We have split the FAQs into sections to help you. If you don't understand any of the terms used, please check out the glossary.
A: Information collection, use and sharing play an important role in ensuring the most effective services are provided to the people who need them. At the same time, service users need confidence that the right processes are in place to ensure their personal information is being collected, used and shared appropriately.
The policy is expected to guide social sector organisations on what to consider when collecting, storing, using and sharing the personal information of service users. The policy will make it easier for organisations to understand what is and isn’t appropriate, how we can work through the grey areas together, how to work safely with people’s personal information, and how insights gained from data can be safely shared to help service providers deliver what is needed at a time that will make the most difference. It is essential that the policy will be delivered in the way that builds trust.
A: The scope of the policy is to:
A: The findings of the engagement on the protection and use of data have confirmed the major areas set out for the policy to address as appropriate. We’re using the findings to ensure that we develop a draft policy that addresses a range of concerns, is practical and applicable to a diverse sector.
A: It is too early to say. It is something being considered and will depend in part on what shape the final policy takes and what we learn through the consultation process. The policy is anticipated to include a description of the roles and responsibilities of organisations within the system, and details on governance bodies, particularly for the Policy itself. We anticipate the organisation responsible for the Policy, once finalised through Cabinet, will manage the implementation process including accountabilities for organisations who are adopting the Policy, and be available to support organisations as they implement the Policy.
A: It is too early to say. Implementation timeframes are likely to be determined with, or by the organisation(s) that will be responsible for the Policy once it is developed.
A: In 2016 MSD announced that there would be a general contractual requirement requiring the disclosure of individual client-level data about service users. The need for a policy relating to the protection and use of personal information in the social sector emerged following a report by the Privacy Commissioner in April 2017, which concluded that the MSD approach was inconsistent with the principles of the Privacy Act. This original proposal to require personal information as a general contracting requirement with NGOs has been withdrawn.
The objective of this work is to create a policy which will provide practical assistance to the entire social sector on appropriate collection, use and sharing of personal information, when other types of data should be preferred, and explore how what we can learn from a range of sources can be returned to communities.
Personal information plays an important role in the provision of social services. For example Work and Income’s provision of benefit payments and employment support requires personal details, employment and income history, health conditions and details about living arrangements to provide support.
A: A lot of work has been done on these issues and we are building upon this work. The guidelines and research produced by the Data Futures Partnership (DFP), as well as other work such as the Kiwis Count reports and various Privacy Commissioner reports, informs this work.
Unlike the DFP, this work focuses on the social sector. It seeks to:
A: In 2017 the Privacy Commissioner released a report into the Ministry of Social Development’s requirement on NGOs to provide individual client level data (ICLD) about the people who used their services. This kind of information makes it possible to know who accessed a service. In the report the Commissioner was clear that such a requirement was inconsistent with the Privacy Act and risks “undermining the trust between service users and NGOs”. The balance was not right. The Data Protection and Use policy was developed in response to those concerns and to provide government agencies, NGOs, community groups and the public with ways to navigate the complexity of using data and information safely and respectfully.
Information is shared within the social sector for a range of reasons. In addition to the Privacy Act, there are more than 70 sets of legislative provisions governing what can and cannot be done with personal information in the social sector. Have a look at the following document to see an illustration of the kinds of provisions that apply:
In large government agencies information is used and shared for a range of purposes in order to provide services. For example, have a look at this document showing ACC information flows:
Personal information is currently shared among social service organisations for a number of reasons, some of which include:
A: Different types of personal information is currently collected and used by government, NGOs and other service providers, including:
A: Agencies have internal rules and procedures to ensure that only people who should see personal information are able to see it, including controls to prevent a conflict of interest.
Personal information may only be shared among social sector organisations if the law requires or allows it. Sharing may be allowed by the Privacy Act or by other laws. For example, if the information is being shared for the purpose for which it was collected, such as providing a service,or in order to prevent or lessen a serious threat to an individual’s life or health. The Privacy Act also provides for agreements between agencies known as approved information sharing agreements or information matching agreements. Check out the glossary below to find out more about these.
A: State sector chief executives are ultimately accountable for the protection of privacy within their agencies. Departments are required to have Departmental Security Officers - who have responsibility for security, and all organisations are required to have Privacy Officers - who have responsibility for privacy-related matters. The government’s Chief Privacy Officer also has a role to build government’s capability in privacy and security management.
