<?xml version="1.0"?>
<rss version="2.0">
	<channel>
		<title></title>
		<link>http://www.privacy.org.nz./fact-sheets-and-guidance-notes/</link>
		<description></description>

		
		<item>
			<title>Effective website privacy notices</title>
			<link>http://www.privacy.org.nz./effective-website-privacy-notices/</link>
			<description>&lt;p&gt;Giving notice to website visitors about how your agency&amp;nbsp;collects and uses personal information is good&amp;nbsp;practice.&amp;nbsp;&amp;nbsp;An effective approach to this task is to use a layered privacy notice, and we have recommended '10 Steps to develop a multilayered privacy notice' as a source of detailed information.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Now, based upon continuing collaboration with a small group of NZ agencies who are piloting the layered notice approach, the Office of the Privacy Commissioner has published 'Questions &amp;amp; Answers About Layered Privacy Notices'.&amp;nbsp; In the form of questions and answers, we state why a layered privacy notice can improve communication about how your agency handles personal information.&amp;nbsp; It explains how layered notices structure information in a way that readers can recognise, gives reasons why the layered notice structure can meet the needs of agencies large and small, and introduces a simple process you can adopt to create your own.&lt;/p&gt;&lt;p&gt;Collaboration with pilot agencies is not yet complete.&amp;nbsp; Hence, the information shared in 'Questions and Answers' is a work in progress and may expand or change as we learn from experience.&lt;/p&gt;&lt;p&gt;Click the link to see &lt;a href=&quot;http://www.privacy.org.nz./assets/Files/Effective-website-privacy-notices/Questions-and-Answers-about-Layered-Privacy-Notices.doc&quot; target=&quot;_blank&quot; class=&quot;null&quot;&gt;'Questions and Answers about Layered Privacy Notices'&lt;/a&gt;.&lt;/p&gt;&lt;h3&gt;Additional Resources&lt;/h3&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Center for information policy leadership&lt;/strong&gt;&lt;br /&gt;&lt;a href=&quot;http://www.hunton.com/files/tbl_s47Details%5CFileUpload265%5C1405%5CTen_Steps_whitepaper.pdf&quot;&gt;Ten steps to develop a multilayered privacy notice&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;OECD (Organisation for Economic Cooperation 
and Development)&lt;/strong&gt;&lt;br /&gt;&lt;a href=&quot;http://appli1.oecd.org/olis/2006doc.nsf/43bb6130e5e86e5fc12569fa005d004c/a56f6b2f04871d3fc12571b5003dac3f//JT03212212.pdf&quot;&gt;Making Privacy Notices Simple: An OECD Report and Recommendations&lt;/a&gt; &lt;br /&gt;&lt;a href=&quot;http://appli1.oecd.org/olis/2006doc.nsf/43bb6130e5e86e5fc12569fa005d004c/6f94e5613e34c5e2c12571b600359fc6//JT03212233.PDF&quot;&gt;Report annexes&lt;/a&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; (This link does work but takes a couple of minutes to download)&lt;br /&gt;&lt;a href=&quot;http://www.oecd.org/document/39/0,2340,en_2649_34255_28863271_1_1_1_1,00.html&quot;&gt;OECD Privacy Statement Generator&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;APEC (Asia-Pacific Economic Cooperation)&lt;/strong&gt;&lt;br /&gt;&lt;a href=&quot;http://aimp.apec.org/Documents/2005/ECSG/DPM1/05_ecsg_dpm1_003.pdf&quot; title=&quot;Multi-layered notices explained&quot;&gt;Multi-layered Notices: A Developing Standard&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://aimp.apec.org/Documents/2005/ECSG/DPM1/05_ecsg_dpm1_003.pdf&quot; title=&quot;Multi-layered notices explained&quot; class=&quot;null&quot;&gt;Multi-layered notices Explained&lt;/a&gt;&lt;/p&gt;</description>
			<pubDate>Tue, 15 Aug 2006 08:56:51 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz./effective-website-privacy-notices/</guid>
		</item>
		
		<item>
			<title>Privacy Impact Assessment Handbook</title>
			<link>http://www.privacy.org.nz./privacy-impact-assessment-handbook/</link>
			<description>&lt;p&gt;Contents&lt;/p&gt;&lt;p&gt;Foreword by the Privacy Commissioner&lt;br /&gt;1. Overview&lt;br /&gt;2. The Information Privacy Principles&lt;br /&gt;3. What is Privacy Impact Assessment?&lt;br /&gt;4. Why undertake Privacy Impact Assessment?&lt;br /&gt;5. Who should undertake Privacy Impact Assessment?&lt;br /&gt;6. Which projects warrant Privacy Impact Assessment?&lt;br /&gt;7. When to undertake Privacy Impact Assessment?&lt;br /&gt;8. How to undertake Privacy Impact Assessment?