Information Matching Privacy Impact Assessments
16 May 2008
OFFICE OF THE PRIVACY COMMISSIONER
1.1 Information matching - or data matching as it is called overseas - is an application of computer technology which carries particular privacy risks. Its use warrants careful scrutiny. Guidelines and rules have been developed and incorporated into law as part of the Privacy Act which seek to identify those circumstances where information matching is most clearly justified in the public interest notwithstanding some detriment to individual privacy.
1.2 Experience overseas and in New Zealand has been that the benefits of information matching are often exaggerated and the costs underestimated. The guidelines therefore also try to ensure that the benefits of a particular proposal outweigh the costs. The guidelines and rules also ensure that any information matching is undertaken in a way that minimises the effect on privacy through careful data management and respect for individual rights.
1.3 Consultation with key stakeholders is central to the privacy impact assessment process as it helps to ensure that key issues are noted, addressed and communicated. Consideration should be given to a privacy impact assessment which includes working with public reference groups. This can help foster broad community awareness and confidence in the proposal.
1.4 The note is directed towards the process that departments should follow in proposing an information matching programme and in pursuing legislative authority to undertake such matching. It does not describe information matching¹ or explain how it should be carried out.
1.5 This note should be read together with:
- Part X of the Privacy Act 1993;²
- the information matching guidelines (copy appended);³
- the information matching rules.⁴
1.6 Reference may also be had to:
- reports submitted by the Privacy Commissioner to the Minister of Justice on proposed information matching programmes;
- the Commissioner's annual reports.
2.1 The guide to Cabinet and Cabinet Committee Processes, accessible via http://cabguide.cabinetoffice.govt.nz/, requires a Minister to indicate whether a proposed bill or regulation complies with the principles and guidelines set out in the Privacy Act and, if the bill or regulation raises privacy issues, to indicate whether the Privacy Commissioner agrees that it complies with all relevant principles.
2.2 Departments should undertake an analysis of any information matching proposal in terms of the information matching guidelines at an early stage in the public policy making process. The benefits of doing so, regardless of the ultimate outcome, are quite obvious. If a problem is encountered in relation to the information matching guidelines it is as well that this be identified at an early stage so that the appropriate responses can be considered by departments in the first instance and, later, if necessary, by the Commissioner and Ministers.
3.1 The Privacy Commissioner has the express function under s.13(1)(f) of the Privacy Act (copy appended) to examine any proposed legislation which provides for the collection or disclosure of personal information which might be used for the purposes of an information matching programme. The Commissioner is to report the results of the examination to the Minister of Justice. The Commissioner is directed to have particular regard, in carrying out that examination, to the information matching guidelines set out in s.98 of the Act.
3.2 The Privacy Commissioner is required to carry out the functions under s.13(1)(f) in relation to "proposed legislation". It will only be possible for the Privacy Commissioner to complete such an examination when the form of that proposed legislation has been settled. At the very latest, this will be where a bill has been introduced to Parliament. However, depending upon the Parliamentary timetable, it may be possible for the detail of the legislation to be known in draft form after its introduction has been approved by Cabinet but before it is actually introduced into the House. In some cases this will be an ideal time for the examination to be carried out. Departmental co-operation at that point, and at earlier stages, will assist to ensure that the ability to complete the examination does not delay passage of the legislation.
3.3 To facilitate the Commissioner's examination of a proposal in terms of the information matching guidelines it is recommended that a Department prepare its own written assessment of the proposal in terms of each of the guidelines. This assessment document is referred to in this note as an "Information Matching Privacy Impact Assessment" or "IMPIA". In relation to the Commissioner's function to examine information matching proposals, it is suggested that the department seeking legislative authority should produce this to the Commissioner. The preparation and supply of a written Privacy Impact Assessment will greatly assist in completing these tasks and in ensuring that any department's proposal for information matching has been fully considered in terms of the guidelines.
4.1 A privacy impact assessment document is useful for several reasons. It may serve as an internal working document at an early stage of a programme's development, for example when a proposal is discussed with a department's own Minister or other officials and when options are being evaluated. The document will also have a value in relation to informal discussions with the Privacy Commissioner and her staff before final decisions are made to commit to a matching programme or before finalising its exact shape. At the later stages of a proposal's development the document may be useful in relation to the preparation of cabinet committee papers. An assessment document will certainly be of assistance in explaining a department's position when the Privacy Commissioner undertakes her examination under s.13(1)(f).
4.2 An assessment document should include the details set out in appendix B.
4.3 Two copies of the assessment are required at the time the Commissioner's examination under s.13(1)(f) is undertaken. One is for the Commissioner's permanent record and one will be submitted with the Commissioner's report to the Minister of Justice. An electronic version is also desired for internal use.
4.4 In some cases the Commissioner may accept assurances contained in the assessment document and not enquire further. For this reason, it is essential for the Commissioner to receive an assessment document signed off by a person of sufficient authority in the department to assure the Commissioner that it represents the intentions of the department and that undertakings will be carried out. Normally the Commissioner will expect an assessment document to be signed off by the Chief Executive of all departments involved. In other cases, the Chief Executive might write to the Privacy Commissioner indicating the officials who will be working on the assessment and the senior official who will sign off the document, having the authority of the department to do so.
5.1 It is not necessary to involve the Privacy Commissioner in all stages of the development of an information matching proposal since some proposals may be considered and rejected for departmental reasons. However, where a proposal is not immediately rejected it will make sense, in most cases, for a department to make early contact with the Commissioner to give a preliminary indication as to its intention. Formal contact should commence with a letter to the Privacy Commissioner. Later contact is likely to be with the Assistant Commissioner and staff assisting her.
