Implementing the Privacy Principles
Find out about the 13 Privacy Principles outlined in the Privacy Act 2020, and how to follow them.
Principle 1 — Purpose for collection of personal information
Personal information can only be collected when it's necessary to achieve a legitimate agency function.
Owners and managers of websites or services should review all forms that require users to provide any type of personal data to ensure the forms only require data necessary for meeting the purpose for which the form was designed.
Principle 2 — Source of personal information
Personal information should be collected directly from the person concerned.
Principle 2 can be met through the use of robust, secure authentication and consent processes, and ideally integration with RealMe.
Authentication systems not using RealMe should be tested for flaws which are known to allow unauthorised access to other users’ data.
Agencies should engage a security panel vendor for this purpose.
Principle 3 — Collection of information from subject
People should be made aware of what is collected, why it is collected, how it will be used, and their right to review and correct it.
Agencies can meet Principle 3 by fully complying with section 2.4 of the NZ Government Web Usability Standard.
This standard outlines the required content of a Privacy Statement for each website or service.
Additionally, where user information is stored on a server that is accessible from the public internet, agencies should outline how that information is protected, state clearly that some risk is always present on the web, and allow users to acknowledge their acceptance of this via a checkbox or similar control.
Principle 4 — Manner of collection of personal information
Agencies can only collect information from people in a way that is fair and legal.
The Privacy Statement (refer to Principle 3) should comprehensively describe the collection of information.
It should also describe the collection and use of all behind-the-scenes data, such as data collected for analytics purposes or data collected from cookies.
Principle 5 — Storage and security of personal information
Personal information should be protected with safeguards that are considered reasonable, to prevent loss, disclosure or misuse.
For measures to secure personal data stored on web systems, see:
Principle 6 — Access to personal information
Where personal information is held, the person concerned has the right to seek confirmation that an agency holds their personal information, and the right to access it.
There are a number of provisions related to this principle.
Principle 6 is met by complying fully with Section 2.4 of the NZ Government Web Usability Standard, which requires this information to be included in a Privacy Statement for each site or service.
Principle 7 — Correction of personal information
People have the right to ask that their personal information be corrected, and an agency holding their personal information must, when asked, take reasonable steps to make sure it is up to date, accurate and not misleading.
Principle 7 is met by complying fully with Section 2.4 of the NZ Government Web Usability Standard, which requires this information to be included in a Privacy Statement for each site or service.
It also requires the publication of contact details for this purpose, and agencies should be responsive to such requests.
Principle 8 — Accuracy of personal information to be checked before use or disclosure
An agency holding personal information must not use that information without taking reasonable steps to ensure that it is up-to-date, accurate and not misleading.
At a minimum, where agencies hold user data, users should be given opportunities to review that data and advise of any updates to it.
Principle 9 — Agency not to keep personal information for longer than necessary
Personal information cannot be kept for longer than is required for the purposes for which the information is to be used.
Managers of sites and services should ensure that personal information is held only as long as required to deliver an online function or service. Users should also be informed via the privacy statement that they can request that their information be deleted. Agencies should consider the benefits that RealMe offers in streamlining the management of personal information.
Principle 10 — Limits on use of personal information
In most circumstances, personal information collected for one purpose cannot be used for any other purpose without the permission of the person concerned.
This can be viewed in terms of privacy domains — personal information cannot flow from one privacy domain to another without consent.
Agencies should review online systems to ensure that personal information is not re-used for purposes other than that for which it was supplied. Agencies should consider the benefits that RealMe offers in streamlining the management of personal information.
Principle 11 — Limits on disclosure of personal information
Personal information cannot normally be disclosed to other parties unless it is for the purposes of fulfilling the function for which it was provided.
Agencies should ensure that personal information held online is secured in accordance with this guidance and the principles of the NZISM.
Hosting agreements (whether internally or externally hosted) should explicitly preclude access to personal information by any unauthorised party.
Principle 12 — Disclosure of personal information outside New Zealand
Personal information can only be sent to organisations or people outside New Zealand if they meet specific criteria.
You may only send personal information to organisations or people outside New Zealand if they meet the criteria set out in Principle 12.
If the criteria do not apply, you can only make a cross-border disclosure with the permission of the person whose personal information you want to send. You'll need to make it clear to this person that their information may not be given the same protection as provided by New Zealand's Privacy Act 2020.
Principle 13 — Unique identifiers
Agencies cannot assign unique identifiers to people unless it is necessary for that agency to carry out its legal functions efficiently.
Unique identifiers are forms of identification, such as numbers or references given to people by agencies. Some examples are IRD numbers, passport numbers and driver licence numbers.
You should ensure that any identifiers are only used to enable particular functions necessary for the operation of the site or service. Make sure that analytic data is anonymised, secured from unauthorised access and only used for the purpose of understanding usage of a site or service.
You should consider the benefits that RealMe offers in providing protection to user privacy.
The context in which information is supplied can affect the sensitivity of that information. While many people may not be concerned about information such as their street address (for example, as published in a phone book), this may be very sensitive information to disclose for a person under a Domestic Protection Order, or for reasons best known to them. These considerations should be taken into account when determining the risk impact of a breach.
You should inform users about measures taken to protect their information, and ask them for their consent before storing any information on your agency web server.
Agencies storing in-confidence information on a web server should be aware of the aggregation effect: larger collections of information invariably present a bigger risk than each individual piece of such information. Substantial collections of in-confidence information require higher levels of protection and assurance. In these circumstances, agencies should consult their Information Technology Security Manager (ITSM) or Chief Information Security Officer (CISO).
For more advice, guidance and tools to help government agencies manage their privacy, see the rest of the privacy section on Digital.govt.nz.
Privacy Act 2020
Read the Privacy Act 2020 in full.