Purpose Matters: Assess purpose and only collect what is needed
Agencies should assess the purpose of collecting personal information to ensure they are collecting only what’s needed.
Assess the purpose for collection
When assessing the purpose of collecting personal information and the kinds of information to be collected, agencies should:
- be clear about the outcomes to be achieved
- be clear about the method that will be used to achieve the outcomes
- consider in what context the information will be collected and used.
Clarity in these areas can help an agency to:
- formulate the purpose of collection
- assess if that purpose relates to the agency’s functions or activities
- assess what personal information is needed to achieve the outcome
- determine if the collection is ethically justifiable and aligns to respectful practice (even if it will tick all legal boxes).
Be clear about the outcomes
To have clarity of purpose it’s necessary to understand why data or information is being collected — that is, the outcome or result of using it.
This should be well-defined and easy for a range of people, including service users, to understand. It should be written down. Recording it:
- helps agencies to think clearly
- captures information that needs to be communicated to service users — either directly, if the collecting agency is collecting the information directly from service users, or through another agency that is collecting the information from service users
- provides the basis for the collecting agency to determine if proposed future uses or disclosures of the information are for a purpose it was collected for or a directly related purpose.
Without clarity, an agency may not be able to determine if it’s necessary to collect the information it proposes to collect. In that event, the agency’s collection may breach the Privacy Act 2020’s information privacy principle 1 (IPP1) — Purpose of collection of personal information or, where relevant, not fall within a specific statutory collection power the agency is aiming to use.
Who the outcomes serve
When considering the outcomes, it can be helpful to reflect on who the outcomes serve:
- Do the individuals the information is collected from benefit, or do other people or does wider society benefit?
- If the benefit is to other people or wider society, what will the people providing the information think about that?
- Even though the Privacy Act 2020 or a specific statutory provision may allow the collecting, is using the information to benefit others ethically justifiable?
Be specific about what the information will be used for
Agencies need to avoid broad and ambiguous statements of purpose or outcomes. If your agency is collecting information for analysis, policy development or service design, either by itself or in conjunction with other data, you should describe these uses as precisely as possible.
If the results will be used to provide more targeted services and better outcomes for people, then say that, being as precise as possible.
If the results could lead to taking adverse action against people, say that too.
Consider telling people what their information will not be used for
IPP3 — Collection of information from subject — is concerned with telling people about the purposes for which their information will be used. That makes sense, especially when other uses are not permitted unless either an exception in IPP10 — Limits on use of personal information — applies or a separate statutory provision authorises another use. However, agencies cannot expect service users to understand this legal position.
- IPP3: Collection of personal information from subject — Office of the Privacy Commissioner
- IPP10: Use of personal information — Office of the Privacy Commissioner
It can sometimes be helpful to explain to people that, while their information will be used for purposes A and B, it will not be used for purposes X or Y. For example, if your agency is collecting particularly sensitive information about people to provide them with immediate care, and there’s no intention to allow any identifying information to be seen by researchers or other agencies, you could say that.
Similarly, if the information you’re collecting includes unique identifiers like a driver licence number, IRD number or passport number, you might want to tell people their number will not be used to match information you have about them with information another agency has about them. Deciding if it’s a good idea to make statements like this will depend on the context.
This consideration can be particularly important where people may fear their information will be used in a prejudicial manner against them. Taking this approach can help increase people’s levels of comfort with what’s happening with their information.
Be careful with evolving purpose statements
When a policy, service or programme is evolving, an agency may change or refine how it articulates the purpose of a proposed collection before collecting the information. If so, the agency should:
- be clear about which purpose statement is the final one
- state if the final statement is intended to replace earlier explanations.
Having different explanations of the purpose of collection across different policy, service or programme documents can lead to confusion about what the actual purpose of collection is or was. This could result in errors when explaining to people why the information is being collected and how it will be used.
It could also result in service users losing trust in the agency. If there is cause for an investigation into the purposes of collection, different purpose statements over time could result in uncertainty and adverse findings.
Be clear about the method
Why the method is important
As well as having a clear understanding of the outcome, it’s important to consider the method to achieve the outcome. Both the end and the means are important.
Knowing how the information will be processed to achieve the outcome can be relevant to determining if the information being collected can or will contribute to the outcome and, therefore, whether all of it is required to achieve the outcome.
An application form for a service might collect personal information such as a person’s name, date of birth, annual income, address, gender and ethnicity.
However, a tool to process such applications, and designed to match the eligibility criteria for the service, may only need name, date of birth, address and annual income. The agency may have no plans to use the information relating to gender and ethnicity. In that kind of situation, collecting information on gender and ethnicity would be unnecessary and, in all likelihood, unlawful.
Consider different analytical techniques or processes
In some situations, there may be different analytical techniques or processes for achieving an outcome. To achieve the outcome, the different techniques or processes may require more or less personal information, or even no personal information at all (because, for example, it can be de-identified before collection).
If one technique requiring less personal information can easily be deployed over another that requires more personal information, respectful practice means choosing the former technique to minimise the amount of personal information collected.
If a collecting agency needs to know people are over 20 years of age, it might use a tool that asks for a person’s date of birth or age but then uses that to work out if the person is over 20 and only stores a ‘Yes over 20’ response, instead of the date of birth or current age.
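The two examples above (the application form that over-collects gender and ethnicity, and the tool that keeps only a 'Yes over 20' flag instead of a date of birth) can be combined into one minimise-at-collection step. The code below is an added illustration, not from the Guideline; it assumes a hypothetical eligibility tool whose only age-related criterion is a threshold, so the date of birth can be replaced by the derived flag, and it reports any submitted fields the tool does not use so over-collection is visible.

```python
from datetime import date

# Fields the hypothetical eligibility tool actually uses (assumption for this
# example, following the Guideline's name/address/annual income list).
ELIGIBILITY_FIELDS = ("name", "address", "annual_income")
# Inputs needed at the point of collection: the fields above plus the date of
# birth, which is consumed to derive the age flag and then not retained.
NEEDED_INPUTS = ELIGIBILITY_FIELDS + ("date_of_birth",)


def is_over(dob: date, years: int, today: date) -> bool:
    """True if the person has had their `years`-th birthday on or before today.

    A 29 February birthday is treated as falling on 1 March in a non-leap year,
    so the check never raises and never counts someone as older than they are.
    """
    try:
        birthday = dob.replace(year=dob.year + years)
    except ValueError:  # 29 February in a non-leap target year
        birthday = date(dob.year + years, 3, 1)
    return birthday <= today


def over_collected(form: dict) -> list:
    """Names of submitted fields the tool has no use for (e.g. gender, ethnicity)."""
    return sorted(set(form) - set(NEEDED_INPUTS))


def minimise_application(form: dict, today_iso: str, age_threshold: int = 20) -> dict:
    """Project a submitted form onto what the service needs.

    Keeps only the allowlisted fields, replaces the date of birth with a
    boolean over-threshold flag, and drops everything else.
    """
    record = {k: form[k] for k in ELIGIBILITY_FIELDS if k in form}
    dob = date.fromisoformat(form["date_of_birth"])
    record["over_%d" % age_threshold] = is_over(dob, age_threshold, date.fromisoformat(today_iso))
    return record


if __name__ == "__main__":
    # Constructed sample submission; the extra fields are not needed by the tool.
    submitted = {
        "name": "A. Person", "date_of_birth": "2004-02-29", "address": "1 Example St",
        "annual_income": 42000, "gender": "F", "ethnicity": "Not needed here",
    }
    print("over-collected:", over_collected(submitted))
    print("stored record :", minimise_application(submitted, "2024-02-29"))
```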
Collecting agencies that need help with this can reach out to others with relevant experience or expertise. Depending on the context, it might be helpful to seek advice from other agencies such as Stats NZ, frontline non-governmental organisations (NGOs), service user representatives, the Office of the Privacy Commissioner or the Government Chief Privacy Officer.
Should agencies collect personal information from every service user all the time?
In some situations, an agency may propose to collect information from a wide group of people to achieve a stated purpose or outcome. However, the group may have different subgroups or be made up of people with different service needs, sensitivities or fears.
At a macro level, it may be reasonable to conclude that it’s reasonably necessary to collect personal information from members of the wide group of people to achieve the stated purpose. However, it does not necessarily follow that the information needs to be collected from every member of the group, all the time, and regardless of individuals’ different service needs, sensitivities or fears. That depends on the context.
The key point is to consider whether the purpose can be achieved if only a proportion of people in the group provide the information requested. If the answer is yes, it may be helpful to assess whether allowing people to opt out of providing the information is feasible. If it is, the collecting agency can then consider whether anyone in the wider group should be given this option or whether there are particular subgroups of people, for example, vulnerable people needing services for particularly sensitive issues, that should be given the opportunity to opt out.
If opting out is not feasible, another option might be to allow people, or particular subgroups, to provide their information anonymously. Or, if the collecting agency (Agency A) is collecting information from another agency or organisation (Agency B) that collects personal information directly from individuals, it may be possible for Agency A’s purposes to be achieved by collecting information from Agency B that has been anonymised or de-identified prior to disclosure to Agency A.
When IPP1 applies, these considerations are directly relevant to whether the collecting agency can conclude that it’s always reasonably necessary to collect the personal information from everyone, all the time.
The wider and more diverse a group is, or the longer the period of information collection is likely to be, the more important this question may become.
If agencies collect information from one channel or into 1 repository
Sometimes agencies collect different kinds of personal information for different purposes but through a single collection channel and into a single location. In other situations, an agency might use different collection channels but collate all the information into a single repository or output, such as a spreadsheet.
If there are several groups within an agency who need to have access to different kinds of personal information, having all the information in 1 location or repository could result in some staff having access to personal information they do not need to see and which, therefore, they should not see.
This could also be contrary to IPP5 — Storage and security of personal information. Under IPP5, agencies need to ensure that personal information they hold is protected by reasonable security safeguards “against ... access, use, modification, or disclosure that is not authorised by the agency”.
In this kind of situation, part of the method for achieving the outcomes (that is, the means for collecting and collating the information) may be inappropriate and needs to be reconsidered. This can be particularly important as service users can get understandably worried about too many or the wrong people having access to their personal information.
Consider the context
Relevance of context
Context matters because it influences how people might feel about the collection or use of their personal information for particular purposes or how much information is collected, and that, in turn, may affect their wellbeing.
It also affects the kinds of checks and balances an agency may decide to work through before collecting, using or sharing personal information for a particular purpose — especially if there’s any risk that collecting, using or sharing personal information in the manner proposed could do, or be perceived to do, more harm than good.
Context can also be relevant to the collection, use or sharing of information that has been de-identified, in the sense that it will not be possible to identify specific individuals from the de-identified information. This is because de-identified information can still contain information that some individuals, groups or cultures may find sensitive.
It can be particularly important to remember that, while the Privacy Act 2020 is concerned with the privacy of individuals, we live in a society where broader groups have legitimate privacy interests.
The Privacy Act 2020’s controls may fall away once personal information has been fully de-identified in the sense described above, but the remaining information could still be sensitive to, for example, whānau, hapū, iwi, Māori, other cultural groups or other societal groups.
The next part of this Guideline provides guidance on potentially relevant contextual matters and describes some specific issues that may be particularly important in some situations.
Questions to consider
The following are some contextual matters to consider in decision-making.
Who collects the information from service users?
- Will your agency collect the information from service users? If not, which agency will or did collect it from them?
- If another agency will or did collect the information you want to use, will the service users be told, or were they told that your agency would receive their information?
- If not (and assuming the original collecting agency is permitted to disclose it to your agency and that your agency is permitted to collect it), how might they feel about your agency having their information? Could your agency’s use of their information be distressing to them or otherwise adversely affect their wellbeing?
What type of service does the information relate to?
Generally speaking, the more sensitive, urgent or acute a service is for people, the more important it becomes to take people’s wellbeing into account when considering:
- the purposes their information will be collected for (especially if those purposes entail disclosures to others)
- how much will be collected.
An agency provides a support service to victims of serious crime. The nature of that service and what the victims have experienced are highly relevant to:
- the purposes their personal information might be collected for
- how much personal information might be collected
- how their personal information might be used and shared with others.
This is the case regardless of what the law may permit.
What is the nature of the information?
- Is the information fairly routine or basic in nature or is it particularly sensitive? For example, is it about service users’ mental health or their attendance in a programme? Consider that, in some situations, information that may sound fairly routine to the collecting agency may actually be quite sensitive for the people asked to provide it.
- If information is collected in circumstances where those providing it do not need to establish their identity, is there a risk of receiving inaccurate information?
- Is there any potential for people to feel judged or discriminated against by an agency using their information in the proposed manner?
- Would the collection or use of the personal information affect people’s trust and confidence in the agency collecting it or using it?
What are the circumstances of the people involved?
- Might the proposed use of service users’ personal information be seen as unrepresentative or reinforcing of stereotypes?
- Is the information about children, people who are marginalised or stigmatised, or people at greater risk of harm, and whose information needs greater protection?
- If the information comes via a service or programme, do the people concerned self-refer or is their attendance compulsory?
This may influence how much choice they have over the collection of their information and how they might feel about that or about it being used for other purposes, even if they’re told about those other purposes when their information is collected.
What is the potential for adverse consequences?
An agency’s purpose for collecting personal information may be related to its functions or activities, well-intentioned and understandable. The collection of personal information to achieve that purpose may appear to be reasonably necessary. It may be consistent with government priorities and policy objectives and, from these perspectives, justifiable. From a legal perspective, it might tick all boxes under IPP1.
Applying the Data Protection and Use Policy (DPUP) He Tāngata Principle, though, means asking whether pursuit of the purpose and the collection of personal information for that purpose could have adverse consequences for people. This is where the Privacy Act 2020’s IPPs are relatively silent. Indeed, there can be instances where a collection and use will not be contrary to any privacy principle but where the potential for adverse consequences, once understood, may prompt reconsideration.
In some situations, particularly where new policies, services or programmes are involved, it may be desirable to consider the ethical considerations of what is proposed. For example, it may be desirable to:
- take both the positive outcomes and the potential adverse consequences into account before proceeding, and to ask if pursuit of this purpose could do more harm than good, even if that’s not the intention
- consider the importance of respecting people’s dignity and treating them in a just manner, consistent with the He Tāngata Principle.
Sometimes, it can help to imagine what is proposed like the scale in Diagram 3. This is a simple representation of what will often be a complex picture (in an actual situation, the positive purposes would be specifically described, and there could be additional or different adverse consequences) but it may help to put matters in perspective and prompt a collecting agency to ask if it has only been thinking about one side of what lies in the balance.
Identifying the adverse consequences may also help an agency to take steps to avoid them while still enabling it to pursue one or more of its original purposes.
Agencies require information from people or from service delivery organisations who collect information. However, if people are afraid of what might happen to them or who might see their sensitive information, they could walk away from services they need. This situation might result in more harm than good. Even when lawful, agencies may need to take care to ensure information collection practices do not deter people from seeking the help they need.
How could linking people’s personal information with other data be perceived?
It is not uncommon for personal information to be collected with a view to linking it with other datasets to yield insights, whether as the sole purpose of collection or as one of the purposes of collection.
If a collecting agency proposes doing this, it needs to be clear about the nature of the proposed linking and how resulting insights will or are likely to be used. This is important to avoid over-collection of personal information and to be able to explain to people how their personal information will be used.
While the law allows this kind of linking in certain situations (each situation needs to be assessed on its merits), it can be important for the collecting agency to ask itself, and sometimes service provider organisations and service users, what people would think about their information being linked up in this way.
This question remains important even when the resulting data will be de-identified or anonymised before further use as some people may still have concerns about information derived from their personal information being used in this way, particularly where the information is sensitive.
If the collecting agency elects to proceed with the collection for linking purposes, the next question needs to be considered.
What should an agency tell people about their personal information being linked with other data?
This topic is part of the Transparency and Choice Guideline, but it is mentioned here as well, given its relationship to the purpose of collection.
From an ethical perspective, and bearing in mind the nature and range of information that circulates among agencies, it is important to explain to service users their data may be linked with other data, regardless of whether the law requires that.
This is not a straightforward point because, under IPP3, one of the grounds for not having to explain the purposes of collection and other matters to people is where the agency believes that the information will be used for statistical or research purposes and will not be published in a form that could identify individuals. If an agency’s linking purposes fall squarely within this exception, it might conclude that it does not need to tell people about the linking and how the insights will be used.
However, there is nothing sufficiently unique about collecting personal information for statistical or research purposes to justify not telling people that their personal information will be linked with other datasets to yield insights, even where an agency can rely on the IPP3 exception.
What is the potential impact on relationships when personal information is collected from other agencies?
People form trust relationships based on interactions they have with other people. When information is collected by frontline service delivery organisations, such as NGOs, those trust relationships may exist at the local level. They may have developed over time and they may be based on particular approaches to, for example, information disclosure and consent, that the service delivery organisations have followed. In some cases, these approaches may have flowed from codes of ethics that certain service providers need to follow as a matter of professional obligation.
If an agency is proposing to collect personal information from frontline service delivery organisations, it can be important to:
- take existing trust relationships and approaches into account
- ask what impact the agency’s collection from these organisations could have on them and their clients.
It may be important to consult with the organisations and, where appropriate, service users, at an early stage, before collection decisions are made.