Privacy Commissioner - Te Mana Matapono Matatapu

Skip to content

Information Matching Bulletin, Issue 01, October 2011

News from the Office of the Privacy Commissioner - October 2011

Law Commission publishes final report
Privacy (Information Sharing) Bill introduced
Electronic Identity Verification Bill introduced
Electoral (Administration) Amendment Bill (No 2) passes
Section 106 reviews completed - programme cancelled
Information Matching Workshops
Publications
Contacts

Law Commission publishes final report

The Law Commission has completed its review of privacy law with the publication of its final report, 'Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4.'

The report includes a recommendation that there should be a new framework in the Act to allow the sharing of personal information between government agencies where it is in the public interest to do so (and with appropriate safeguards). The Law Commission sees information matching as a type of information sharing and recommends that information matching should be governed by the same rules as information sharing with proportionately greater safeguards for programmes which carry greater risks. However, the recently introduced Privacy (Information Sharing) Bill (see below) currently leaves the existing regime in place.

The Law Commission anticipated that it might be seen as preferable to keep the current information matching scheme, rather than incorporate information matching into the new information sharing framework. With that in mind, it made several recommendations that may have an operational impact on agencies:

• The s.103 notice period should be 10 days (currently five) but with the Privacy Commissioner able to reduce the period in appropriate cases
• All on-going information matching programmes should have to be authorised and operate under the information matching controls
• The required five yearly review (s.106) of each information sharing provision should be at the discretion of the Privacy Commissioner
• The current Rule 3 (online transfers) and Rule 8 (Time limits) should be deleted
• The blanket exemptions for Inland Revenue in section 101(5) and rule 6(3) should be repealed but exemptions provided for on a case by case basis.

The 'Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4' report is available at http://www.lawcom.govt.nz/project/review-privacy?quicktabs_23=report#node-2123.

Privacy (Information Sharing) Bill introduced

The Privacy (Information Sharing) Bill introduced on 16 August 2011 closely follows the recently completed Law Commission review of the Privacy Act. The Bill seeks to make two key changes. Firstly, exceptions to privacy principles 10(d) and 11(f) will be revised to allow the use and disclosure of information where there is a serious threat to public health or safety or the life or health of an individual. Currently the threat must be serious and imminent before information can be shared.

Second is the establishment of a new information sharing framework in the Privacy Act. The framework will allow for Approved Information Sharing Agreements (AISAs) to be confirmed by Order in Council. Currently, if an information sharing scheme does not comply with the Privacy Act, it needs authorisation via primary legislation. The Bill sets out the process for approval of an AISA along with a set of protections to ensure sharing arrangements operate openly and consistently within the bounds of their approval.

The new information sharing framework does not limit any other laws that allow for personal information to be collected, used, or disclosed. Nor does the new framework mean that agencies must enter into an AISA if they already have sufficient authority for the disclosure of personal information. The disclosure provisions in Part 10 (information matching) and Part 11(law enforcement information) of the Privacy Act will continue to operate and not be limited by the new information sharing framework.

An AISA will enable the sharing and use of information between and within agencies (both public and private sector) that deliver public services.

Among other things, the Bill provides a strong role for the Privacy Commissioner:

• must consider the privacy implications of each proposed agreement (or amendment), and may make submissions to the consulting agencies
• may (for approved agreements) report to the responsible Minister about privacy concerns that will or may arise because of the sharing agreement, or about the consultation process, and may publish the report
• may review the operation of an AISA after 12 months, and recommend amendment or revocation of an AISA where the Commissioner believes the AISA is not operating correctly, reasonably, or efficiently
• may direct agencies to report on the operation of each AISA.
The consultation, oversight, and reporting functions imposed by the Bill on the Privacy Commissioner will in turn require agencies that are party to an AISA to provide sufficient and timely information to the Privacy Commissioner so that she can meet her statutory obligations.

