Our State Highway 1 of privacy law
The Privacy Act established a core set of principles relating to the collection, use, storage, disclosure and retention, by public and private sector agencies, of information relating to individuals. It can be thought of as our State Highway 1 of privacy law. Of course, many people are well aware of the Privacy Act and navigate its byways frequently. If that’s you, you can probably skip this one. If not, hopefully it’ll lead you in the right direction and help you avoid any potholes.
The Act’s focus is on the conduct of “agencies”. An agency is any individual, organisation or business, whether in the public sector or the private sector. Certain bodies, such as the Governor-General, Ombudsmen, the courts and the news media, are exempt (section 2(1) definition of “agency”). Subject to those exemptions, the general rule is that if a person or body holds personal information, they have to comply with, among other things, the Act’s information privacy principles.
“Personal information” is “information about an identifiable individual and includes information relating to a death that is maintained by the Registrar-General pursuant to the Births, Deaths, and Marriages Registration Act 1995, or any former Act” (section 2(1)).
Information privacy principles
Section 6 sets out 12 information privacy principles (IPPs) which are summarised below.
Principle 1: Purpose of collection of personal information
Under principle 1, personal information must not be collected unless:
- the collection is for a lawful purpose connected with a function or activity of the agency collecting the information; and
- it is necessary to collect the information for that purpose.
Principle 2: Source of personal information
Under principle 2, personal information must be collected directly from the individual concerned. The exceptions to this are when the agency collecting the information believes on reasonable grounds that:
- the information is publicly available; or
- the individual concerned authorises collection of the information from someone else; or
- the interests of the individual concerned are not prejudiced; or
- it is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings; or
- complying with this principle would prejudice the purposes of collection; or
- complying with this principle would not be reasonably practical in the particular case; or
- the information will not be used in a form that identifies the individual, or will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or
- the Privacy Commissioner has authorised collection under section 54.
Principle 3: Collection of information
Under principle 3, if an agency collects personal information directly from individuals it must, unless an exception applies, take such steps (if any) as are, in the circumstances, reasonable to inform the individuals of:
- the fact that the information is being collected;
- the purpose(s) of collection;
- the intended recipients;
- the names and addresses of who is collecting the information and who will hold it;
- if a specific law governs provision of the information, what the law is and whether provision of information is voluntary or mandatory;
- the consequences if all or any part of the requested information is not provided, and
- the individual’s rights of access to and to request correction of personal information.
The collecting agency doesn’t need to take these steps if it has already done so in relation to the same personal information, or information of the same kind, in the recent past, or if the agency believes on reasonable grounds that:
- non-compliance is authorised by the individual concerned;
- non-compliance will not prejudice the interests of the individual concerned;
- it is necessary for a public sector agency to collect the information to uphold or enforce the law, protect the tax base, or assist court or tribunal proceedings;
- complying with this principle will prejudice the purposes of collection;
- complying with this principle is not reasonably practical in the particular case; or
- the information will not be used in a form in which the individual concerned is identified, or will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.
Principle 4: Manner of collection of personal information
Under principle 4, personal information must not be collected by:
- unlawful means; or
- means that are unfair or intrude unreasonably on the personal affairs of the individual concerned.
Principle 5: Storage and security of personal information
Under principle 5, an agency holding personal information must ensure that:
- there are reasonable safeguards against loss; unauthorised access, use, modification or disclosure; and other misuse;
- if it is necessary to give information to another person, such as someone working on contract, everything reasonable is done to prevent unauthorised use or unauthorised disclosure of the information.
Principle 6: Access to personal information
Under principle 6, where personal information is held in a way that it can readily be retrieved, the individual concerned is entitled to:
- obtain confirmation of whether the information is held; and
- have access to information about them.