&lt;br /&gt;9. Elements of a privacy impact report&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; A. Introduction and overview&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; B. Description of the project and information flows&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; C. The privacy analysis&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; D. Privacy risk assessment&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; E. Privacy enhancing measures&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; F. Compliance mechanisms&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; G. Conclusions&lt;br /&gt;10. Privacy Impact Assessment - the pay-off&lt;br /&gt;11. Appendices&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; A. The information privacy principles&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; B. Bibliography&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; C. 
Acknowledgements&lt;/p&gt;&lt;h3&gt;Foreword by the Privacy Commissioner&lt;/h3&gt;&lt;p&gt;&lt;br /&gt;Organisations frequently approach my office asking &amp;quot;Will my project comply with the Privacy Act?&amp;quot; Sometimes this leads to the wider, and perhaps more valuable, questions:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;How will my project affect the privacy of individuals?&lt;/li&gt;&lt;li&gt;Can I achieve my objectives while also protecting privacy?&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;This handbook provides the tools to help to answer these questions.&lt;/p&gt;&lt;p&gt;Protection of privacy is more than simply avoiding a breach of the law. It can involve striving for something better. Privacy impact assessment is one of a range of new techniques which are increasingly being used internationally to better manage privacy risks. Others include privacy compliance audits, privacy seals and associated self-regulatory initiatives and privacy enhancing technologies. Each builds on the bedrock of the enforceable privacy rights for citizens and consumers enshrined in law.&lt;br /&gt;&lt;br /&gt;Privacy impact assessment enables public and private bodies to make informed choices. It will often be the case that a privacy enhancing solution will be no more difficult or costly to implement than an intrusive one, if the option is identified sufficiently early in project planning.&lt;br /&gt;&lt;br /&gt;Privacy impact assessment is being encouraged in Hong Kong, Canada and Australia as a means by which business and government can proactively identify and avoid privacy problems. In Hong Kong, privacy impact assessment is an important part of a policy approach to building trust and confidence in e-business. In Australia the process is recommended as part of any new Public Key Infrastructure system. A number of Canadian governments, federal and provincial, have or are developing policies requiring privacy impact assessment to be undertaken on new projects. 
The Province of Alberta has gone one step further and requires by law privacy impact assessments to be undertaken before establishing new public health information systems. A number of American institutions, including the Internal Revenue Service, have adopted internal policies requiring the use of privacy impact assessment.&lt;br /&gt;&lt;br /&gt;Privacy impact assessment is seen internationally as a valuable tool for businesses and governments which take privacy seriously.&lt;br /&gt;&lt;br /&gt;I commend New Zealand organisations to employ privacy impact assessment for significant new initiatives involving the handling of personal information. Achieving and maintaining public trust in electronic service delivery is a key challenge for e-government and e-commerce. Failure to give informed consideration to privacy issues when embarking on new projects could be an expensive mistake. A privacy impact report will fill a gap in the knowledge of decision makers and enable them fully to get to grips with the issues at the right time - before decisions are taken.&lt;/p&gt;&lt;p&gt;B H Slane&lt;br /&gt;Privacy Commissioner&lt;/p&gt;&lt;h3&gt;1. OVERVIEW&lt;/h3&gt;&lt;p&gt;Privacy Impact Assessment (PIA) is a systematic process for evaluating a proposal in terms of its impact upon privacy. PIA helps an agency to:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;identify the potential effects that a proposal may have upon individual privacy&lt;/li&gt;&lt;li&gt;examine how any detrimental effects upon privacy might be overcome&lt;/li&gt;&lt;li&gt;ensure that new projects comply with the information privacy principles.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;The contents of this handbook will be of particular value to those who are not IT specialists but have organisational responsibility for complying with data protection and privacy laws and policies. 
