Frequently Asked Questions (FAQs)

We’ve provided some FAQs on the Policy to help people understand more about the topics we are talking about. They also define some terms to help people better understand the conversation.

How to use these FAQs

We have split the FAQs into sections to help you. If you don't understand any of the terms used, please check out the glossary.


Data protection and use policy

Data protection and use policy - what currently happens

Data protection and use policy - the engagement and consultation process


Data protection and use policy

Q: Why do we need this policy?

A: Information collection, use and sharing play an important role in ensuring the most effective services are provided to the people who need them. At the same time, service users need confidence that the right processes are in place to ensure their personal information is being collected, used and shared appropriately.

The policy is expected to guide social sector organisations on what to consider when collecting, storing, using and sharing the personal information of service users. The policy will make it easier for organisations to understand what is and isn’t appropriate, how we can work through the grey areas together, how to work safely with people’s personal information, and how insights gained from data can be safely shared to help service providers deliver what is needed at a time that will make the most difference. It is essential that the policy will be delivered in the way that builds trust.

Q: What are the major areas the policy will address?

A: The scope of the policy is to:

  • Ensure those receiving social services have a better understanding about how their personal information is collected and used;
  • Clarify when personal identifiable information is needed and what types of personal information should be used for what purpose;
  • Build understanding of what protocols, structures and measures need to be in place to protect personal information;
  • Equip the social sector to work together using information to improve services and make better decisions for New Zealanders; 
  • Build understanding, trust, and confidence around the collection, storage and analysis of information.

Q: How are findings from the engagement being used to inform the policy?

A: The findings of the engagement on the protection and use of data have confirmed the major areas set out for the policy to address as appropriate. We’re using the findings to ensure that we develop a draft policy that addresses a range of concerns, is practical and applicable to a diverse sector.

Q: How will this new policy be implemented?

A: It is too early to say. It is something being considered and will depend in part on what shape the final policy takes and what we learn through the consultation process. The policy is anticipated to include a description of the roles and responsibilities of organisations within the system, and details on governance bodies, particularly for the Policy itself. We anticipate the organisation responsible for the Policy, once finalised through Cabinet, will manage the implementation process including accountabilities for organisations who are adopting the Policy, and be available to support organisations as they implement the Policy.

Q: How long will it take to implement the new policy?

A: It is too early to say. Implementation timeframes are likely to be determined with, or by the organisation(s) that will be responsible for the Policy once it is developed.

Q: What is the relationship between this work and the 2016 Ministry of Social Development policy relating to individual client level data (ICLD)?

A: In 2016 MSD announced that there would be a general contractual requirement requiring the disclosure of individual client-level data about service users. The need for a policy relating to the protection and use of personal information in the social sector emerged following a report by the Privacy Commissioner in April 2017, which concluded that the MSD approach was inconsistent with the principles of the Privacy Act. This original proposal to require personal information as a general contracting requirement with NGOs has been withdrawn.

The objective of this work is to create a policy which will provide practical assistance to the entire social sector on appropriate collection, use and sharing of personal information, when other types of data should be preferred, and explore how what we can learn from a range of sources can be returned to communities.

Personal information plays an important role in the provision of social services. For example Work and Income’s provision of benefit payments and employment support requires personal details, employment and income history, health conditions and details about living arrangements to provide support.

Q: Is this work similar to the work of the Data Futures Partnership?

A: A lot of work has been done on these issues and we are building upon this work. The guidelines and research produced by the Data Futures Partnership (DFP), as well as other work such as the Kiwis Count reports and various Privacy Commissioner reports, informs this work.

Unlike the DFP, this work focuses on the social sector. It seeks to:

  • Identify the areas that the social sector finds difficult or confusing.
  • Identify opportunities for insights gained from data to be shared with NGOs and communities.
  • Create practical tools to assist the social sector.

Q: Why is the Data Protection and Use Policy being developed?

A: In 2017 the Privacy Commissioner released a report into the Ministry of Social Development’s requirement on NGOs to provide individual client level data (ICLD) about the people who used their services. This kind of information makes it possible to know who accessed a service. In the report the Commissioner was clear that such a requirement was inconsistent with the Privacy Act and risks “undermining the trust between service users and NGOs”. The balance was not right. The Data Protection and Use policy was developed in response to those concerns and to provide government agencies, NGOs, community groups and the public with ways to navigate the complexity of using data and information safely and respectfully.