An agency may refuse to disclose personal information for a range of reasons, set out in Part 4 of the Act, including that it would:
- pose risks to New Zealand’s security or defence;
- breach confidences with another government;
- prevent detection of criminal offences or the right to a fair trial;
- endanger the safety of an individual;
- disclose a trade secret or unreasonably prejudice someone’s commercial position;
- involve an unwarranted breach of another individual’s privacy;
- breach confidence where the information has been gained solely for reasons to do with the individual’s employment, or to decide whether to insure the individual;
- be contrary to the interests of an individual under the age of 16;
- breach legal professional privilege;
- reveal the confidential source of information provided to a Radio New Zealand or Television New Zealand journalist; or
- constitute contempt of court or the House of Representatives.
Requests can also be refused if, for example, the agency does not hold the information or if the request is frivolous or vexatious.
Principle 7: Correction of personal information
Under principle 7, everyone is entitled to:
- request correction of their personal information;
- request that if it is not corrected, a statement is attached to the original information saying what correction was sought but not made.
If agencies have already passed on personal information that they then correct, they should inform the recipients about the correction.
Principle 8: Accuracy of personal information to be checked before use
Under principle 8, an agency must not use or disclose personal information without taking reasonable steps in the circumstances (if any) to check it is accurate, complete, relevant, up to date, and not misleading.
Principle 9: Personal information not to be kept for longer than necessary
Under principle 9, an agency holding personal information must not keep it for longer than needed for the purpose for which the agency collected it.
Principle 10: Limits on use of personal information
Under principle 10, personal information obtained in connection with one purpose must not be used for another, unless an exception applies.
The exceptions include situations when the agency holding personal information believes on reasonable grounds that:
- the agency got the information from a publicly available publication and, in the circumstances, it would not be unfair or unreasonable to use the information; or
- the individual concerned has authorised the use; or
- the use is necessary for a public sector agency to uphold or enforce the law, protect the tax base, or for the conduct of court or tribunal proceedings; or
- the use is necessary to prevent or lessen a serious threat to public health or safety or to the life or health of any individual; or
- the use is directly related to the purpose for which the information was obtained; or
- the information is used in a form in which the individual concerned is not identified, or is used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or
- the use is authorised by the Privacy Commissioner under section 54.
In addition, an intelligence and security agency that holds personal information obtained in connection with one purpose may use it for any other purpose if the agency believes on reasonable grounds that doing so is necessary to perform any of its functions.
Principle 11: Limits on disclosure of personal information
Under principle 11, personal information must not be disclosed unless the agency reasonably believes that:
- the disclosure is in connection with, or directly related to, one of the purposes for which it was obtained; or
- the agency got the information from a publicly available publication and, in the circumstances, it would not be unfair or unreasonable to disclose the information; or
- disclosure is to the individual concerned; or
- disclosure is authorised by the individual concerned; or
- it is necessary for a public sector agency to disclose the information to uphold or enforce the law, protect the tax base, or for the conduct of court or tribunal proceedings; or
- disclosure is necessary to prevent or lessen a serious threat to public health or safety, or to the life or health of any individual; or
- disclosure is necessary to facilitate the sale of a business as a going concern; or
- the information is to be used in a form in which the individual concerned is not identified, or is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or
- disclosure has been authorised by the Privacy Commissioner under section 54.
Principle 12: Unique identifiers
Under principle 12, unique identifiers – such as IRD numbers, bank customer numbers, driver’s licence and passport numbers – must not be assigned to individuals unless this is necessary for the organisation concerned to carry out its functions efficiently. The identifiers must be truly unique to each individual (except in some tax related circumstances), and the identity of individuals must be clearly established. No one is required to disclose their unique identifier unless it is for, or related to, one of the purposes for which the identifier was assigned.
Exceptions and exemptions
The Act contains a number of exceptions and exemptions to the default positions in the IPPs.
As is apparent from the summary of the IPPs above, many of the principles have built-in exceptions.
Further, and importantly, section 7 of the Act states, in effect, that if another statute is contrary to certain privacy principles, that other statute will prevail over the Privacy Act. In other words, the privacy principles are subordinate to other laws which govern the collection, use or sharing of personal information.
