What people need to be made aware of

Under the Privacy Act 2020’s information privacy principle 2 (IPP2) — Source of personal information, agencies that collect personal information need to collect it directly from the people concerned unless an IPP2 exception applies. This means agencies can ensure they are transparent with people about collecting their information because they are dealing directly with the people.

In addition, information privacy principle 3 (IPP3) — Collection of information from subject, sets out what agencies must make people aware of when collecting their personal information.

• IPP2: Source of personal information — Office of the Privacy Commissioner
• IPP3: Collection of information from a subject — Office of the Privacy Commissioner

The focus of IPP3’s transparency requirements is on ensuring people are aware of:

• what information will be collected from them
• why it’s needed (the ‘purpose’ of collection)
• what choice they have over its collection.

Ideally, this level of understanding should be achieved before the information is collected, but this may not always be possible (or ‘practicable’, as IPP3 puts it). Where it’s not, the agency needs to make people aware ‘as soon as practicable’ after collecting their information. What is practicable will depend on the situation, including the person’s circumstances and the nature of the service that person needs.

The specific matters that people need to be made aware of are:

• the fact that information is being collected, what information is being collected, and why (the purpose their information is needed for)
• who will receive (or be able to see) their information
  Provide clarity about who sees personal information
• if the collection is authorised or required by law, what that law is, and if people can choose whether to provide the information
• what the consequences might be if someone does not provide the information requested
• people’s rights to access and to request correction of their information.

Access to Information Guideline

When agencies do not have to make people aware

There are some limited circumstances where an agency that’s collecting personal information from people does not need to make them aware of these matters. An agency does not need to if it has already done so in relation to the same kind of personal information in the recent past.

The agency also doesn’t need to if it believes on reasonable grounds that:

• not providing that information
  
  • would not prejudice the interests of the individual concerned
  • is necessary (in the case of a public sector agency) to uphold or enforce the law, protect the tax base or assist court or tribunal proceedings
• providing that information
  
  • would prejudice the purposes of collection
  • would not be reasonably practical in the particular case
• the personal information collected from the individual concerned will not be used in a form in which the individual is identified or will be used for statistical or research purposes, and will not be published in a form that could reasonably be expected to identify the individual.

What agencies should also consider

While the Privacy Act 2020 does not require agencies to do these things, it is also good practice to explain:

• how people’s privacy will be protected, in terms of safe storage and security of their information and the access controls it will have that is consistent with the agency’s obligations under IPP5 — Storage and security of personal information
• how the information will be used to help them or people in similar situations to them (if this is not already part of the communicated purposes of collection) and, where possible, examples of this happening
• if the collected personal information will be matched or linked with other data relating to the same individuals, particularly data sourced from other agencies, the fact that matching or linking will occur, why it is being done and what it could mean for those people
• if relevant, how particular information may be used in a form that does not identify them. People often think of their information as being about them even if it does not identify them and like to know how the information they provide will be used even when identifiers are removed or masked.

IPP5: Storage and security of personal information — Office of the Privacy Commissioner

Provide clarity about who sees personal information

The question of who can see the often sensitive personal information collected from service users is an important one. This is particularly so if a collecting agency is large and has many different functions, and may share personal information with other agencies.

IPP3 refers only to making people aware of the “intended recipients of the information”. This phrase does not distinguish between recipients. For example, it may mean:

• different people or groups within the agency collecting the information
• different agencies of any kind that may receive the information.

In addition, in the past, the Office of the Privacy Commissioner (OPC) has said it does not require the collecting agency to list every possible person it might pass personal information to — it will be enough to give a general idea of who is likely to see the information and why they might see it.

IPP3: Collection of information from subject — Office of the Privacy Commissioner

At the same time, it’s also clear the OPC considers it can be appropriate to inform people of:

• any other agencies the information may be shared with
• the kinds of people within the collecting agency who will see their personal information.

This Guideline takes the same approach. It’s an important point because this part of IPP3 is often read as relating only to sharing personal information with other agencies.

This can result in little or nothing being said, in privacy statements, for example, about the limited audiences within the collecting agency who can see people’s personal information and that, in turn, can cause worry and concern for service users.

Help frontline staff to help service users understand

For a range of reasons, sometimes those collecting personal information directly from people do not know all the reasons why it’s being collected. This is because the decisions about what to collect may have been made by others in their agency, or in parallel with or by another agency. In other words, there can be a knowledge gap between those deciding to collect and those who do the collecting.

Anyone involved in designing information collections or communicating them to others, for example, in contracting documents, needs to help ensure that everyone involved, including those dealing directly with service users, has a good understanding of the ‘what and why’ as outlined in this Guideline. Not doing this may undermine people’s responsibilities, which often flow from legal duties that agencies have to service users.

If those dealing directly with service users do not have a good understanding of why information is being collected, they may not be able to prepare their privacy statements, explain matters proactively or answer service users’ questions.

When other agencies need to understand the purpose of collection

Agencies have accuracy obligations

Agencies have a responsibility under IPP8 — Accuracy of personal information — to be checked before use or disclosure, to take reasonable steps before using or disclosing personal information to ensure it’s accurate, up to date, complete, relevant and not misleading.

Helping service users to have a good understanding of what’s being collected and the purposes of collection, while proactively providing them with means to access and request correction of their information (or to correct it themselves), can help agencies meet their own obligations under IPP8.

Service users may be more likely to request corrections of their personal information (or, if possible, update it themselves) if they think it’s inaccurate or incomplete.

IPP8: Accuracy of personal information — Office of the Privacy Commissioner