• Home /
• Privacy Act 2020 /
• Information/Data sharing /
• Information matching/Data Matching

Privacy Act 2020

What is information matching?

The Privacy Commissioner has a regulatory role to monitor the use of information matching by government departments. (The term ‘data matching’ is commonly used in other countries.)
Part 7 sub-part 4 and Schedule 6 of the Privacy Act provide a set of rules dealing with the supervision and operation of authorised information matching programmes.

Public reporting on information matching

Information matching provisions are authorised by statute and these are listed in Schedule 5 of the Privacy Act 2020. Our list of the information matching provisions and the matching programmes operated under those provisions provides links to descriptions and annual reports of the results of all operating information matches can be found here. Our comments on proposed legislation authorizing information matches, and the 5-yearly reviews of each information matching provision can be found here.

A person's privacy can be affected by information matching when agencies are:

• using information obtained for one purpose for an unrelated purpose
• 'fishing' in government records with the hope of finding wrongdoing by someone
• automating decisions affecting individuals and removing human judgment
• presuming people guilty simply through their being listed in a computer or requiring people to prove their innocence
• multiplying the effects on individuals of errors in some government databases; and
• undermining personal information by dispersing information obtained by one agency in confidence onto a variety of other agencies' databases.

If unchecked, information or data matching would seriously undermine people's trust in government. To address the risks, the Privacy Act regulates the practice of information matching in the public sector. It does this by having the following controls put in place:

• authorisation - making sure that only programmes clearly justified in the public interest are approved
• operation - ensuring that programmes are operated consistently with fair information practices
• evaluation - subjecting programmes to periodic reviews and possible cancellation. 

Public reporting on information matching

Operating programmes: Detailed descriptions and annual reports of the results of all operating authorized information matches.

Information Matching Reports and Reviews: The Commissioner's comments on proposed legislation authorizing information matches, and other reports on information matching programmes.

Information Matching (Compliance) Auditing

Part 7 of the Privacy Act regulates the operation of government information matching to minimise the privacy risks and maintain public confidence in the fair handling of data. The Privacy Commissioner oversees compliance with the controls in Part 7.

In response to the growth and changing nature of authorised information matching programmes, the compliance audit approach to reporting has been developed. The audit approach assesses compliance with the Privacy Act information matching controls in two parts:

• The documentation audit, looks at departmental documentation, policies, codes of practice and guidelines
• The process audit, focuses upon the agency management and staff involved in operating the programme.

The Privacy Act requires that the Commissioner review the operation of each information matching provision every five years. In these reviews under section 184 the Commissioner recommends whether a provision should continue, be amended or be cancelled. These updates are included in each year’s Annual Report, which can be found here.