Specific exceptions to principle 6 (access to personal information) are set out in sections 27-29 of the Act.
Nothing in principles 1 to 5 or 8 to 11 applies in relation to information collected, obtained, held, used or disclosed by, or disclosed to, the SIS or GSCB (section 57).
There is also a power in section 54 for the Privacy Commissioner to authorise an agency to collect, use, or disclose personal information, even though that collection, use, or disclosure would otherwise be in breach of principle 2, 10 or 11, if the Commissioner is satisfied that, in the special circumstances of the case:
- the public interest in that collection, use or disclosure outweighs, to a substantial degree, any interference with the privacy of the individual that could result from the collection, use or disclosure; or
- that collection, use or disclosure involves a clear benefit to the individual concerned that outweighs any interference with the privacy of the individual that could result from that collection, use or disclosure (subsection (1)).
A potential constraint on this power is that the Commissioner is not permitted to grant such an authority in respect of the collection, use or disclosure of any personal information for any purpose if the individual concerned has refused to authorise the collection, use or disclosure of the information for that purpose (subsection (3)).
Codes of practice
The Privacy Act gives the Privacy Commissioner the power to issue codes of practice that become part of the law (the provisions for which are set out in Part 6 of the Act). These codes may modify the operation of the Act for specific industries, agencies, activities or types of personal information. Codes often modify one or more of the information privacy principles to take account of special circumstances which affect a class of agencies or a class of information. The rules established by a code may be more stringent or less stringent than the principles they replace. Codes can be amended or revoked by the Privacy Commissioner at any time. However, as they are deemed regulations, they must be presented to the House of Representatives and will be subject to scrutiny by the Regulations Review Committee.
Codes of practice currently in force are as follows:
- Health Information Privacy Code;
- Justice Sector Unique Identifier Code;
- Credit Reporting Privacy Code;
- Superannuation Schemes Unique Identifier Code;
- Telecommunications Information Privacy Code; and
- Civil Defence National Emergencies (Information Sharing) Code 2013.
- These are all available on the Privacy Commissioner’s website.
Part 9A (Information sharing) was inserted into the Privacy Act on 27 February 2013 by section 8 of the Privacy Amendment Act 2013. Its purpose is to enable the sharing of personal information to facilitate the provision of “public services”. It does this by:
- providing a mechanism for the approval of information sharing agreements for the sharing of information between or within agencies; and
- authorising exemptions from or modifications to any of the IPPs (except IPP6 and IPP7) and any code of practice (except any code of practice that modifies IPPs 6 and 7) (section 96A).
Privacy Commissioner function
One of the Privacy Commissioner’s functions, as set out in section 13(1)(f), is:
- to examine any proposed legislation that makes provision for the collection of personal information by any public sector agency or the disclosure of personal information by one public sector agency to any other public sector agency, or both;
- to have particular regard, in the course of that examination, to the matters set out in section 98 of the Act, in any case where the Commissioner considers that the information might be used for the purposes of an information matching programme; and
- to report to the responsible Minister the results of that examination.
The reference to section 98 of the Act takes one to Part 10. Part 10 regulates certain forms of information matching.
Section 98 sets out the matters referred to in section 13(1)(f) Act to which the Commissioner must have regard, namely:
- whether or not the objective of the programme relates to a matter of significant public importance;
- whether or not the use of the programme to achieve that objective will result in monetary savings that are both significant and quantifiable, or in other comparable benefits to society;
- whether or not the use of an alternative means of achieving that objective would give either of the results referred to in the preceding paragraph;
- whether or not the public interest in allowing the programme to proceed outweighs the public interest in adhering to the information privacy principles that the programme would otherwise contravene;
- whether or not the programme involves information matching on a scale that is excessive, having regard to the number of agencies that will be involved in the programme and the amount of detail about an individual that will be matched under the programme; and
- whether or not the programme will comply with the information matching rules as set out in Schedule 4 to the Act.
