Privacy Act 2020

Information sharing involving government agencies

A person's privacy can be affected by information sharing when agencies are:

using information obtained for one purpose for an unrelated purpose
'fishing' in government records with the hope of finding wrongdoing by someone
automating decisions affecting individuals and removing human judgment
presuming people guilty simply through their being listed in a computer or requiring people to prove their innocence
multiplying the effects on individuals of errors in some government databases; and
undermining personal information by dispersing information obtained by one agency in confidence onto a variety of other agencies' databases.

If unchecked, information or data matching would seriously undermine people's trust in government. To address the risks, the Privacy Act regulates the practice of information matching in the public sector. It does this by having the following controls put in place:

authorisation - making sure that only programmes clearly justified in the public interest are approved
operation - ensuring that programmes are operated consistently with fair information practices
evaluation - subjecting programmes to periodic reviews and possible cancellation.

Any agency, whether government or non-government can share information in accordance with the Privacy Principles or as authorised in Privacy Codes of Practice issued by the Privacy Commissioner that have privacy rules for personal information in specific areas, such as health, telecommunications, and credit reporting.

Government agencies can be authorised through legislation or Orders in Council to over-ride some of the Privacy Principles.

Legislation can authorise agencies to share information. Some of these provisions are listed in Schedule 5 of the Privacy Act 2020 and are monitored by the Privacy Commissioner as information matches.

The Privacy Act also authorises sharing of:
a) Identity information (Part 7 Sub-part 2)
b) Law enforcement information (Part 7 Sub-part 3)

The Privacy Act also empowers the Executive to authorise information sharing through regulations by Orders in Council. These are known as Approved Information Sharing Agreements (AISAs).

Information Matching / Data Matching

The Privacy Commissioner has a regulatory role to monitor the use of information matching by government departments. (The term ‘data matching’ is commonly used in other countries.)

Part 7 sub-part 4 and Schedule 6 of the Privacy Act provide a set of rules dealing with the supervision and operation of authorised information matching programmes.

Public reporting on information matching

Information matching provisions are authorised by statute and these are listed in Schedule 5 of the Privacy Act 2020.

Our list of the information matching provisions and the matching programmes operated under those provisions provides links to descriptions and annual reports of the results of all operating information matches.

Information Matching Reports and Reviews - Our comments on proposed legislation authorizing information matches, and the 5-yearly reviews of each information matching provision.

Approved Information Sharing Agreements (AISAs)

AISAs are approved by Order in Council and enable personal information to be shared between (or within) organisations for the purpose of delivering public services. The information sharing provisions are Part 7 sub-part 1 of the Privacy Act.

Public reporting on AISAs

AISAs are listed in Schedule 2 of the Privacy Act

We provide a summary of the current AISAs (including links to reports about the AISAs).

The lead agency for the AISA must publish a copy of the agreement online, and must report on activity as specified by the Privacy Commissioner (see s13 of the Privacy Regulations 2020).

Guidance for agencies

An online training module 'An A to Z of AISAs' teaches you what an AISA is, how to build a case for one, how to develop one and how to get one approved.

“An A to Z of Approved Information Sharing Agreements (AISAs)” (March 2015)