The Data Protection and Use Policy (DPUP) provides good practice advice for the collection and use of people's information. In some areas, and for good reasons, that advice goes beyond the law.
How DPUP relates to other laws and guidance
If an agency collects, uses or shares personal information, DPUP does not affect what it can or must do under law, for example under the:
Privacy Act 2020
Oranga Tamariki Act 1989
Family Violence Act 2018
Social Security Act 2018.
However, DPUP does take the position that at times there are good reasons to go further than meeting the bare requirements of the law to build trust.
DPUP’s Principles and Guidelines are consistent with the Privacy Act 2020. The Guidelines make it clear when they recommend good practice beyond the minimum legal requirements of the Act. Agencies are not legally bound by DPUP’s good practice advice but are encouraged to follow it in accordance with the spirit and intent of the Principles.
DPUP exists alongside other guidance on the collection and use of personal information. For example, ‘Principles for the safe and effective use of data and analytics’ prepared by the Office of the Privacy Commissioner and Stats NZ in 2018.
This 1-page document outlines how DPUP relates to the Privacy Act 2020, the Oranga Tamariki Information Sharing Provisions and the Family Violence Information Sharing Guidance.
DPUP’s Principles and Guidelines are consistent with the Privacy Act 2020. They also recommend good practice that is beyond what the law requires and make it clear when they do so.
Comparing DPUP with the information privacy principles (IPPs)
DPUP’s Principles and Guidelines address the Privacy Act 2020’s IPPs. This comparison is designed for agencies looking for a detailed comparison of DPUP against the IPPs. This may include people advising on privacy or legal considerations and those training others on DPUP.
This comparison summarises the good practice guidance. It addresses how DPUP recognises other laws can modify or override the IPPs, and provides key examples of where that happens. It also links to other government guidance on such laws.
Read a comparison of DPUP against the Privacy Act 2020’s IPPs
Summaries of DPUP’s good practice advice that is additional to what the Privacy Act 2020 requires, grouped within DPUP’s 4 Guidelines.
Purpose Matters Guideline
There is a focus in this Guideline on ensuring agencies can clearly point to real social value (to individuals, groups or wider society) when defining the purposes for collecting people’s information.
The Guideline states that if Agency A is collecting personal information from Agency B, it needs to inform Agency B, in clear terms, of its purpose of collection and whether it proposes to share the information with anyone else. Agency A needs to tell Agency B if giving it the information is voluntary or mandatory and, if mandatory, under what particular statutory provision.
The Guideline’s suggested approach to assessing purpose and collecting only what's needed includes being clear about the outcomes, the methods used to achieve the outcomes and consideration of relevant context. This encourages agencies to consider factors that do not feature in the Privacy Act 2020.
Questions to ask about the collection of personal information
Consider if different analytical techniques or processes can be used, with a view to collecting less personal information rather than more.
Ask if, to achieve an outcome, it’s necessary to collect personal information from every service user all of the time, regardless of their differences, or whether it may be feasible to allow some people to opt out.
The Guideline suggests a series of checks and balances that agencies may find helpful when assessing the purpose, necessity and appropriateness of collecting people's information. Those checks and balances include finding out, where relevant, the views of various people, whether from within the agency or from external sources (for example, review groups, Māori groups, external reference groups, service users or the Office of the Privacy Commissioner).
This ensures that, where appropriate, the people and communities who are impacted by the proposed collection or use have their ideas and voices included in defining the collection purposes.
The Guideline includes considering ethical issues that may come up from collecting people’s information for particular purposes. For example, the suggested approach to assessing purpose includes asking about:
the potential for adverse consequences (despite the lawfulness of collection)
how linking people’s personal information with other data could be perceived
the potential impact that collection from other agencies could have on the trust relationships between those other agencies and their immediate service users.
In addition to emphasising the requirements of information privacy principle 3 (IPP3) — Collection of information from subject, this Guideline states it can also be good practice to explain to people:
how their information will be protected
how the information will be used to help them or people in similar situations to them
if matching or linking is occurring, the fact that it is, why and what it could mean for them
if relevant, how particular information may be used in a form that does not identify them.
This Guideline notes that relying on IPP3’s grounds for not being transparent with people is the exception rather than the norm. The default is to provide people with the information required by IPP3. That reflects the legal position but the Purpose Matters Guideline emphasises that reliance on a particular IPP3 exception may not be appropriate.
It makes the important point that there is “nothing sufficiently unique about collecting personal information for statistical or research purposes to justify not telling people that their personal information will be linked with other datasets to yield insights, even where an agency can rely on the IPP3 exception.”
IPP3 requires telling people about “the intended recipients of the information”. The Guideline suggests that telling people should include not only the other agencies the information may be shared with, but also the kinds of recipients within your own agency. The Privacy Act 2020 is not clear on this distinction.
Picking up a theme from the Purpose Matters Guideline, this Guideline states that people involved in designing or communicating information collections need to help ensure that everyone involved, including those dealing directly with people, have a good understanding of the ‘what and why’ of collection.
This fosters consistent understanding and legal compliance. In addition, those involved with collecting personal information and, where relevant, those asked to share it with other agencies, need to feel able to ask ‘why’, safely and confidently and without fear of negative consequences.