There are currently 8 information matching rules in Schedule 4, dealing with:
- notice to individuals affected;
- use of unique identifiers;
- on-line transfers;
- technical standards;
- safeguards for individuals affected by results of information matching programmes;
- destruction of information;
- a qualified prohibition on the creation of new databanks; and
- time limits.
Section 99 prohibits the supply of personal information under an information matching provision, for the purposes of an authorised information matching programme, other than pursuant to a written agreement between the relevant agencies (subsection (1)). Such agreements are to incorporate provisions reflecting the information matching rules in Schedule 4 (subsection (2)).
An “information matching provision” is, in essence, any provision specified in the second column of Schedule 3 to the Act (section 97). “Authorised information matching programme” means “the comparison (whether manually or by means of any electronic or other device) of authorised information matching information with other personal information for the purpose of producing or verifying information about an identifiable individual”. “Authorised information matching information”, in relation to any specified agency, means “information that consists of or includes information disclosed pursuant to an information matching provision” (section 97).
Subject to any rule of law to the contrary, any specified agency that is involved in an authorised information matching programme may take adverse action against an individual on the basis of any discrepancy produced by that programme (section 100(1)). “Adverse action” is “any action that may adversely affect the rights, benefits, privileges, obligations or interests of any specific individual” (section 97).
At the same time, where, through an information matching programme, an agency becomes aware of a discrepancy, that agency shall destroy the information not later than 60 working days after it becomes aware of the discrepancy unless, before the expiration of that period, the agency has considered the information and made a decision to take adverse action against any individual on the basis of that discrepancy (101(1)). Section 101 also contains a 12 month time limit on taking adverse action as well as additional destruction obligations (subsections (2)-(4)). Nothing in that section applies to IRD (subsection (5)). Under section 102, the Commissioner may extend the time limit if certain conditions are met.
Section 103 prescribes procedural obligations on an agency proposing to take adverse action on the basis of a discrepancy. The general rule is that the agency must give written notice to the person concerned of the discrepancy and proposed action, and give him or her 5 working days to show why the action should not be taken (subsection (1)).
There are particular exemptions to this allowing MSD to take immediate action in respect of certain benefits and allowances, allowing IRD to take immediate action to recover certain specified unpaid amounts and financial support, and allowing the police and bailiffs to executing arrest warrants in respect of the non- payment of fines (subsections (1A), (1C) and (2A) respectively). Further, nothing in subsections (1) or (1A) prevents an agency from taking adverse action against an individual if compliance with the requirements of that subsection would prejudice any investigation into the commission of an offence or the possible commission of an offence (subsection (2)).
The Act also contains two provisions designed to preclude avoidance of controls on information matching. The first is section 108, concerning the use of certain exceptions to information privacy principles. The second is section 109, the essence of which is that neither the Official Information Act 1982 or the Local Government Official Information and Meetings Act 1987 may be used by one agency to disclose personal information to another if the sole or principal purpose for which the information is sought is for use in an information matching programme.
Interferences with privacy
Under Part 8 of the Act, the Privacy Commissioner can investigate privacy-related complaints where there has been an “interference with privacy”. The main form of interference with privacy occurs where an agency:
- breaches a privacy principle; and
- the action giving rise to the breach has caused or may cause a kind of harm referred to in the Act.
Harm can be in the nature of:
- loss, detriment, damage, or injury to the individual;
- an adverse effect on the individual’s rights, benefits, privileges, obligations, or interests; or
- significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.
It’s also an interference with privacy to breach an approved information sharing agreement or an information matching agreement where the breach has caused or may cause such harm.
An unjustified refusal to allow a person to access his or her information or to correct personal information when requested is also an interference with privacy. There is no need to establish harm for these kinds of interference with privacy.
For more information on complaints and what the Privacy Commissioner can do, see the Office of the Privacy Commissioner’s website.