done to prevent unauthorised use or unauthorised disclosure.

Addressed in which Guideline(s)

  • Purpose Matters Guideline (p. 36, when considering potential information access problems if different kinds of personal information are being collected via a single channel/repository)
  • Transparency and Choice Guideline (p. 50, in the context of making people aware of additional matters beyond those in IPP3).

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

No guidance beyond IPP5: The DPUP Guidelines do not contain good practice guidance going beyond, or that could be seen as extending, IPP5 requirements.

Kaitiakitanga principle: The Kaitiakitanga principle does recognise, however, that, as kaitiakitanga, agencies need to protect people’s stories and information and keep them safe and secure.

Privacy Act Information Privacy Principle 6: Access to personal information

Where personal information is held in a way that it can readily be retrieved, the individual concerned is entitled to obtain confirmation of whether the information is held and to have access to the information.

Where an individual is given access, the individual needs to be advised of the right to request the correction of the information.

An agency may refuse to disclose personal information if a ground set out in Part 4 of the Act applies.

Addressed in which Guideline(s)

Access to Information Guideline (addresses a wide range of access and correction-related issues).

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

Informing and reminding people of access and correction rights: Explanation of why, in the social sector, it can be particularly important to inform and remind people of their access and correction rights (Access to Information Guideline, p. 62)

Recording people’s information: Guidance on the importance, when recording information about people, to ensure it is accurate, clear and well-written (p. 63)

Helping people ask: Guidance on helping people to ask for their information, beyond merely informing people of their right to access and request correction of their personal information as required by IPP3 (p. 64)

Making it easy: Guidance on making it easy to access and request corrections of one's information (pp. 65-67)

Acting as agent or representative: Guidance on acting as an agent or representative for a service user in relation to Privacy Act requests (p. 67)

Privacy Act Information Privacy Principle 7: Correction of personal information

Everyone is entitled to request correction of their personal information and to request that, if not corrected, a statement is attached saying what correction was sought but not made.

If agencies have already passed on personal information they then correct, they should inform the recipients about the correction.

Addressed in which Guideline(s)       

Access to Information Guideline (addresses a wide range of access and correction-related issues).

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

See above: Access and correction are often treated together.

Privacy Act Information Privacy Principle 8: Accuracy of personal information to be checked before use

An agency must not use or disclose personal information without taking reasonable steps (if any) to check it is accurate, complete, relevant, up to date, and not misleading.

Addressed in which Guideline(s)

  • Transparency and Choice Guideline (p. 51).

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

  • Helping people access and request correction can help agencies with IPP8: The Transparency and Choice Guideline notes that: "Helping service users to have a good understanding of what’s being collected and the purpose(s) of collection, while providing them proactively with means to access and request correction of their information (or to correct it themselves), can help agencies meet their own obligations under IPP8, in that service users may be more likely to request corrections of their personal information (or, if possible, update it themselves) if they think it’s inaccurate or incomplete." (p. 51)
  • Consulting people with experience on matters relevant to information quality and context: The Sharing Value Guideline recommends that people with relevant experience are consulted to ensure that knowledge on such things as the availability and quality of information, what is involved in collecting the information, and cultural context informs the collection and use of the information (p. 77).

Privacy Act Information Privacy Principle 9: Personal information not to be kept for longer than necessary

An agency holding personal information must not keep it for longer than needed for the lawful purposes of use.

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

No guidance beyond IPP9: The DPUP Guidelines do not contain good practice guidance going beyond, or that could be seen as extending, IPP9 requirements.

Privacy Act Information Privacy Principle 10: Limits on use of personal information

An agency that holds personal information obtained in connection with one purpose must not use the information for another purpose, unless an exception applies.

Addressed in which Guideline(s)

Purpose Matters Guideline (pp. 29, 30 and 33, in the context of purpose and use discussion).

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

No guidance beyond IPP10: The DPUP Guidelines do not contain good practice guidance going beyond, or that could be seen as extending, IPP10 requirements.

Privacy Act Information Privacy Principle 11: Limits on disclosure of personal information

An agency must not disclose personal information it holds unless one of the listed exceptions applies.

Addressed in which Guideline(s)       

Purpose Matters Guideline (p. 31, in the context of being clear about purpose and sharing, and statutory overrides of IPP11).

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

No guidance beyond IPP11: The DPUP Guidelines do not contain good practice guidance going beyond, or that could be seen as extending, IPP11 requirements. See the section below entitled ‘How DPUP Guidelines recognise that the IPPs can be modified or overridden by other laws, with examples’ for general recognition in DPUP Guidelines that specific statutory provisions can override certain IPPs. Such provisions can override IPP11 as well.