What currently happens

Information is shared within the social sector for a range of reasons. In addition to the Privacy Act, there are more than 70 sets of legislative provisions governing what can and cannot be done with personal information in the social sector. Have a look at the following document to see an illustration of the kinds of provisions that apply:

Information sharing across the social sector [PDF, 4.3 MB]

In large government agencies information is used and shared for a range of purposes in order to provide services. For example, have a look at this document showing ACC information flows:

ACC external information data flows [PDF, 654 KB]

Q: Why is personal information shared?

Personal information is currently shared among social service organisations for a number of reasons, some of which include:

  • When it is necessary to prevent harm to someone. For example providers working with young people are required to notify Oranga Tamariki and/or the Police of concerns for a young person’s immediate safety.
  • When a number of organisations are working with a particular person or family, to ensure a joined-up and seamless service. For example the Ministry of Social Development’s job search services involve case managers working with clients to identify how they can be assisted. Clients’ information may be provided to other service providers, such as Dressed for Success, to enable them to assist the client. Those service providers report back to the Ministry of Social Development that the services have been provided. In some cases the services are tied to obligations.
  • To assess whether services are being provided to those for whom they are intended, and to inform decisions about what services to provide. For example in order to identify and address concerns which could affect a child’s ability to get the most benefit from school, B4 school check providers collect information during the checks to enable children to be referred to other services, such as an immunisation reminder and catch-up, and to monitor the referral. The results of B4 school checks are held in a nationally available database of non-identifiable information for research, service development and planning purposes. 
  • To enable the linking of data for research purposes which can be useful for evaluating the relationship between various challenges that people face, and the degree to which various forms of support and assistance have helped them. The Integrated Data Infrastructure (IDI) is an example of a linked data set. The data that is made available to researchers is de-identified and subject to strict protocols.

Q: What types of personal information is currently collected, and for what?

A: Different types of personal information is currently collected and used by government, NGOs and other service providers, including:

  • Administrative data is information collected by government, NGOs and other service providers during the delivery of a social service. Some of it will be personal information and some will not. This data is used to make decisions about individual clients, for operational matters, to understand patterns, and measure the effectiveness of services. 
  • Survey data is collected by government, NGOs and other service providers to build survey datasets. Some surveys collect personal information, some do not. Survey data, such as that collected through the national Census, helps social sector organisations better understand the needs, preferences and characteristics of people and communities by providing information about their situation and wellbeing.
  • Secondary collection is when data is collected by government from NGOs or other government agencies. Some of it will be personal information, some of it will not be. This information is collected to understand more about service users’ needs, what services they are receiving and what difference the services are making. 
  • Linked data is when personal information in existing data sets is used to link the data sets together. This results in richer datasets which creates opportunities for more complex and expanded research. For example, data linking helped to identify the role of folate in pregnancy in reducing neural tube defects such as spina bifida. The Integrated Data Infrastructure (IDI) is an example of a linked data set. The data that is made available to researchers is de-identified and subject to strict protocols.

Q: Who has access to personal information once it is collected?

A: Agencies have internal rules and procedures to ensure that only people who should see personal information are able to see it, including controls to prevent a conflict of interest.

Personal information may only be shared among social sector organisations if the law requires or allows it. Sharing may be allowed by the Privacy Act or by other laws. For example, if the information is being shared for the purpose for which it was collected, such as providing a service,or in order to prevent or lessen a serious threat to an individual’s life or health. The Privacy Act also provides for agreements between agencies known as approved information sharing agreements or information matching agreements. Check out the glossary below to find out more about these.

Q: Who oversees the collection and use of personal information to take care of New Zealander’s privacy?

A: State sector chief executives are ultimately accountable for the protection of privacy within their agencies. Departments are required to have Departmental Security Officers - who have responsibility for security, and all organisations are required to have Privacy Officers - who have responsibility for privacy-related matters. The government’s Chief Privacy Officer also has a role to build government’s capability in privacy and security management.

Service providers are responsible for appropriately protecting personal information they hold and generally have employees who have similar responsibilities to Departmental Security Officers and Privacy Officers.

If you have a concern, the first step is to address the issue with the agency or organisation concerned. You can ask to speak with their Privacy Officer. If you are unhappy with the response, you can contact the Office of the Privacy Commissioner for assistance(external link).

