Purpose Matters: Be clear about purpose and use
The Data Protection and Use Policy (DPUP) helps agencies fully understand and carefully explain their purposes of collection from the start.
Use personal information only for the collection purpose
Ordinarily, personal information should only be used for the purpose it was collected for unless another proposed use is permitted by:
- the exceptions in the Privacy Act 2020’s information privacy principle (IPP) 10 — Limits on use of personal information
- a specific statutory provision.
As the Office of the Privacy Commissioner (OPC) observes, the “effect of [IPP10] is to ensure agencies are accountable for their actions when collecting information by prohibiting them from ‘repurposing’ information”.
This makes it important for collection agencies to fully understand and carefully explain their purposes of collection at the outset. Agencies need to ensure their genuine proposed uses are covered, while always bearing in mind they should not collect personal information if:
- it is not reasonably necessary for lawful purposes connected with their functions or activities, or
- the collection is under a specific statutory collection provision, and the collection exceeds the bounds of the provision.
It is generally acceptable for an agency to have and communicate more than one purpose for collecting personal information if, at the time of collection, it genuinely proposes to use the information for more than one purpose. All stated purposes must be lawful purposes connected with the agency’s functions or activities.
However, it is not acceptable for agencies to include vague catch-all purposes to ‘hedge their bets’ that they might want to use the information sometime in the future. Agencies need to be able to show that the stated purposes of collection cannot be carried out without the collected information. Otherwise they run the risk of acting unlawfully.
In addition, collecting people’s information and then doing nothing of value with it can erode people’s trust and confidence in the collecting agency.
‘Directly related purpose’ exception relies on a clear original purpose
Under IPP10, personal information can only be used for another purpose if an agency believes on reasonable grounds that one of the IPP10 exceptions applies.
An exception is that the purpose of using the information is directly related to the purpose the information was obtained for. If an agency has not clearly defined the original purpose of collection, relying on this ‘directly related purpose’ exception could be difficult.
Sometimes people wonder if a proposed use is directly related to the purpose the information was obtained for. The OPC has a useful summary of what needs to be considered.
Clarity of other purposes also important
If an agency wishes to use personal information for a purpose other than the original purpose of collection, it’s important the agency is clear about and documents the nature and scope of that other purpose. There are 2 reasons for this:
- to ensure that the other purpose is lawful by checking it against either IPP10 or, if a specific statutory provision authorises other uses, against that provision
- to have a record of the purposes personal information is being used for and why each kind of use is allowed.
If the documented other purpose is not lawful under either IPP10 or a specific statutory provision, then the personal information should not be used for that other purpose.
Purpose of proposed ‘alternative use’ needs to be clear
There are various contexts in which specific statutory provisions authorise the use of personal information for purposes that are different to the original purpose of collection.
Under Section 126 of the Housing Restructuring and Tenancy Matters Act 1992, the Ministry of Social Development may use information obtained under a part of that Act, in its role as social housing agency, to perform its functions, duties, and powers under the Social Security Act 2018. Even here, the purpose of a proposed alternative use needs to be clear before relying on the specific statutory provision. This ensures the use is covered by the provision.
If an agency is not clear about the purpose of its proposed alternative use, then that use may not be covered by the provision and be permitted under IPP10. In that case, the agency’s use of the information (depending on the circumstances) could be an ‘interference with privacy’ under the Privacy Act 2020.
An ‘interference with privacy’ occurs where, for example, there is a breach of an IPP in the Privacy Act 2020 and that breach causes one or more individuals to suffer harm.