Privacy and dealing with information about people
The Government should respect privacy interests of people and ensure that the collection, use, and disclosure of information about identifiable people is done consistently with those interests. The unnecessary collection, misuse or perceived misuse, or unauthorised disclosure of personal information erodes the community’s trust in the Government and other institutions, and can make it harder to collect information in the future. Further, other countries may be reluctant to share information with New Zealand if our law does not give proper respect to privacy rights.
If new policy is being developed that proposes the handling of personal information (that is, information about a person that either identifies or is capable of identifying that person), officials must first consider whether the proposed action is governed by the Privacy Act 1993. That Act applies to both public sector and private sector agencies and establishes a set of information privacy principles for the handling of personal information. The two key concepts in the Act are purpose and transparency. If the personal information is already held by a public body for another purpose, officials must consider whether the proposed use falls within the purposes for which the personal information was originally collected, and whether those purposes have been communicated to the individuals concerned, before developing legislation that permits a new use or disclosure of that information.
Any policy development that affects personal information should include a Privacy Impact Assessment at an early stage to assess the extent of the impact on privacy and how that impact can be managed in the policy development process.
If the proposed handling of personal information is not authorised by the Privacy Act 1993 or other legislation (and authorisation under an approved information sharing agreement under that Act would be insufficient or inappropriate), new legislation may be required. In designing legislation, officials must know what they want to do and what personal information is required to do it. Legislation relating to personal information needs to clearly set out the particulars of the information to be collected, the purpose or purposes for which the information may be used, and to whom the information may be disclosed and why.
While this chapter focuses on how public sector agencies handle personal information, the Privacy Act 1993 and codes of practice also apply to private sector agencies. This chapter will therefore be relevant to legislation that affects or authorises the handling of personal information by private sector agencies.
Privacy Commissioner, Privacy Impact Assessment Toolkit (2015).
Is the legislation consistent with the requirements of the Privacy Act 1993 and that Act’s 12 information privacy principles?
Legislation should be consistent with the requirements of the Privacy Act 1993, in particular the information privacy principles.
The 12 information privacy principles are the cornerstone of the Privacy Act (and can be found in section 6). They address how agencies may collect, store, use, and disclose personal information. They also allow a person to request access to and correction of their personal information. Many of the information privacy principles have in-built exceptions, and Part 6 of the Privacy Act has further exemptions.
The policy objective will sometimes justify an inconsistency with the privacy principles. Section 7 of the Privacy Act provides that legislation that is inconsistent with the privacy principles will take precedence. There is then no need for legislation overriding the Act to contain an express override provision. However, any override of the Act requires a policy decision and the reasons should be clearly identified in the Cabinet papers.
If that occurs, the policy should be developed so as to minimise the inconsistency. If there is any ambiguity regarding an inconsistency with the Privacy Act, the courts may prefer an interpretation of the legislation that involves the least impact on the privacy interests of individuals.
The design of any legislative provision that overrides the privacy principles, in particular principles 10 and 11 (relating to the use and disclosure of personal information), should reflect as necessary the principles of specificity, proportionality, and transparency. Consultation with the Office of the Privacy Commissioner and the Ministry of Justice will help to identify the necessary design features.
The Cabinet Manual requires Ministers to draw attention to any aspects of a bill that have implications for, or may be affected by, the principles in the Privacy Act 1993, when submitting bids for bills for the legislative programme. Similarly, it requires Ministers to confirm compliance with those principles when subsequently submitting the bill to the Cabinet Legislation Committee for approval for introduction.
Previously, the Guidelines indicated that if proposed legislation would be inconsistent with the information privacy principles, that should be explicitly stated in the legislation. That advice has been amended because it could be misleading.
Cabinet Office, Cabinet Manual 2017 at 7.65–7.66.
Does the new legislation comply with any relevant code of practice issued by the Privacy Commissioner?
The design of new legislation must take account of any applicable code of practice.
The Privacy Commissioner issues codes of practice, which may modify or apply the information privacy principles to any specified information, agency, activity, industry, profession, or calling (or class of such thing). Codes of practice are disallowable instruments but not legislative instruments and are enforceable through the Privacy Commissioner’s investigation and complaints process and proceedings in the Human Rights Review Tribunal.
A list of the currently applicable codes of practice can be found on the Privacy Commissioner’s website.
New legislation should only provide authority for information sharing where the sharing cannot be undertaken using one of the existing mechanisms in the Privacy Act 1993 (for example, an approved information sharing agreement), or where using those mechanisms is not sufficient for the policy purpose.
