Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo
  • Home /
  • Public inquiries /
  • Inquiry into the MSD’s Exercise of Section 11 (Social Security Act 1964) and Compliance with the Code of Conduct

Print | Email this page

Inquiry into the MSD’s Exercise of Section 11 (Social Security Act 1964) and Compliance with the Code of Conduct

In 2018 the Privacy Commissioner was approached by a community group concerned about the Ministry of Social Development’s (the Ministry’s) information gathering practices when conducting fraud investigations. The Commissioner found that the Ministry’s exercise of their information gathering powers is inconsistent with its legal requirements, including the Privacy Act 1993. This failure has resulted in infringements on individual privacy.

Read the Privacy Commissioner's Inquiry into the Ministry of Social Development’s Exercise of Section 11 (Social Security Act 1964) and Compliance with the Code of Conduct report, which includes the footnotes (opens to PDF). 

Executive summary

The executive summary of the report was written by Privacy Commissioner John Edwards. 

"The Ministry has powers under the Social Security Act 1964 (section 11) to collect “any information” about a person in receipt of a benefit to assess their entitlements – including retrospectively, as is the case with fraud investigations. I recognised the importance of the Ministry being able to investigate potential abuses of the social security system as part of the effective administration of the Social Security Act.

The Ministry’s exercise of its information gathering powers is regulated by a Code of Conduct (the Code), which requires that the Ministry first seek information from a beneficiary client before requiring the production of that information by a third party, unless to do so would prejudice the maintenance of the law. As the Code itself notes this provides some measure of privacy protection, as well as ensuring that individuals are kept informed about the nature of the enquiries being made about them.

In 2012 the Ministry advised its fraud investigation staff that they could bypass the requirement to seek information directly from a beneficiary and instead to go direct to third parties. The Ministry believed that an amendment to the Code enabled this.[4] The Office of the Privacy Commissioner was consulted at the time and supported the amendment but advised the Ministry that we disagreed with its interpretation of the amendment’s effect.

The 2012 practice change resulted in the Ministry using its powers to collect large amounts of highly sensitive information about beneficiaries from third parties without approaching those beneficiaries first. Information collected included, but was not limited to, text message content, domestic violence and other Police records, banking records, and billing information from a range of providers.

This change in practice was part of a suite of changes targeting beneficiary fraud. The Ministry has since advised that staff only bypass the beneficiary in certain cases deemed ‘high risk’. On average per year between 2600 and 2300 fraud investigations are categorised as ‘high risk’.

The Ministry has acted improperly in its exercise of section 11 powers and infringed on individual privacy.

Since 2012, the Ministry’s routine failure to ask beneficiaries for information before approaching third parties has likely impacted thousands of clients. Between 49-64% of investigations each year result in no formal detection of fraudulent activity.

New Zealand’s Privacy Act 1993 protects people’s ability to determine for themselves when, how, and to what extent their information is shared with others. Requesting information from the person concerned first is an important privacy safeguard – which is reflected in the drafting of section 11 and the Code. Accepting there will be cases where it is appropriate to approach third parties first, allowing people to provide relevant information to the Ministry themselves gives them greater control over their personal information, can assist to ensure that information is accurate, and may prevent the need for more intrusive investigations.

The Code contains additional safeguards around the types of information that can be collected; for example health care workers cannot be asked to provide comment on whether an individual is in a relationship. These safeguards were enacted in 1997 and reflected the limited nature of the data available to the Ministry at the time.[8] The data sources now accessible by the Ministry have increased significantly. For example, in 1997 telecommunication companies did not offer widespread text messaging services or have the capacity to provide clients’ location data.

The 2012 practice change provided for the almost unrestricted collection of extensive amounts of highly personal information on a large number of beneficiary clients. This is excessive, disproportionate to the Ministry’s legitimate needs and inconsistent with the Ministry’s legal obligations and the information privacy principles.

As part of my Inquiry we have interviewed beneficiaries and reviewed fraud investigation files provided by the Ministry. As a result, we have seen cases where individual privacy has been infringed upon. Examples have included:

  • Failing to ask beneficiary clients for information before seeking it from a third party leading to inaccurate assessments of the information
  • Overly broad requests leading to the provision of unnecessary and sensitive information (e.g. a woman’s birthing records)
  • Requests for highly sensitive information that may be unreasonable in the circumstances (e.g. every text message sent and received by an individual over lengthy periods)
  • Disproportionate collection of information.

I am disappointed to have to be making this report given this Office’s opposition to the 2012 practice change and the repeated calls on the Ministry since 1994 to improve its practices around information gathering and record keeping in fraud investigations from a range of observers.[10] Due to the poor record keeping practices and inconsistencies between fraud teams, we have been unable to establish whether the Ministry has been bypassing beneficiaries in all fraud investigations or only those categorised as ‘high risk’. While individual files contain some records of section 11 notices being issued, it is disappointing that the Ministry does not keep centralised records of when and how many section 11 notices are issued by its staff.

I have found that the Ministry has infringed on individual privacy through its improper application of section 11, its disproportionate information gathering practices, and its failure to update its policy or practice around section 11 in line with important jurisprudence and legal developments such as the New Zealand Bill of Rights Act 1990 (the Bill of Rights Act). I note also that the Ministry is required to review the Code every three years, but it has not done so since 2012.

Back to top