Service providers are responsible for appropriately protecting personal information they hold and generally have employees who have similar responsibilities to Departmental Security Officers and Privacy Officers.
If you have a concern, the first step is to address the issue with the agency or organisation concerned. You can ask to speak with their Privacy Officer. If you are unhappy with the response, you can contact the Office of the Privacy Commissioner for assistance(external link).
A: In some cases individuals can obtain services without providing any personal information. For example, personal information does not have to be provided to use the National Sexual Violence Helpline. In other cases individuals can opt out of using the service and the sharing of their information. For example, a young person can opt out of the Youth (or NEET) Service, which connects young people with youth coaches and mentoring support by sharing young people’s information between schools and MSD.
Sometimes, with their consent, an individual’s information is shared with other government agencies or service providers in order for them to be provided a complete service. For example, they may be referred to a health specialist. In other cases individuals do not have a choice about their personal information being shared. For example where it is necessary to share information in order to prevent or lessen a serious threat to someone’s life or health.
We expect to deliver a draft Data Protection and Use Policy to Cabinet in early-mid 2019. The public consultation period will be initiated following Cabinet approval of the draft policy for consultation. Details for the consultation will be published on this website. If you would like to receive an email notification when the consultation period is confirmed, please email us to request this.
A: We are actively engaging and working in partnership with Māori to build on and strengthen existing relationships and ensure that our work translates to positive social outcomes for Māori.
The Treaty of Waitangi and historic Treaty settlements have created opportunities for the Crown and Māori to engage and partner with each other on issues of mutual interest. This process represents one of those opportunities. It is important to explore ways we can work better together given Māori overrepresentation amongst social service users. We know that Māori, like other New Zealanders, have concerns about protection of personal information. We are also aware of other issues that Māori are concerned about, such as Māori data sovereignty and governance. We will actively engage with Māori to understand these issues, and explore the potential to work together in this area.
A: This process recognises the diversity of Pacific communities and explores the potential to work together. It is important to explore ways we can work better together given Pacific peoples’ overrepresentation amongst social service users. We will actively engage and work in partnership with Pacific peoples to build on and strengthen existing relationships, understand their concerns about the use and protection of personal information, and ensure that our work translates to positive social outcomes for Pacific peoples.
A: We will actively engage and work in partnership with disabled people to build on and strengthen existing relationships, understand their concerns about the use and protection of personal information and ensure that our work translates to positive social outcomes for disabled people. It is important to explore ways we can work better together with disabled people given they are disproportionately affected by negative social outcomes.
A: A working group has been guiding the SIA’s work to support the engagement to be as wide, deep and effective as possible. The working group consists of individuals from social sector agencies, NGOs, peak bodies and the Office of the Privacy Commissioner. We also have Māori, Pacific peoples, and disabled people advisors and a client advocate. Engagement hui were held for invited and registered participants in 27 locations across New Zealand, we and will revisit many of these locations during the public consultation for the Data Protection and Use Policy. Organisations with existing relationships with service users have assisted by creating opportunities for direct engagement with service users.
A: A number of government agencies are working to get a better understanding of how to practically focus on the wellbeing of New Zealanders and improve how they use and protect data.
This work includes Treasury’s Living Standards Framework(external link) and the Department of the Prime Minister and Cabinet’s (DPMC) child wellbeing work(external link). The child poverty reduction bill will lead to the development of a child wellbeing strategy.
We are also coordinating with Oranga Tamariki, and the Ministry of Justice, as they develop codes of practice for information sharing in the areas of child safety and wellbeing and family violence.
When we come to develop the draft policy, we intend that it will complement existing work.
A: The SIA is a small agency that looks right across the social sector. Our focus is on supporting better use of evidence to improve decision making across government in order to improve social outcomes. We work in partnership with other agencies and service providers to innovate and trial new ways of doing things. We co-ordinate, build, and share capability across the social sector.
A: The SIA is taking the lead in developing this approach and policy on behalf of the social sector. Both of these will be owned and implemented across the entire social sector. The SIA will take a lead role in supporting agencies and service providers to apply the approach and policy, and monitor how they are implemented.