Privacy Act 2020 for sharing information
The Privacy Act is the main legislation governing the sharing of personal information in New Zealand.
Information Privacy Principles 2 and 11
Disclosures and collections
Sharing personal information with another agency is a ‘disclosure’ under the Privacy Act. An agency can only disclose personal information if the proposed disclosure satisfies one of the exceptions listed in Information Privacy Principle (IPP) 11.
Receiving personal information that another agency shares is a ‘collection’ under the Privacy Act. An agency should generally collect personal information from the person concerned — but there are exceptions in IPP 2 that allow agencies to collect personal information indirectly.
It does not matter how that information is shared. Information may be physically sent or transmitted digitally, or your agency may allow another agency to extract information from your systems or to view and use information within your systems. All of these are disclosures and collections.
Principle 11 - Disclosure of personal information — Office of the Privacy Commissioner
IPP 11 exceptions
Commonly used exceptions include where the:
- individual gives authorisation
- disclosure is one of the purposes for which the information was collected
- disclosure is for one of the purposes, or a directly related purpose, for which the information was initially collected
- information is used in a form that does not identify the individual
- information is used for research and statistical purposes and will not be published in a form that could reasonably be expected to identify an individual
- disclosure is necessary to prevent or lessen a serious threat to health and safety, or to avoid prejudice to the maintenance of the law.
You will need to assess the circumstances of your sharing activity to determine whether an exception applies.
The collecting agency has to ensure that it genuinely needs the information and that it’s allowed to collect it. However, there is a higher risk associated with disclosing information, as it is important to make sure people’s information is not improperly exposed. The agency disclosing the information should therefore check carefully that one of the exceptions is satisfied before sharing any personal information either in response to a request or proactively.
Approved information sharing agreements
The Privacy Act enables the development of approved information sharing agreements (AISAs). AISAs are a legal instrument, as they are approved by an Order in Council. AISAs provide the legal authority for the sharing of specified information between specified agencies for specified purposes.
AISAs are used when a modification to the IPPs is required to enable the information sharing activity. Schedule 2 of the Privacy Act 2020 lists:
- all AISAs
- the agencies that are party to the AISAs
- the information that can be shared
- the purpose for sharing under the AISA.
Privacy Act codes of practice
The Privacy Commissioner has the power to issue codes of practice. These codes modify the operation of the Privacy Act and set rules for specific industries, organisations, or types of personal information.
Health Information Privacy Code
If you want to share health information about an individual, you will need to consider whether the Health Information Privacy Code (HIPC) 2020 applies. The HIPC sets specific rules for agencies in the health sector, including rules for sharing health information.
Health Information Privacy Code 2020 — Office of the Privacy Commissioner
The HIPC applies to:
- agencies providing personal or public health or disability services such as primary health organisations, rest homes, supported accommodation, doctors, nurses, dentists, pharmacists, and optometrists
- listed agencies that do not provide health services to individuals, but which are part of the health sector, such as ACC, Ministry of Health, Te Whatu Ora, Health Research Council, health insurers and professional disciplinary bodies.
The HIPC rules align closely with the Information Privacy Principles. So, for example, a health agency can only disclose health information if the proposed disclosure satisfies one of the exceptions listed in Rule 11. While it’s not always required, authorisation plays a stronger role in the health sector than it does in non-health contexts.
Agencies not covered by the HIPC rules
Many agencies hold health information but are not ‘health agencies’ as defined by the HIPC. If you’re not a health agency, then the HIPC rules are not relevant to you.
Instead, you’ll need to consider the exceptions in IPP 11 or other legal authorities such as the Oranga Tamariki Act or Family Violence Act before you share health information.
Other codes of practice
There are 5 other codes of practice:
- Civil Defence National Emergencies (Information Sharing) Code 2020
- Telecommunications Information Privacy Code 2020
- Credit Reporting Privacy Code 2020
- Justice Sector Unique Identifier Code 2020
- Superannuation Schemes Unique Identifier Code 2020
Codes of practice — Office of the Privacy Commissioner
Civil Defence National Emergencies (Information Sharing) Code 2020
This code provides agencies with a broader discretion to collect, use and disclose information provided that a state of national emergency is in place (and for 20 working days after the state of national emergency is lifted). It facilitates the sharing of information to assist in the response to the national emergency.
