Personal information can be shared between agencies using AISAs, IMAs, MoUs and Information Privacy Principle 11 exceptions.
The Privacy Act and information sharing
The Privacy Act is the primary legislation governing information sharing in New Zealand. Legislation specific to an agency may also mandate how an agency can collect, use and/or disclose personal information.
The Privacy Act also provides the Privacy Commissioner with the power to authorise the disclosure of personal information that would otherwise breach Information Privacy Principle (IPP) 11 in special circumstances where:
the public interest in the disclosure outweighs the privacy interests of the individual, or
the benefit of the disclosure to the individual outweighs the privacy interests of the individual (for example, where there’s a direct financial benefit associated with the disclosure to the individual).
An agency will need to consider which of the following information sharing instruments will best facilitate the achievement of their desired outcomes.
Where an AISA, IMA or MoU is utilised, details of the disclosure should be included in the relevant privacy notice.
Approved Information Sharing Agreements (AISAs)
An AISA is a formal agreement created under the Privacy Act that allows personal information to be shared between (or within) agencies within New Zealand for the purpose of delivering public services.
At least 1 of the agencies that enters into an AISA must be a public sector agency.
An AISA authorises agreed departures from the Information Privacy Principles (except IPPs 6 (access) and 7 (correction)) if there’s a clear public policy justification and the privacy risks of doing so are managed appropriately. In practical terms, this may change how personal information is able to be:
collected
stored
checked
used
disclosed
exchanged.
If necessary, an AISA can also authorise assigning a unique identifier to an individual, or assigning a unique identifier that has been assigned by another agency.
Developing an AISA requires a considerable amount of time and effort (approximately 18 months to 2 years). It’s important for an agency to consider whether other information sharing options may be able to satisfy their requirements.
Developing an AISA requires the following:
problem identification (gap analysis) and identification of policy options
completing a business case and cost/benefit analysis
preparing an AISA and operating procedures
preparing a Privacy Impact Assessment
preparing a Regulatory Impact Assessment
consulting with relevant groups, stakeholders and the public
consulting with the Privacy Commissioner
obtaining top level approvals (Ministerial and Cabinet) on 2 or more occasions.
The Privacy Act 2020 provides that no new IMA provisions can be created. IMAs can be entered into where provisions already exist. The Privacy Commissioner may require agencies with already existing IMAs to regularly report on the operation of their information matching programmes.
An Information Matching Agreement (IMA) was an agreement created under Part 10 of the Privacy Act 1993. Information matching involves the comparison of 1 set of records with another, generally to find records in both sets of data that relate to the same person. An IMA was only able to be created in accordance with an enabling legislative provision.
An example of an already existing IMA is the Ministry of Social Development’s StudyLink, which compares lists of students enrolled at educational institutions with student allowances and loans to confirm their entitlement.
Another example is the Electoral Commission, which matches the list of people obtaining a driver licence with the electoral roll to identify people who are eligible to vote but haven’t enrolled, so that it can invite them to enrol or update their details.
When agencies intend to regularly share information they’ll often enter into a Memorandum of Understanding (MoU). An MoU is a form of information sharing agreement that sets out:
the parties involved
the information that will be shared
the legal basis for sharing
the purposes for which the information can be used
the retention period for the information.
Unlike an AISA, an MoU cannot legitimise disclosures that would otherwise be unauthorised under the Privacy Act, and it cannot vary the privacy principles.
Information Privacy Principle (IPP) 11 exceptions
An agency can only disclose personal information if the proposed disclosure satisfies 1 of the exceptions listed in IPP 11.
The exceptions include where the disclosure has been authorised by the individual, to avoid prejudice to the maintenance of the law, and when the information is used in a form in which the individual concerned is not identified.
The IPP 11 exceptions can usually only be used on a case-by-case basis. So, an agency cannot usually rely on IPP 11 exceptions in relation to a proposed bulk sharing of personal information.