The handbook's objectives are:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;to explain the benefits of Privacy Impact Assessment (PIA) for public and private agencies involved in projects with significant potential impact upon privacy&lt;/li&gt;&lt;li&gt;to offer a framework to enable PIA to be undertaken appropriately and effectively&lt;/li&gt;&lt;li&gt;to help assessors to prepare consistent, structured, high quality privacy impact reports.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;The comments and suggestions in this handbook are particularly suited to projects with a technological component, especially e-commerce and e-government initiatives. However, the booklet may also help businesses, government departments and others operating off-line. The handbook is not intended to offer legal advice about the interpretation of the Privacy Act 1993 (&amp;quot;the Act&amp;quot;).&lt;/p&gt;&lt;p&gt;Privacy Impact Assessment is a technique that should be useful to any public or private sector agency that handles personal information, particularly medium to large businesses and government departments. There are distinct advantages in outsourcing the preparation of a privacy impact report to lend impartiality to the process. That may be critical in influencing consumer or public opinion. 
Nonetheless, it is feasible to undertake PIA in-house, using the skills and experience of the project team and the wider organisation.&lt;/p&gt;&lt;p&gt;This handbook provides detailed practical guidance on how to prepare a privacy impact report:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Preliminary privacy analysis - is a PIA needed for this project?&lt;/li&gt;&lt;li&gt;Terms of reference - setting the task for the assessment.&lt;/li&gt;&lt;li&gt;Describing the project and information flows - accurately understanding, and clearly describing, the processes is essential before analysing the privacy risks.&lt;/li&gt;&lt;li&gt;Privacy analysis - examining all aspects of the proposed system from obtaining to destruction of data.&lt;/li&gt;&lt;li&gt;Privacy risk assessment - identify the risks and judge their nature and seriousness.&lt;/li&gt;&lt;li&gt;Privacy enhancing responses - security safeguards, privacy enhancing technologies and other management and technological solutions.&lt;/li&gt;&lt;li&gt;Compliance mechanisms - ensure that responses are effective in operation and trigger action if change occurs or if the measures implemented prove ineffective.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;Privacy impact assessment provides an &amp;quot;early warning system&amp;quot; for agencies. The PIA radar screen will enable an organisation to spot a privacy problem and take effective counter-measures before that problem strikes the business as a privacy crisis. 
The process can help by:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;providing credible information upon which business decisions can be based&lt;/li&gt;&lt;li&gt;saving money by identifying privacy issues early, at the design stage&lt;/li&gt;&lt;li&gt;enabling organisations to identify and deal with their own problems internally and proactively rather than awaiting customer complaints, external intervention or a bad press.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;Proper assessment can make an initiative privacy enhancing without compromising business objectives or adding significant costs. PIA is a technique for any business or public body that is serious about the need to maintain customer trust and confidence.&lt;/p&gt;&lt;h3&gt;2. THE INFORMATION PRIVACY PRINCIPLES&lt;/h3&gt;&lt;p&gt;The Privacy Act sets out 12 information privacy principles (&amp;quot;IPPs&amp;quot;) - see Appendix A. Agencies must comply with those provisions.&lt;/p&gt;&lt;p&gt;The IPPs are based upon international principles of fair information practice. Similar principles form the backbone of privacy and data protection legislation in an increasing number of jurisdictions throughout the world. The principles apply to the collection, accuracy, use and security of personal information. They also provide for access to, and correction of, personal information and place controls on unique identifiers.&lt;/p&gt;&lt;p&gt;The IPPs impose duties upon agencies, and confer rights upon individuals, in relation to personal information. 
