DPUP — funding, contracting or partnering checklist
This checklist can be used to check if any contract or agreement that will require the collection, sharing or use of people’s data or information aligns with the Data Protection and Use Policy (DPUP), even if the information does not or cannot identify who people are.
Work together as equals in the spirit of the Mahitahitanga Principle to agree how information or data from or about service users, whānau or communities will be cared for in a respectful, trusted and transparent way. Who you work with will vary depending on the situation.
Involve service users in making decisions about what is fair and reasonable to do with their data and information.
Be clear about why data or information is needed
The purpose of collecting or using people’s information for something other than providing them a service should be clear, fair and reasonable.
If data or information that is collected or shared for one purpose, such as funding or contracting, is going to be used for another purpose, then the reasons for doing so need to be clear, agreed between partners and communicated to service users.
Think carefully about using data or information that can identify someone
In general, data or information used to report on the delivery of a service or to provide evidence of compliance with contracting or funding requirements, should not be able to identify service users.
Any decision that requires sharing data or information that does or can identify people with funders, a contracting agency or an organisation that doesn’t work directly with service users, needs to be thought through carefully and checked with care. Is the purpose clear and would service users understand that purpose and agree that it’s fair and reasonable?
Completing the checklist
Use this checklist at any stage of your process or work that makes sense and is helpful for you.
Answer ‘Yes’ if this has been done. Great!
Answer ‘No’ if it is something that is relevant and should still happen but has not yet. It’s a sign that more work needs to be undertaken or more thinking done before moving forward with any collection or use of people’s data or information.
Have you worked together to:
- clarify why this data or information is needed and how collecting or using it will benefit the service users, people in similar circumstances to them or communities?
- include service users and relevant service user groups in deciding if it’s fair and reasonable to use their data and information in this way for this purpose?
- include relevant frontline workers, community representatives, cultural experts and so on in deciding if it’s fair and reasonable to use service users’ data and information in this way, for this purpose? Exactly who to involve will depend on what’s collected or used, by whom and why, any risks or particular sensitivities with the data or information, and what the possible consequences are if it is misused or misinterpreted.
- decide exactly what data or information will be collected from or about service users and their whānau? Agree:
- specifics. Rather than ‘information about their circumstances’ clarify exactly what is required and why — for example, income level, school name and year level, qualification level, number of people per household, ethnicity, risk score and so on
- what data or information will be collected or used in ways that do or can identify people, and what will be collected or used in ways that do not or cannot identify people
- what data or information is mandatory for service users to provide, where they have choices and the consequences of not providing it
- what will happen if a new need for data or information arises
- decide if data or information will be used to develop insights (for example, research or analysis), if this is applicable? Agree:
- what data or information will be used, including what will be used in a way that does not or cannot identify people and what will be used in a way that can or does
- how each partner will be involved
- how the learnings or insights will be shared and who else may be interested
- agree how each partner will use the data and information? Consider how other parts of an agency might use it
- agree on responsibilities around transparency?
- Who is responsible for explaining how data and information is going to be used in a way that is clear for service users, whānau and communities to understand.
- Document the processes and responsibilities for responding to questions or complaints about the collection or use of people’s data and information
- agree on responsibilities and processes for responding to people’s requests to access their data or information or to make corrections to it?
- develop safe and secure ways of transferring, sharing and storing the data or information? Agree on:
- what process or technology will be used
- how to make it as easy as possible for all partners
- responsibilities in terms of security and protection
- responsibilities and processes for deleting, destroying or returning data or information.
- agree how to provide or fund the resources needed to collect and manage data and information?
- agree how service users, groups of users or communities will be kept in the loop about how their data or information is used and the results or outcomes of using it?