For example, it permits sharing information to help:
- identify individuals who are caught in the emergency
- identify people who may need specialist assistance
- coordinate the management of the emergency.
Telecommunications Information Privacy Code 2020
This code applies specific rules to telecommunications agencies to better ensure the protection of individual privacy. The code applies to telecommunications information collected, used, and disclosed by telecommunications agencies.
Most of the code is not relevant to public sector agencies, except for the purposes of general knowledge. However, relevant agencies should be aware of the provision that allows sharing of emergency location information to facilitate a response to an emergency call or to prevent or lessen a serious threat to an individual’s life or health.
Credit Reporting Privacy Code 2020
This code applies to credit reporting companies to ensure the protection of individual privacy. Credit reporting companies must display a summary of the rights under this code on their websites and when responding to a person’s request for a copy of their credit report.
While the code does not apply to government agencies, finance and advisers in human resources (HR) may need to be aware of some of the rules so they are clear about what credit reporting companies can and cannot do.
Justice Sector Unique Identifier Code 2020
This code provides a partial exemption from IPP 13 for specific agencies within the justice sector when those agencies reassign a unique identifier to people proceeding through the justice system. It does not affect the operation of the other information privacy principles.
Agencies subject to the code include Police, Department of Corrections, New Zealand Transport Agency, Ministry of Social Development, Ministry of Justice, the Registrar of Motor Vehicles, and Road User Charges Collectors.
Superannuation Schemes Unique Identifier Code 2020
This code provides a partial exemption from IPP 13 for agencies with certain superannuation schemes. It does not affect the operation of the other information privacy principles.
Those who need to provide advice in this specialist area may need to consult the code.
Law enforcement information
There are general exceptions in some of the information privacy principles (including IPP 11) that permit information sharing if the agency reasonably believes this is necessary for the maintenance of the law.
However, schedule 4 of the Privacy Act 2020 also authorises specified public agencies to have access to listed types of law enforcement information that is held by other specified agencies. This schedule covers some of the most common sharing needs, to make it easier to determine if the sharing is allowed.
Schedule 4 Privacy Act 2020 — New Zealand Legislation
Specified agencies include:
- Police
- Serious Fraud Office
- Department of Corrections
- Ministry of Justice
- Ministry of Business, Innovation and Employment
- NZ Transport Agency
- Ministry for Primary Industries
- NZ Customs Service
- WorkSafe NZ
Each specified agency will have its own internal policy and procedures for accessing and sharing law enforcement information under the Privacy Act.
Identity information
The Privacy Act authorises specified public agencies to have access to identity information about individuals held by other agencies (holding agencies). Schedule 3 of the Privacy Act sets out which agencies can access specified types of identity information held by listed agencies for specific purposes. In most cases, the purposes for accessing identity information relate to verifying the identity of a person.
Schedule 3 Privacy Act 2020 — New Zealand Legislation
Each agency authorised to access identity information held by another agency will have its own internal policy and procedures for accessing that information.
Section 30: Privacy Commissioner authorisation to share
The Privacy Act provides the Privacy Commissioner with the power to authorise a one-off disclosure of personal information that would otherwise breach IPP 11, provided that either:
- the public interest in the disclosure outweighs the privacy interests of the individual, or
- the benefit of the disclosure to the individual outweighs the privacy interests of the individual — for example, where there’s a direct financial benefit associated with the disclosure to the individual.
Note: Seek advice from your privacy, information sharing or legal teams if you think your information sharing activity could be authorised by section 30.
Further information about how to make applications, and what information to include, is available on the Privacy Commissioner’s website — Section 30 authorisations.
Information matching programmes
All information matching programmes set out in schedule 5 of the Privacy Act 2020 are authorised under specific statutory provisions. [Footnote 1]
Schedule 5 Privacy Act 2020 — New Zealand Legislation
Since the new Privacy Act came into force in 2020, no new information matching programmes can be established. Other forms of information sharing, including AISAs, need to be considered instead.
However, there are still some programmes in operation. Those programmes are governed by the rules set out in the Privacy Act. Relevant staff in agencies (for example, staff who compile data to report to the Privacy Commissioner) need to be aware of those rules.
List of provisions and authorised information matching programmes: Information matching provisions — Office of the Privacy Commissioner.