Their coverage can be discerned from their general headings:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;principle 1 - purpose of collection of personal information&lt;/li&gt;&lt;li&gt;principle 2 - source of personal information&lt;/li&gt;&lt;li&gt;principle 3 - collection of information from subject&lt;/li&gt;&lt;li&gt;principle 4 - manner of collection of personal information&lt;/li&gt;&lt;li&gt;principle 5 - storage and security of personal information&lt;/li&gt;&lt;li&gt;principle 6 - access to personal information&lt;/li&gt;&lt;li&gt;principle 7 - correction of personal information&lt;/li&gt;&lt;li&gt;principle 8 - accuracy, etc, of personal information to be checked before use&lt;/li&gt;&lt;li&gt;principle 9 - agency not to keep personal information for longer than necessary&lt;/li&gt;&lt;li&gt;principle 10 - limits on use of personal information&lt;/li&gt;&lt;li&gt;principle 11 - limits on disclosure of personal information&lt;/li&gt;&lt;li&gt;principle 12 - unique identifiers.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;In addition to the IPPs, which are relevant to all the handling of personal information by agencies, the Act contains other sets of principles, guidelines and rules applicable in certain circumstances. These include the public register privacy principles and the information matching guidelines and rules.&lt;/p&gt;&lt;p&gt;This handbook does not discuss the specifics of the IPPs or the other statutory principles, guidelines and rules. However, there are a number of readily available resources on the Privacy Act - see Appendix B. Information can also be obtained by consulting the Privacy Commissioner's website or by telephoning the privacy enquiries line (0800 803 909).&lt;/p&gt;&lt;h3&gt;3. WHAT IS PRIVACY IMPACT ASSESSMENT?&lt;/h3&gt;&lt;p&gt;The Privacy Act does not define privacy impact assessment and it is a concept that continues to evolve. 
The International Association for Impact Assessment defines impact assessment as &amp;quot;the identification of future consequence of a current or proposed action&amp;quot;. For the purposes of this handbook, PIA is described as a systematic process that evaluates a proposal in terms of its impact upon privacy.&lt;/p&gt;&lt;p&gt;To be effective, PIA needs to be an integral part of the project planning process rather than an afterthought. The purpose of the assessment is to:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;identify the potential effects that the proposal may have upon personal privacy&lt;/li&gt;&lt;li&gt;examine how any detrimental effects on privacy might be lessened.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;PIA may be applied to a wide range of projects. It applies to any proposal that could intrude on reasonable expectations of privacy or the rights enshrined in the Act. It can be used with a public policy initiative or a corporate project.&lt;/p&gt;&lt;p&gt;A privacy impact report seeks to identify and put into a report the essential components of any proposed system that contains significant amounts of personal information and to establish how the privacy risks associated with that system can be managed. A PIA will sometimes go beyond just a &amp;quot;system&amp;quot; being assessed to consider critical &amp;quot;downstream&amp;quot; effects on people who are affected in some way by the proposal.&lt;/p&gt;&lt;p&gt;PIA can be distinguished from privacy compliance audits. Privacy compliance audits are carried out on existing systems to ensure their conformity with internal rules and external requirements in relation to privacy and data protection. By contrast, PIA focuses on understanding a proposed system (or the effects of proposed change to an existing system). The aim is to identify and reduce future adverse impacts as well as to inform decision-makers about whether a project should proceed and, if so, in what form. 
