The Treasury

Global Navigation

Personal tools

Privacy issues

People generally care about the privacy of their personal information, and if they are required or agree to provide personal information to government agencies, businesses or other organisations for specific purposes, then they have strong expectations about how those agencies will deal with that information.

The Privacy Act 1993 contains a range of requirements concerning how personal information is dealt with, including:

  • the information privacy principles that set out the standards for how personal information should be collected, stored, used, disclosed and the rights people have to access and seek correction of their personal information (s 6);
  • the public register privacy principles in Part 7;[25]
  • information sharing provisions in Part 9A;
  • information matching rules in Part 10;
  • the sharing of law enforcement information in Part 11;
  • the transfer of personal information outside New Zealand in Part 11A;

A Bill that provides for personal information to be dealt with in some way may override the requirements of the Privacy Act 1993. Consequently, it should be subject to careful scrutiny and be able to be fully justified.

A Cabinet paper seeking approval to introduce a Bill must advise whether the Bill complies with the principles and guidelines in the Privacy Act. If the Bill raises privacy issues, the Cabinet paper needs to indicate whether the Privacy Commissioner agrees that they comply with all relevant principles.[26]

The Privacy Commissioner also has a statutory function to examine proposed legislation that provides for the collection of personal information by any public sector agency or the disclosure of personal information by one public sector agency to another public sector agency.[27]

Question 3.5

3.5.  Does this Bill create, amend or remove any provisions relating to the collection, storage, access to, correction of, use or disclosure of personal information? [YES/NO]

What matters are covered by the question?

This disclosure requires the identification of any provisions in a Bill that relate to how personal information is dealt with, because these may depart from the general privacy standards established by the Privacy Act 1993. The information privacy principles in section 6 of the Privacy Act 1993 set out the requirements for personal information.

“Personal information” is defined broadly in the Privacy Act 1993 and “means information about an identifiable individual”.[28]m

Consequently, disclosure will be required if a Bill creates or amends provisions that:

  • specify when or how information about an individual is collected or held;
  • require personal information to be collected;
  • restrict access to personal information;
  • specify when or how personal information can be used or disclosed;
  • authorise or require personal information to be disclosed in particular circumstances, including information sharing and information matching;
  • establish a system for uniquely identifying individuals (e.g. by assigning an identifier such as driver licence or passport number or using biometrics such as fingerprints);
  • authorise agencies to use a common unique identifier for individuals;
  • establish or modify a public register; or
  • enable the transfer of personal information outside New Zealand.

The Legislation Advisory Committee's Guidelines on Process and Content of Legislation contains more detailed information about privacy implications.[29]

What is the nature of the further information sought?

If the answer is YES, please:

  • identify the relevant provision(s) in the Bill;  and
  • answer the subsidiary question (Question.3.5.1).

Identification of the relevant provisions should include the clause number of the Bill and a brief summary of the provision's effect. It could also explain how it might depart from the Privacy Act requirements or standards.

If the answer is NO, no further information is required.  You can also delete the subsidiary question (Question 3.5.1) from the disclosure statement.

Question 3.5.1

3.5.1.  Was the Privacy Commissioner consulted about these provisions? [YES/NO]

What matters are covered by the question?

Consultation with the Privacy Commissioner could take various forms, including phone discussions, emails, meetings with officials from the Office of the Privacy Commissioner, or the receipt of comments from the Privacy Commissioner.

What is the nature of the further information sought?

If the answer is YES, please:

  • describe the nature and extent of the consultation undertaken; and
  • the nature of any action taken to address issues raised.

The answer to Question 3.5.1 is likely to involve a brief description of:

  • the matters or Bill provisions the Privacy Commissioner was consulted about, and the form the consultation took;
  • the issues that were raised in consultation, most likely by the Privacy Commissioner but possibly by the agency preparing the Bill; and
  • the actions taken, if any, in relation to those matters or Bill provisions, to address concerns raised by the Privacy Commissioner, or otherwise a short explanation of why no action was taken.

If the Bill is large and involves quite a few issues, try to keep the description of the issues as short as possible. The aim is to convey the nature and extent of the issues consulted on. If similar issues arose in respect of a number of clauses try to group the clauses together so an issue only has to be identified once.

If the answer is NO, no further information is required. 

You may, however, choose to take the opportunity to briefly explain why the Privacy Commissioner was not consulted.

Notes

Page top