Privacy Act Information Privacy Principle 12: Disclosure of personal information outside New Zealand

IPP12 regulates the disclosure of personal information outside New Zealand. It seeks to ensure that, when information is disclosed offshore, there are comparable safeguards to those in the Act. In essence, an agency can only disclose personal information to a foreign person or entity (i.e., overseas), in reliance on certain listed IPP11 exceptions, if one of a number of conditions is satisfied.

Addressed in which Guideline(s)

Purpose Matters Guideline (footnote on p. 31)

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

No guidance beyond IPP12: The DPUP Guidelines do not contain good practice guidance going beyond IPP12.

Privacy Act Information Privacy Principle 13: Unique identifiers

Unique identifiers (UIs) – such as IRD numbers and passport numbers – must not be assigned to individuals unless necessary for the agency to carry out its functions efficiently. UIs must be truly unique to each individual (except in some tax related circumstances or for statistical or research purposes). An agency (A) does not assign a unique identifier to an individual by simply recording a unique identifier assigned to the individual by another agency (B) for the sole purpose of communicating with B about the individual. UIs are only to be assigned to individuals whose identities are clearly established, and the risk of misuse of UIs by others needs to be minimised. No one is required to disclose their UI unless it is for, or related to, one of the purposes for which the UI was assigned.

Addressed in which Guideline(s)

Not addressed in DPUP. UIs are referred to in the Purpose Matters Guideline (p. 33) but there is no reference to IPP13 itself.

Where and how Guidelines' good practice guidance goes beyond the IPP requirements

Minimal guidance beyond IPP13: The DPUP Guidelines do not contain good practice guidance going beyond, or that could be seen as extending, IPP13 requirements, other than a statement in the Purpose Matters Guideline (at p. 33) that "if the information you’re collecting includes unique identifiers like a driver’s licence number, IRD number or passport number, you might want to tell people that their number won’t be used to match information you have about them with information another agency has about them".

Note that the Privacy Act 2020 introduces, among other things, a new mandatory privacy breach notification regime, and a new compliance notice regime. Privacy breach notification is addressed briefly at p. 15 of DPUP (in its discussion of the Kaitiakitanga principle). Compliance notices are mentioned briefly at p. 41 of DPUP (in the Purpose Matters Guideline) and at p. 50 of DPUP (in the Transparency and Choice Guideline).

How DPUP Guidelines recognise that the IPPs can be modified or overridden by other laws, with examples

IPPs can be overridden: The Privacy Act’s IPPs can be modified or overridden by:

  • other Acts of Parliament
  • legislative instruments, whether under the Privacy Act (such as an Approved Information Sharing Agreement under Part 7 of the Act) or other legislation, and
  • Codes of Practice under section 32 of the Privacy Act (such as the Health Information Privacy Code)

(see sections 24 (Relationships between IPPs and other New Zealand law) and 38 (Effect of codes of practice) of the Privacy Act 2020).

Addressed in which Guideline(s)       

  • Purpose Matters Guideline – various places including p. 23 (list of key concepts), p. 27 (clarity of purpose required regardless of legal basis for correction), p. 28 (recognising that specific powers can override IPP2), p. 29 (personal information only to be used for purpose of collection unless other uses permitted by law), p. 30 (purpose still relevant when an alternative use appears to be authorised by a specific statutory provision), p. 31 (purpose still relevant when disclosure appears to be authorised by a specific statutory provision).
  • Transparency and Choice Guideline, p. 54 (recognising that sometimes people can be given no choice about providing information, i.e., where a specific provision requires it).

Key examples of statutory overrides and other applicable government guidance

The following Acts, among others, include various provisions that override certain IPPs:

  • Accident Compensation Act 2001
  • Births, Deaths, Marriages, and Relationships Registration Act 1995
  • Family Violence Act 2018
  • Health Act 1956
  • Kāinga Ora–Homes and Communities Act 2019
  • Mental Health (Compulsory Assessment and Treatment) Act 1992
  • Oranga Tamariki Act 1989
  • Privacy (Information Sharing Agreement between Ministry of Social Development and New Zealand Customs Service) Order 2019
  • Privacy (Information Sharing Agreement for Improving Public Services for At-risk Children) Order 2015
  • Social Security Act 2018
  • Substance Addiction (Compulsory Assessment and Treatment) Act 2017

For guidance on the:

Family Violence Act information sharing provisions, see https://www.justice.govt.nz/justice-sector-policy/key-initiatives/reducing-family-and-sexual-violence/a-new-family-violence-act/information-sharing-guidance/

Other Areas of DPUP Guidelines that are beyond the scope of the Privacy Act

The Sharing Value Guideline provides guidance on developing and sharing the value of information and insights among those interested (e.g., service users, frontline staff, funding partners and the community) in an inclusive, useful, respectful and valuable way. It has a particular focus on sharing non-personal information, i.e., information that does not identify and is not capable of identifying people.