5.2 Liaison with the Commissioner's office will be of value while an IMPIA is under preparation. Although the Commissioner's staff will not indicate concluded views they may be able to give indications as to likely concerns and help isolate issues. Discussions could assist to dispel concerns as to privacy aspects or to suggest some course of action, such as a limitation of the scope of a proposal or the undertaking of a pilot match, to meet privacy concerns.
5.3 Following enactment of an information matching provision, there will need to be continuing departmental liaison with the Office of the Privacy Commissioner in respect of implementation and reporting issues arising under Part X of the Act. Departments must ensure that implementation remains consistent with the assurances given in the IMPIA and should keep the Commissioner's office informed of any significant operational changes planned.
6.1 When the Privacy Commissioner reports the results of an examination of a matching proposal to the Minister there is often detailed comment upon aspects of the information matching guidelines and rules. Awareness of what the Commissioner has said on previous occasions in respect of the guidelines and matching rules will assist officials preparing IMPIAs. Copies of the reports from October 1995 - March 1998 have been combined into a convenient compilation.⁵ Later reports are available individually. The Office of the Privacy Commissioner has also extracted comment from various reports and included it in a resource document for the assistance of officials preparing assessments.⁶
6.2 Officials are welcome to telephone the Commissioner's office if they wish to speak to someone about an information matching matter or in regard to the preparation of an assessment document. It is suggested that enquiries be directed as follows:
- consultation on any proposal to Cabinet to obtain authorisation for a new matching programme or to amend an existing information matching provision, preparation of an IMPIA - Data Matching Compliance Adviser or the Team Leader Technology;
- preparation of reporting formats, implementation of authorised programmes, monitoring of existing information matching programmes - Data Matching Compliance Adviser or the Team Leader Technology.
13. Functions of Commissioner - (1) The functions of the Commissioner shall be - ...
(f) To examine any proposed legislation that makes provision for-
(i) The collection of personal information by any public sector agency; or
(ii) The disclosure of personal information by one public sector agency to any other public sector agency, -
or both; to have particular regard, in the course of that examination, to the matters set out in section 98 of this Act, in any case where the Commissioner considers that the information might be used for the purposes of an information matching programme; and to report to the responsible Minister the results of that examination.
98. Information matching guidelines - The following matters are the matters referred to in section 13(1)(f) of this Act to which the Commissioner shall have particular regard, in examining any proposed legislation that makes provision for the collection of personal information by any public sector agency, or the disclosure of personal information by one public sector agency to any other public sector agency, in any case where the Commissioner considers that the information might be used for the purposes of an information matching programme:
(a) Whether or not the objective of the programme relates to a matter of significant public importance:
(b) Whether or not the use of the programme to achieve that objective will result in monetary savings that are both significant and quantifiable, or in other comparable benefits to society:
(c) Whether or not the use of an alternative means of achieving that objective would give either of the results referred to in paragraph (b) of this section:
(d) Whether or not the public interest in allowing the programme to proceed outweighs the public interest in adhering to the information privacy principles that the programme would otherwise contravene:
(e) Whether or not the programme involves information matching on a scale that is excessive, having regard to -
(i) The number of agencies that will be involved in the programme; and
(ii) The amount of detail about an individual that will be matched under the programme:
(f) Whether or not the programme will comply with the information matching rules.
Content of Information Matching Privacy Impact Assessment
(a) Cover sheet and table of contents
(b) Introductory section: Setting out certain key details and short summary information such as:
(i) the title of the proposal;
(ii) name of the department proposing the programme;
(iii) other agencies involved;
(iv) contact details for policy and technical issues for each of the agencies;
(v) summaries of some of the details that follow in (c) to (h);
(vi) the date at which the version of the IMPIA has been prepared.
(c) Description of proposal: Including:
(i) the objective of the proposals;
(ii) summary of the proposed operation of the programme. Include details about likely processes involved, what information is to be disclosed, how information will be matched, when s.103 notices will be sent, information flows (diagrams) and any other relevant processes;
(iii) where proposed legislation has already been drafted the relevant clauses should be attached and referred to.
(d) Timing: Description of the stage that the proposal has reached, the processes followed so far and the time frame to which the Department intends to work.
(e) The problem: Details of the problem to which the programme is addressed (including reference to any supporting documentation such as select committee reports, departmental studies, surveys, etc).
(f) Information matching guidelines: Detailed analysis (rationale, justification and cost/benefit) of the proposal in terms of the 6 information matching guidelines set out in s.98 (including reference to any supporting data such as results from pilot matches etc). Within this material, or in separate following sections, there should also be analysis of the proposal in respect of the:
(i) information privacy principles (detail those principles for which compliance may be an issue) - relevant to guideline (s.98 d);
(ii) 8 information matching rules - relevant to guideline (s.98 f).
(g) Part 10 compliance: Explanation as to compliance with ss.99 to 104 of Part 10 of the Privacy Act.
(h) Draft information matching agreement and TSR: Where development of a proposal is well advanced a draft information matching agreement and Technical Standards Report may be attached, and referred to, if these have been prepared.
(i) Confidential material: Departments should indicate if any part of the document is sensitive, perhaps placing this in a confidential annex. If sensitivity is asserted it should be made clear whether that ceases when the policy decisions or implementing bill is made public.
(j) Sign-off: Normally by the chief executives of each department involved.
1 Definitions of "information matching programme" and other key terms are found in the Privacy Act 1993, s.97.
2 Privacy Act, ss.97-109.
3 Privacy Act, s.98.
4 Privacy Act, Fourth Schedule.
5 Office of the Privacy Commissioner, Examination of Proposed Information Matching Programmes October 1995 - March 1998, 1998, $25.
6 Office of the Privacy Commissioner, "The Privacy Commissioner's views on the Information Matching Guidelines", updated from time to time.