Disclosing information about identifiable individuals between agencies for the purposes of delivering public services can be appropriate provided the privacy risks are managed well. However, information sharing to deliver public services must have clear legal authority. That authority may already be provided under the Privacy Act by the exceptions to the information privacy principles or by a code of practice. For example, information may be disclosed for a purpose directly related to the purpose for which it was obtained or when disclosure is necessary to prevent or lessen a serious threat to public health or public safety. There may also be existing authority under Part 10 (information matching), Part 10A (identity information), or Part 11 (law enforcement information) of the Privacy Act.
If there is no such authority, or the available authority is partial or uncertain, an approved information sharing agreement (AISA) under Part 9A of the Privacy Act 1993 may provide the necessary authority without the need to resort to a new Act. AISAs are information sharing agreements approved by the Governor-General, by Order in Council on the recommendation of the relevant Minister. An AISA may grant an exemption to, or modify, one or more of the privacy principles or a code of practice (except in respect of principles 6 and 7 relating to access and correction rights). The Office of the Privacy Commissioner has published guidance for creating AISAs. Departmental legal advisers, the Office of the Privacy Commissioner, and the Ministry of Justice should be consulted to ascertain whether there is already authority for information sharing or whether an AISA could provide that authority.
If there is no existing authority for proposed information sharing between agencies and an AISA would be insufficient or inappropriate, new legislation may be required. Generally, a new Act to authorise information sharing will only be required to overcome a statutory prohibition or restriction preventing it. However, in some cases a new Act may be justified in other circumstances, for example where an Act would provide greater transparency than regulating the disclosure under one or more AISAs. This should be weighed against the risk that a specific legislative disclosure regime will forgo the flexibility inherent in the Privacy Act, the safeguards provided by that Act, and the benefit of case law developed around it.
New legislation should use the existing complaints process under the Privacy Act 1993 unless there is a good reason not to do so.
The Privacy Act 1993 provides a comprehensive system for dealing with complaints arising from alleged breaches of the information privacy principles. This includes a complaints investigation process by the Commissioner and proceedings before the Human Rights Review Tribunal.
New legislation should adopt the Privacy Act complaints procedure. Such new legislation should include clear words that incorporate the complaints procedure (see section 66 of the Human Assisted Reproductive Technology Act 2004). Good reasons must exist to create any new complaints and review procedures.
Have the Privacy Commissioner, the Ministry of Justice and the Government Chief Privacy Officer (GCPO) been consulted?
The Privacy Commissioner, the Ministry of Justice and, when appropriate, the GCPO should be consulted when developing new policies and legislation that may affect the privacy of individuals.
The Privacy Commissioner and Ministry of Justice should always be consulted where policy and legislative proposals potentially affect the privacy of individuals. In addition, the following uses of information raise specific issues on which further advice should also be sought from legal advisers, the Privacy Commissioner, and the Ministry of Justice:
- Public register—A database or register that contains personal information and that members of the public can search through.
- Personal information sharing—Including either approved information sharing agreements (under Part 9A of the Privacy Act) or information matching regimes (under Part 10 of the Privacy Act).
- Transfer out of New Zealand—Sending information by any method to a body outside New Zealand (such as the sending of passport data to the border agencies of other countries or authorising banking records to be held overseas). Information sent outside New Zealand may no longer have the protection of the Privacy Act 1993 or other New Zealand laws or values. Also, the receiving jurisdiction may not have comparable safeguards to those found in New Zealand law. An appropriate level of additional safeguards should therefore be provided.
Statistics New Zealand, which leads the government’s work on data and analytics, should be consulted on proposed approved information sharing agreements.
Finally, if legislation is to propose sharing court information, the Ministry of Justice should be consulted and consideration given to consulting the judicial branch (through the Ministry of Justice).
The Privacy Commissioner has a number of functions in respect of privacy, including examining proposed legislation that makes provision for the collection of personal information by any public sector agency or the disclosure of personal information by one public sector agency to another: Privacy Act 1993, section 13(1). The Ministry of Justice administers the Privacy Act 1993.
Privacy Commissioner, Drafting suggestions for departments preparing public register provisions (2007).
Privacy Commissioner, Approved Information Sharing Agreements (2015); Privacy Commissioner, Privacy Commissioner’s Views On The Information Matching Guidelines (2006).
The GCPO leads an all-of-Government approach to privacy, including setting standards, developing guidance, building capability within agencies, and providing assurance to Government.