Transparency and Choice: Help people to understand
The Data Protection and Use Policy (DPUP) gives agencies advice to help people understand what information they’re being asked to provide, and why.
What people need to be made aware of
Under the Privacy Act 2020’s information privacy principle 2 (IPP2) — Source of personal information, agencies that collect personal information need to collect it directly from the people concerned unless an IPP2 exception applies. This means agencies can ensure they are transparent with people about collecting their information because they are dealing directly with the people.
In addition, information privacy principle 3 (IPP3) — Collection of information from subject, sets out what agencies must make people aware of when collecting their personal information.
- IPP2: Source of personal information — Office of the Privacy Commissioner
- IPP3: Collection of information from a subject — Office of the Privacy Commissioner
This Guideline proposes that ‘ensuring people are aware’ should mean helping them reach a reasonable understanding in a way that makes sense to them at the times that work for them.
The focus of IPP3’s transparency requirements is on ensuring people are aware of:
- what information will be collected from them
- why it’s needed (the ‘purpose’ of collection)
- what choice they have over its collection.
Ideally, this level of understanding should be achieved before the information is collected, but this may not always be possible (or ‘practicable’, as IPP3 puts it). Where it’s not, the agency needs to make people aware ‘as soon as practicable’ after collecting their information. What is practicable will depend on the situation, including the person’s circumstances and the nature of the service that person needs.
The specific matters that people need to be made aware of are:
- the fact that information is being collected, what information is being collected, and why (the purpose their information is needed for)
- who will receive (or be able to see) their information
- if the collection is authorised or required by law, what that law is, and if people can choose whether to provide the information
- what the consequences might be if someone does not provide the information requested
- people’s rights to access and to request correction of their information.
Access to Information Guideline
When agencies do not have to make people aware
There are some limited circumstances where an agency that’s collecting personal information from people does not need to make them aware of these matters. An agency does not need to if it has already done so in relation to the same kind of personal information in the recent past.
The agency also doesn’t need to if it believes on reasonable grounds that:
- not providing that information:
  - would not prejudice the interests of the individual concerned
  - is necessary (in the case of a public sector agency) to uphold or enforce the law, protect the tax base or assist court or tribunal proceedings
- providing that information:
  - would prejudice the purposes of collection
  - would not be reasonably practicable in the particular case
- the personal information collected from the individual concerned will not be used in a form in which the individual is identified or will be used for statistical or research purposes, and will not be published in a form that could reasonably be expected to identify the individual.
Reliance on these grounds is the exception rather than the norm. The default is to provide people with the information required by IPP3. It’s also important to note that many of these exceptions must be considered on a case-by-case basis and do not justify non-compliance with IPP3 for a broad group of service users.
If an agency does not inform people of the matters listed in IPP3 and none of the grounds above applies, the Privacy Commissioner could issue a compliance notice to the agency that describes the breach of IPP3 and requires the agency to remedy it. Compliance notices can be issued in the absence of harm.
What agencies should also consider
While the Privacy Act 2020 does not require agencies to do these things, it is also good practice to explain:
- how people’s privacy will be protected, in terms of safe storage and security of their information and the access controls it will have, consistent with the agency’s obligations under IPP5 — Storage and security of personal information
- how the information will be used to help them or people in similar situations to them (if this is not already part of the communicated purposes of collection) and, where possible, examples of this happening
- if the collected personal information will be matched or linked with other data relating to the same individuals, particularly data sourced from other agencies, the fact that matching or linking will occur, why it is being done and what it could mean for those people
- if relevant, how particular information may be used in a form that does not identify them. People often think of their information as being about them even if it does not identify them and like to know how the information they provide will be used even when identifiers are removed or masked.
IPP5: Storage and security of personal information — Office of the Privacy Commissioner
Under the Privacy Act 2020’s IPP3(4)(e)(i), an agency does not need to tell people about a collection of personal information, its purpose and the other matters listed in IPP3 if the agency believes on reasonable grounds that the information will not be used in a form in which the individual concerned is identified. It may still, however, be good practice for the agency to tell them.
Part 3 of the Privacy Act 2020: Information privacy principles and codes of practice — Parliamentary Counsel Office
Provide clarity about who sees personal information
The question of who can see the often sensitive personal information collected from service users is an important one. This is particularly so if a collecting agency is large and has many different functions, and may share personal information with other agencies.
IPP3 refers only to making people aware of the “intended recipients of the information”. This phrase does not distinguish between recipients. For example, it may mean:
- different people or groups within the agency collecting the information
- different agencies of any kind that may receive the information.
In addition, in the past, the Office of the Privacy Commissioner (OPC) has said it does not require the collecting agency to list every possible person it might pass personal information to — it will be enough to give a general idea of who is likely to see the information and why they might see it.
IPP3: Collection of information from subject — Office of the Privacy Commissioner
At the same time, it’s also clear the OPC considers it can be appropriate to inform people of:
- any other agencies the information may be shared with
- the kinds of people within the collecting agency who will see their personal information.
This Guideline takes the same approach. It’s an important point because this part of IPP3 is often read as relating only to sharing personal information with other agencies.
This can result in little or nothing being said, in privacy statements, for example, about the limited audiences within the collecting agency who can see people’s personal information and that, in turn, can cause worry and concern for service users.
In general, the larger and more multifaceted a collecting agency is, the more important it becomes to explain to service users who within the agency will and will not have access to their personal information. What can be said will depend on the situation and who within the agency may need to see the information.
It’s important to not leave people with the impression that anyone inside the agency will be able to see their personal information, especially when they do not have a genuine need to see it.
Help frontline staff to help service users understand
For a range of reasons, sometimes those collecting personal information directly from people do not know all the reasons why it’s being collected. This is because the decisions about what to collect may have been made by others in their agency, or in parallel with or by another agency. In other words, there can be a knowledge gap between those deciding to collect and those who do the collecting.
Anyone involved in designing information collections or communicating them to others, for example, in contracting documents, needs to help ensure that everyone involved, including those dealing directly with service users, has a good understanding of the ‘what and why’ as outlined in this Guideline. Not doing this may undermine people’s responsibilities, which often flow from legal duties that agencies have to service users.
If those dealing directly with service users do not have a good understanding of why information is being collected, they may not be able to prepare their privacy statements, explain matters proactively or answer service users’ questions.
If you’re collecting personal information from other agencies, they need to understand your purpose of collection. At the same time, those involved with collecting service users’ personal information and, where relevant, those being asked to share it with other agencies, need to feel able to ask ‘why’, safely and confidently, and without fear of negative consequences.
People involved in the chain of collecting, using and sharing information have a right to be given a good answer. Agencies should assume that at some point a service user will ask the same question.
When other agencies need to understand the purpose of collection
Agencies have accuracy obligations
Agencies have a responsibility under IPP8 — Accuracy of personal information to be checked before use or disclosure — to take reasonable steps before using or disclosing personal information to ensure it’s accurate, up to date, complete, relevant and not misleading.
Helping service users to have a good understanding of what’s being collected and the purposes of collection, while proactively providing them with means to access and request correction of their information (or to correct it themselves), can help agencies meet their own obligations under IPP8.
Service users may be more likely to request corrections of their personal information (or, if possible, update it themselves) if they think it’s inaccurate or incomplete.
IPP8: Accuracy of personal information — Office of the Privacy Commissioner