When to work through checks and balances

The Data Protection and Use Policy (DPUP) Purpose Matters Guideline emphasises the importance of:

• getting the purposes of collection right
• only collecting what’s reasonably necessary for those purposes
• taking care to avoid unintended adverse consequences.

To achieve this, agencies should use checks and balances described in the section ‘Suggested checks and balances’ below, to test their initial thinking around information collection – what’s their purpose and is it necessary or appropriate.

It is important to do this when an agency:

• is unsure about how it is articulating the purpose of collection, for example whether it’s precise enough and covers all genuine purposes or whether it could lead to overcollection of personal information
• identifies a risk that others, particularly service delivery organisations and service users, could be concerned about
• is unsure whether the purpose of collection is sufficiently connected to the agency’s functions or activities
• operates in a complex legislative environment — that is, in addition to the Privacy Act, an agency has powers or is subject to constraints in specific legislation that applies to that agency
• proposes to collect sensitive information or information that could be perceived to have no logical connection to the stated purposes
• is considering information that could be used to discriminate against people, for example, gender, marital status, ethnicity, religious belief, sexual orientation, or mental or other health information
• is collecting the information or using it for a stated purpose in a manner that could adversely affect the trust and confidence people have in the agency, or run the risk of people in need not asking for the help that’s available to them.

Agencies should also note that poorly written purpose statements could result in:

• service users or other agencies complaining
• the Privacy Commissioner enforcing measures.

Under the Privacy Act 2020, the Privacy Commissioner can issue a compliance notice if they believe one of the Privacy Act 2020’s information privacy principles (IPPs) has been breached, for example, IPP1 on the purpose of collection or IPP3 on what a collecting agency needs to tell individuals.

A compliance notice describes the breach and requires the agency to remedy it. It can be issued if no harm has occurred.

IPP1: Purpose for collection of personal information — Office of the Privacy Commissioner

IPP3: Collection of information from subject — Office of the Privacy Commissioner

Suggested checks and balances

To ensure that its purpose of collection and its privacy statement are clear and comply with the Privacy Act 2020, an agency may wish to seek:

• input from a privacy consultant
• legal advice from a lawyer with a solid understanding of privacy law
• advice from an appropriate review group or panel if ethical questions arise, for example, Data.govt.nz’s Data Ethics Advisory Group
• input from other agencies including, where relevant, service delivery organisations who have a relationship with service users
• information from service users or service user representatives.

What is a privacy statement and what to include — Office of the Privacy Commissioner

Agencies may also wish to:

• check with a line manager, and get their opinion
• ask the agency’s privacy officer for help
• undertake a privacy impact assessment or, if available, apply a framework like the Ministry of Social Development's Privacy, Human Rights and Ethics (PHRaE) framework (PDF 258KB)
• raise any risks or uncertainties about the proposed purposes of collection and the information to be collected with the agency’s executive management team
• consult relevant Māori groups if the collection or use could have a distinct impact on Māori, or raise concerns for Māori
• consider whether to establish or seek advice from a review board, external reference group, ethics committee or client reference group
• consult the Office of the Privacy Commissioner.