Privacy and dealing with information about people
The Government should respect privacy interests and ensure that the collection of information about people is done in a transparent manner, where the type and amount of information collected and what is done with that information are clearly explained. Maintaining the community’s trust that government will respect privacy interests is key to the Government’s ability to collect the information it needs to provide many public services.
The Privacy Act 1993 governs the way that the Government and private sector organisations must handle personal information. The Privacy Act will be engaged if the new legislation involves the handling of information about a person that either identifies or is capable of identifying that person (defined as “personal information”).
- The Privacy Commissioner is an Independent Crown Entity charged with monitoring the protection of New Zealanders’ privacy rights.
- The GCPO’s role is to provide expert guidance and internal advice on privacy issues to the Government.
The Cabinet Manual requires Ministers, when submitting bills for the legislative programme, to draw attention to any aspects of a bill that have potential implications for, or may be affected by, the Privacy Act (see paragraph 7.60(c)).
Any policy development that involves personal information should involve a Privacy Impact Assessment at an early stage to assess the extent of the impact and how it can be managed in the policy development process.
While this chapter focuses on how the public sector handles personal information, the Privacy Act also applies to how the private sector handles personal information (such as credit reports and banking information). The Privacy Act and many of the considerations in this chapter will therefore be relevant to legislation that affects or authorises the handling of personal information by private sector bodies.
Is the legislation consistent with the requirements of the Privacy Act 1993 and its 12 Information Privacy Principles?
Legislation should be consistent with the requirements of the Privacy Act 1993, in particular the Information Privacy Principles.
The two key concepts in the Privacy Act are purpose and transparency. You must know what you want to do and what personal information you need to do it, and you must clearly communicate both those aspects to those whose information is involved. Where relevant, legislation should clearly state its relationship with the Privacy Act and explicitly address whether the Privacy Act does or does not apply, or where parts of the Privacy Act do not apply.
The personal information that is required may already be held by a public body for another purpose. Whether the proposed use falls within the purposes for which the personal information was originally collected, and whether those purposes have been communicated to the individuals concerned, should be considered before developing legislation that permits a new use or disclosure of information that is already held.
The 12 Information Privacy Principles are the cornerstone of the Privacy Act (and can be found in s 6). They address how agencies and private sector bodies may collect, store, use, and disclose personal information. They also allow a person to request access to and correction of their personal information. Many of the Information Privacy Principles have in-built exceptions, and Part 6 of the Privacy Act has further exemptions for them. For more guidance, consult the Privacy Commissioner’s website.
Legislation may be inconsistent with the Privacy Act, but this must be explicit in the legislation. A full explanation will also need to be provided to the relevant Cabinet Committee as to why the inconsistency with the Privacy Act in the proposed legislation is necessary to achieve the policy objectives.
Where the policy objective requires an inconsistency with the Privacy Act, the legislation should be drafted so as to minimise the inconsistency. If there is any ambiguity regarding an inconsistency with the Privacy Act, the courts may prefer an interpretation of the legislation that involves the least impact on the privacy interests of individuals.
The design of new legislation must take account of any applicable Code of Practice.
The Privacy Commissioner issues Codes of Practice that may modify the application of or replace the Information Privacy Principles (such as in respect of health information). Codes of Practice have the force of regulations and are enforceable through the Privacy Commissioner and the Human Rights Review Tribunal.
Legislation can be inconsistent with a Code of Practice, but this intention must be clear on the face of the legislation.
A list of the currently applicable Codes of Practice can be found on the Privacy Commissioner’s website.
Consult the Privacy Commissioner, the Ministry of Justice and the GCPO when developing new policies and legislation that may affect the privacy of individuals.
The Privacy Commissioner and Ministry of Justice should always be consulted where policy and legislative proposals potentially affect the privacy of individuals.
The following uses of information raise specific issues on which further advice should be sought from legal advisers, the Privacy Commissioner, the Ministry of Justice, and the GCPO:
- Public register: A database or register that contains personal information, and that members of the public can search through.
- Information matching: The comparison by electronic means of one set of records held by one agency with those held by another agency to find records in both sets of data that are about the same person.
- Information sharing: The sharing of information between agencies (including between public and private agencies) to provide public services. New information sharing arrangements that would otherwise breach the Privacy Act should be governed by an Approved Information Sharing Agreement (“AISA”). The Ministry of Justice has produced guidance on AISAs.
- Transfer out of New Zealand: Sending information by any method to a body outside New Zealand (such as the sending of passport data to the border agencies of other countries or authorising banking records to be held overseas). Information sent outside New Zealand may no longer have the protection of the Privacy Act 1993 or other New Zealand laws or values. Also, the receiving jurisdiction may not have comparable safeguards to those found in New Zealand law. An appropriate level of additional safeguards should therefore be provided.
New legislation should use the existing complaints process under the Privacy Act 1993 unless there is a good reason not to do so.
The Privacy Act 1993 provides a comprehensive system for dealing with complaints arising from alleged breaches of the Privacy Act 1993. This includes a complaints investigation process by the Commissioner and proceedings before the Human Rights Review Tribunal.
New legislation should adopt the Privacy Act complaints procedure. Such new legislation should include clear words that incorporate the complaints procedure (see s 22F(4) of the Health Act 1956 or s 11A(7) of the Social Security Act 1964). Good reasons must exist to create any new complaints and review procedures.
The full range of consequences of creating legislation that does not comply with the Privacy Act 1993 should be considered.
The misuse or perceived misuse of personal information erodes the community’s trust in the Government and other institutions, and can make it harder to collect information in the future. Further, other countries may be reluctant to share information with New Zealand if this country does not give proper respect to privacy rights.