The Privacy (Information Sharing) Bill is available at http://www.legislation.govt.nz/bill/government/2011/0318/latest/versions.aspx


Electronic Identity Verification Bill introduced

The Electronic Identity Verification Bill was introduced on 30 August 2011. The purpose of the Bill is to regulate the administration and application of the Electronic Identity Verification Service (EIVS). The EIVS is designed to allow people to authenticate their identity once and so avoid the cost and inconvenience of repeatedly having to prove their identity in person to different agencies.

To ensure the integrity of the EIVS, the Bill includes a new information matching provision to support the verification of identity information. Clause 35 of the Bill allows for the disclosure of identity information from the Births, Deaths, and Marriages, Citizenship, Immigration, and Passports databases to the Chief Executive of Department of Internal Affairs (who manages the EIVS) to authenticate an individual's identity, and to keep the information contained in the individual's EIVS record accurate and up to date.

The Electronic Identity Verification Bill is available at http://www.legislation.govt.nz/bill/government/2011/0323/latest/versions.aspx


Electoral (Administration) Amendment Bill (No 2) passes

The Electoral (Administration) Amendment Bill (No 2) passed on 16 August 2011. The Bill authorises one new information matching provision and amends an existing one.

The new provision (Electoral Act 1993, s.263B(4)(d)(ii)) allows for the comparison of voter registration records with the records of New Zealand passport applicants so that the Electoral Enrolment Centre (EEC) can identifying people who are qualified to register as an elector but who have not yet registered, and send them an invitation to do so.

The amended provision (Electoral Act 1993, s.263A) allows the EEC to check the eligibility of people who apply for voter registration by comparing applicant details against records held by Immigration New Zealand of people who are in New Zealand unlawfully or only resident in New Zealand by virtue of holding a temporary visa. Previously, EEC could only remove ineligible voters from the roll after they had been added.

Section 106 reviews completed - programme cancelled

The Privacy Commissioner recently submitted to the Minister of Justice two reports under section 106 (review of statutory authorities for information matching) of the Privacy Act.

The first report covered the following programmes:
• IRD/MSD Debtors Tracing
• MSD/IRD Working for Families Tax Credits Double Payment
• INZ/EEC Unqualified Voters
• MSD/Justice Fines Defaulters Tracing

The second report covered the following programmes:
• NZTA/EEC Unenrolled Voters
• MOT/EEC Unenrolled Voters
• MSD/EEC Unenrolled Voters
• Citizenship/EEC Unenrolled Voters

With the exception of the IRD/MSD Debtors Tracing Programme the Privacy Commissioner concluded that the authority for each programme should continue. The Privacy Commissioner concluded that the IRD/MSD Debtors Tracing programme was not providing the Ministry of Social Development with significant debt recoveries and should be reviewed to determine whether the programme was a good return on investment.

MSD undertook a review of the programme and concluded that the programme was not providing significant recoveries. MSD ceased operating the programme in May 2011.

The s.106 reports are available at http://privacy.org.nz/information-matching-reports-and-reviews/.

Information matching workshops

These half day workshops are designed to give some practical background knowledge about the Privacy Act along with more detailed information about preparing an Information Matching Privacy Impact Assessment. The cost is $170 (inc GST).

The next workshop is tentatively scheduled for 16 February 2012, but is dependent on having enough participants registered. To register your interest in attending this workshop, contact Sharon Newton on (04) 4747590 or by email to workshops@privacy.org.nz.

Publications
There are a number of other publications and reports available from the Privacy Commissioner that may be of interest to those involved in information matching. These are listed on the Privacy Commissioner's website, http://www.privacy.org.nz/data-matching-introduction/

Contacts
Wellington
4th Floor, 109-111 Featherston Street
PO Box 10-094
Wellington.
Telephone: 04 474 7590

Simon Rae
Team Leader, Policy and Technology
Direct line: 04 494 7082

Neil Sanson
Data Matching Compliance Adviser
Direct line: 04 474 7592

Colin Trotter
Senior Adviser, Data Matching Compliance
Direct line: 04 494 7087

You can contact us by email. Our standard email format is first name.surname@privacy.org.nz