What DPUP is
The Data Protection and Use Policy (DPUP) describes what ‘doing the right thing’ looks like when you collect or use people’s personal information.
DPUP is for all New Zealanders, particularly agencies and the people who use their services.
DPUP uses the term ‘agency’ to refer to government agencies, non-governmental organisations and other providers of services.
Read the 1-page DPUP overview
- Data Protection and Use Policy — an overview
- Data Protection and Use Policy — an overview (PDF 127KB)
- Data Protection and Use Policy — an overview (PPTX 1.2MB)
DPUP’s key concepts
DPUP puts people first. It’s about respectful, trusted and transparent use of people’s personal information.
DPUP provides good-practice advice about collecting and using people’s information. It recommends practices that in some places go beyond the law, and in those situations says clearly why it does so. This is because when information is no longer ‘personal’ in terms of the law, it may remain deeply personal and sensitive to the communities it comes from, describes, or is about.
DPUP supports agencies to:
- be clear about the vital importance of purpose when collecting and using people’s personal information
- help people to understand what’s happening with their information and what choices they have
- make it easy for people to see and request correction of their information
- work together for better insights and outcomes.
Although DPUP is not mandatory, agencies are encouraged to adopt it in a way that makes the most sense for their agency, their work and their communities.
Cabinet endorsed DPUP in November 2019.
Introduction to DPUP
Personal and non-personal information
DPUP uses the terms ‘personal information’ and ‘non-personal information’.
- Personal information is information that does, or could be used to, identify individual people.
- Non-personal information does not identify individual people, and cannot be used to, even if it is combined with other information.
DPUP states when its advice applies to personal information, non-personal information, or both. It also uses the terms ‘data’ and ‘information’ interchangeably.
DPUP consists of 5 Principles and 4 Guidelines. These make up the policy. It also includes practical guidance that wraps around the policy, so agencies can use it in their work.
The Principles focus on values and behaviours. The Guidelines bring the Principles to life by explaining good practice in critical areas that make the most difference. This has a significant impact on people’s trust and confidence.
Although the Principles and Guidelines are different, they overlap and this is intentional.
These define a common set of values and behaviours. They help agencies to provide people with respectful and transparent interactions and practices.
Because the Principles have people and their wellbeing at the centre, the focus for agencies is on relationships, rather than rules. It’s a way of working that respects people, their information and their stories.
The Principles were developed to respect and acknowledge cultural considerations. A range of Māori stakeholders contributed to the Principles, and their names and meanings.
The 5 Principles are:
- Focus on improving people’s lives — individuals, children and young people, whānau, iwi and communities.
- Strive to create positive outcomes from any collection, sharing or use of data and information.
- Use checks and balances, and ensure that the information collected or used is reasonably necessary for the purpose.
- Respect and uphold the mana and dignity of the people, whānau, communities or groups who share their data and information.
- Recognise and incorporate diverse cultural interests, perspectives and needs.
- Include and involve service users whenever possible.
- Incorporate people’s views when they have a specific interest in what is done with their information.
- Empower people by giving them choices and enabling their access to and use of their data and information.
- Where possible, give people choices and respect the choices they make.
- Give people easy access to and oversight of their information wherever possible.
- Act as a steward in a way that people understand and trust.
- Recognise you are a kaitiaki rather than an owner of people’s information.
- Be open and transparent — support people’s interest or need to understand.
- Keep data and information safe and secure and respect its value.
- If there’s a privacy breach, act quickly and openly.
- Work as equals to create and share valuable knowledge.
- Work with other agencies to create and share value together.
- Carefully share relevant information so people get the support they want and need.
- Grow collective knowledge and improve services through 2-way sharing of non-personal information.
These key activities describe good practice and ways to apply the Principles to an agency’s everyday business. The Guidelines help agencies to understand and apply good practice, including many key aspects of the Privacy Act 2020, in relation to these activities.
Agencies need to apply the Guidelines in a way that makes sense for the:
- type of work they do
- people they work for
- range and sensitivity of information they hold about people.
The 4 Guidelines include:
- Be clear about the purpose of collecting or using people’s information. Collect only what is needed.
- Consider how using people’s information might affect their wellbeing and their trust in those using it.
Transparency and Choice
- Be transparent and help people understand why their information is needed and what happens with it.
- As much as possible, support their choices about what they want to share and how they want it used.
Access to Information
- Be proactive about supporting people to understand what information is held about them, their rights to access it and ask for corrections to be made.
- Look for ways to make this easy and safe for service users.
- Work together to ensure information used to create insights is relevant and usefully describes real experiences.
- Share insights to help grow knowledge and support wellbeing.
The practical guidance under ‘Before you start to use DPUP’ and ‘Use DPUP in your work’ includes information, examples and resources to support you in applying DPUP in your everyday work.
The guidance helps you to:
- develop a good understanding of DPUP
- plan for adopting DPUP in your organisation
- apply DPUP in your work.
If you have questions about DPUP, or want a PDF of the policy, email email@example.com.