The Guideline emphasises the importance of matching a transparency approach to collection to the context people find themselves in. It encourages agencies to:
consider a range of methods
respect cultural and language considerations
provide multiple opportunities for people to understand if that's what people need
be as specific as they can.
The Guideline suggests that when agencies tell people what their information will be used for and who will see it, it may also be good to tell them what it will not be used for and who will not see it. This point is made in the Purpose Matters Guideline as well.
The Guideline emphasises the importance of people being able to get a good understanding of what’s being done with their personal information in a safe and responsive environment. That includes considering how to ensure people feel safe to listen and ask questions, and what kind of information will work best for them.
Access to Information
This Guideline has a strong focus on helping people understand their access and correction rights. It recommends that people should, from time to time, be reminded about these rights, especially if their information was collected when they were in crisis. The Guideline suggests practical and proactive ways to help.
The Guideline advises agencies to record information about people clearly, accurately and professionally, both as a matter of respect and because people can request access to and view what has been written about them. Agencies cannot legally say no to a person’s request for personal information because the information was poorly written or expressed with insufficient care.
The Guideline stresses the importance of making it easy for people to access their personal information and to request corrections. It suggests a variety of ways this can be done.
The Guideline explains how non-governmental organisations can act on behalf of their service users to get access to their personal information from government agencies. Examples might include:
confirming details of benefits and entitlements
information about health or wellbeing
information about a person’s overall situation that they may prefer not to re-tell, given that doing so repeatedly may have negative impacts on a person’s wellbeing.
The Guideline provides guidance on helping people access and use digital channels to access their information. For example, helping them get set up on portals such as MyMSD and ManageMyHealth.
This Guideline addresses a range of topics the Privacy Act 2020 does not mention. It deals with the kaitiaki roles data custodians hold, and how what they hold may be of use or interest to other groups, such as iwi, communities, service providers and others. It focuses on enabling appropriate agencies with legitimate interests to access non-personal forms of data, information, knowledge and insight, which have been derived from people's personal information.
The Guideline is about helping other agencies to use data or insights that may be useful to them — growing capability, so the value of data is more accessible to more agencies. The Guideline emphasises that, if one agency or group collects information and provides it to another, they should receive the value of that information at some point. What this means will depend on why it was gathered.
Example of sharing insights back to the agency that provided you with the information
An agency collects information. It provides it to an agency that uses it to develop insights about homelessness, financial hardship, stable employment challenges or similar. The agency should then share those insights with the organisation.
The Guideline recommends that when proposing to develop insights (analysis, research, studies and so on), agencies collaborate with providers, communities and service users to identify what the most useful information or method could be to help develop those insights.
Agencies are encouraged to identify those organisations with a legitimate interest and / or experiences in relation to the areas being studied or analysed which can contribute to the work as it is carried out. Agencies should seek qualitative, narrative or interpretative information to help provide context in relation to quantitative information. The Guideline recommends the insights are then shared with those who have a legitimate interest.
References and useful links
These links contain further information that is likely to be useful, depending on the nature of your agency's work. In each case, the references include guidance and advice on how to think about and adopt relevant practices that relate to the respectful use of people's information.
Privacy resources
Find general advice about privacy organisations and their various responsibilities in Privacy organisations.
Māori data resources
Te Arawhiti, the Office of Māori–Crown Relations, has described the responsibilities of public sector agencies to ensure that engagement with Māori is meaningful.
This advice helps agencies to think about the form, purpose and style of their engagement with Māori.
The Ministry for Pacific Peoples publishes a range of advice to support effective engagement with Pacific peoples, for example a Pacific policy analysis tool.
The Ministry of Social Development developed the Child Impact Assessment Tool to help assess whether policy proposals will improve the wellbeing of children and young people.
The Ministry of Social Development's Privacy Human Rights and Ethics framework is a set of capabilities and tools to ensure that issues of privacy, human rights and ethics are considered from the design stage of a new initiative.
The Health and Disability Ethics Committees check that proposed health and disability studies meet established ethical standards to protect participants.
Aotearoa New Zealand's Association of Social Workers / Te Rōpū Tauwhiro i Aotearoa provides helpful guidance, for example, dealing with client confidentiality, in its Code of Ethics.
Wider government guidance
Guidelines about information sharing to support tamariki wellbeing provides guidance for sharing information across the child welfare and protection sector in line with the Oranga Tamariki Act 1989.
Stats NZ and the Office of the Privacy Commissioner (OPC) jointly published principles in May 2018 that note the criticality of ensuring that data is fit for purpose and that the right data is used in the right context, and the importance of transparency and inclusion through consultation with stakeholders.
In 2018, the Human Rights Commission published a paper addressing the impact of digital technology on the right to privacy, providing information on the International Human Rights Framework, safeguards and emerging issues.
The Ombudsman provides resources on fair interactions with government agencies and resources to assist agencies, including guidance on the rights of people with disabilities and the Official Information Act 1982.
The New Zealand Government's customer-centred service design principles provide advice on designing services with empathy and understanding of service users' experiences, needs and desired outcomes.
The Social Wellbeing Agency (SWA) analysed and summarised what was heard in the ‘Your voice, your data, your say’ engagement on investing for social wellbeing and the protection and use of data.
SWA recorded the findings from its engagement on investing for social wellbeing and the protection and use of data, which was drawn upon during DPUP’s development.