Q: What choice do individuals have about the use and sharing of their personal information?

A: In some cases individuals can obtain services without providing any personal information. For example, personal information does not have to be provided to use the National Sexual Violence Helpline. In other cases individuals can opt out of using the service and the sharing of their information. For example, a young person can opt out of the Youth (or NEET) Service, which connects young people with youth coaches and mentoring support by sharing young people’s information between schools and MSD.

Sometimes, with their consent, an individual’s information is shared with other government agencies or service providers in order for them to be provided a complete service. For example, they may be referred to a health specialist. In other cases individuals do not have a choice about their personal information being shared. For example where it is necessary to share information in order to prevent or lessen a serious threat to someone’s life or health.


The engagement and consultation process

Q: What is the consultation timeline for the Data Protection and Use Policy?

We expect to deliver a draft Data Protection and Use Policy to Cabinet in early-mid 2019. The public consultation period will be initiated following Cabinet approval of the draft policy for consultation. Details for the consultation will be published on this website. If you would like to receive an email notification when the consultation period is confirmed, please email us to request this.

Q: What is the role of Māori in this process?

A: We are actively engaging and working in partnership with Māori to build on and strengthen existing relationships and ensure that our work translates to positive social outcomes for Māori.

The Treaty of Waitangi and historic Treaty settlements have created opportunities for the Crown and Māori to engage and partner with each other on issues of mutual interest. This process represents one of those opportunities. It is important to explore ways we can work better together given Māori overrepresentation amongst social service users. We know that Māori, like other New Zealanders, have concerns about protection of personal information. We are also aware of other issues that Māori are concerned about, such as Māori data sovereignty and governance. We will actively engage with Māori to understand these issues, and explore the potential to work together in this area.

Q: What is the role of Pacific peoples in this process?

A: This process recognises the diversity of Pacific communities and explores the potential to work together. It is important to explore ways we can work better together given Pacific peoples’ overrepresentation amongst social service users. We will actively engage and work in partnership with Pacific peoples to build on and strengthen existing relationships, understand their concerns about the use and protection of personal information, and ensure that our work translates to positive social outcomes for Pacific peoples.

Q: What is the role of disabled people in this process?

A: We will actively engage and work in partnership with disabled people to build on and strengthen existing relationships, understand their concerns about the use and protection of personal information and ensure that our work translates to positive social outcomes for disabled people. It is important to explore ways we can work better together with disabled people given they are disproportionately affected by negative social outcomes.

Q: How have you ensured that you are talking to the right people?

A: A working group has been guiding the SIA’s work to support the engagement to be as wide, deep and effective as possible. The working group consists of individuals from social sector agencies, NGOs, peak bodies and the Office of the Privacy Commissioner. We also have Māori, Pacific peoples, and disabled people advisors and a client advocate. Engagement hui were held for invited and registered participants in 27 locations across New Zealand, we and will revisit many of these locations during the public consultation for the Data Protection and Use Policy. Organisations with existing relationships with service users have assisted by creating opportunities for direct engagement with service users.

Q: What else is the government doing in this area?

A: A number of government agencies are working to get a better understanding of how to practically focus on the wellbeing of New Zealanders and improve how they use and protect data.

This work includes Treasury’s Living Standards Framework(external link) and the Department of the Prime Minister and Cabinet’s (DPMC) child wellbeing work(external link). The child poverty reduction bill will lead to the development of a child wellbeing strategy.

We are also coordinating with Oranga Tamariki, and the Ministry of Justice, as they develop codes of practice for information sharing in the areas of child safety and wellbeing and family violence.

When we come to develop the draft policy, we intend that it will complement existing work.

Q: What is the Social Investment Agency (SIA)?

A: The SIA is a small agency that looks right across the social sector. Our focus is on supporting better use of evidence to improve decision making across government in order to improve social outcomes. We work in partnership with other agencies and service providers to innovate and trial new ways of doing things. We co-ordinate, build, and share capability across the social sector.

Q: What’s the SIA’s role in this?

A: The SIA is taking the lead in developing this approach and policy on behalf of the social sector. Both of these will be owned and implemented across the entire social sector. The SIA will take a lead role in supporting agencies and service providers to apply the approach and policy, and monitor how they are implemented.

Export PDF