However, the distinction is not absolute and there may be a useful inter-relationship between the different techniques. For example, the results of a privacy compliance audit on an existing system would be a valuable resource for anyone undertaking a PIA on proposed enhancements or changes to that system.&lt;/p&gt;&lt;h3&gt;4. WHY UNDERTAKE PRIVACY IMPACT ASSESSMENT? &lt;/h3&gt;&lt;p&gt;Privacy Impact Assessment can operate as an &amp;quot;early warning system&amp;quot; for businesses and government organisations. It can help management make better informed decisions and avoid a privacy disaster. No chief executive wants to see his or her organisation's exciting new product or initiative panned in the news media as a danger to customer privacy. While favourable publicity can never be guaranteed, acting on a privacy impact report improves the chances that any privacy headlines are good news for the business rather than a public relations (and possibly share price) disaster.&lt;/p&gt;&lt;p&gt;PIA can help public and private sector agencies in a number of ways:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;PIA offers a tool to undertake the systematic analysis of privacy issues arising from a project in order to inform decision-makers. PIA can provide a credible source of information by assuaging alarmist fears or alerting the complacent to potential pitfalls.&lt;/li&gt;&lt;li&gt;In some cases bitter consumer and public reaction has led to the withdrawal of a new and expensively developed product for privacy reasons. PIA ensures that a business is the first to find out about privacy pitfalls in its project, rather than learning of them from critics or competitors. A privacy impact report can save money and protect reputation.&lt;/li&gt;&lt;li&gt;PIA brings privacy responsibility clearly back to the proponent of a proposal. They must &amp;quot;own&amp;quot; any problems and devise appropriate responses in the design and planning phases. 
It also ensures that divisions within larger businesses recognise that their projects must not jeopardise the trust vested in the wider business.&lt;/li&gt;&lt;li&gt;PIA encourages cost-effective solutions since it is cheaper to do things at the design phase to meet privacy concerns than attempt to retrofit after a system is operational.&lt;/li&gt;&lt;li&gt;PIA can make the difference between an invasive and a privacy enhancing initiative, without compromising business objectives or adding significant costs.&lt;/li&gt;&lt;li&gt;The Privacy Commissioner can add value to the process by reviewing a privacy impact report, rather than having to investigate the practices of the business itself. This is cost effective for the Commissioner and less intrusive for a business.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;Significant risks to privacy exist in e-commerce and e-government. These risks must be confronted if trust and confidence are to prevail in the relationships with consumers and citizens. Until the hallmarks of trust and confidence are reflected in community perceptions, electronic service delivery will be impeded in realising its full potential.&lt;/p&gt;&lt;h3&gt;5. WHO SHOULD UNDERTAKE PRIVACY IMPACT ASSESSMENT?&lt;/h3&gt;&lt;p&gt;PIA is a technique that can be used by any agency handling personal information. The technique is especially suited to medium to large businesses and to government departments.&lt;/p&gt;&lt;p&gt;A variety of skills are required for undertaking an assessment and completing a privacy impact report, but a single individual need not possess them all. The person undertaking the assessment needs to have sound analytical and writing skills. He or she also needs to be familiar with information privacy and data protection approaches and analysis and the IPPs. 
If not personally possessing relevant technical skills or experience, the assessor would need to be able to absorb the paperwork associated with the project and to have an ability to get alongside technical people, to ask pertinent questions, be able to understand the answers and translate them into a report that can be understood by others. An enquiring mind and a talent for &amp;quot;lateral&amp;quot; thinking are valuable.&lt;/p&gt;&lt;p&gt;The person undertaking the assessment and writing the report will draw on the skills of others. Depending upon the nature of the project, the range of necessary skills might include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Policy development skills - including business-specific policy experience, broad strategic policy and planning skills and consultation skills.&lt;/li&gt;&lt;li&gt;Operational programme and business design skills - to examine proposals for the operational flow of the business, and analyse the feasibility, practicality, and efficiency of relevant aspects of the project and the responses to the privacy risks.&lt;/li&gt;&lt;li&gt;Technology and systems expertise - in the design attributes and operation of, for instance, mainframe and legacy systems, networking products, new Internet tools, system security, customer interface systems, financial or transactional settlement systems, or biometric tools.&lt;/li&gt;&lt;li&gt;Risk and compliance analysis skills - such as those associated with comprehensive financial and due diligence audits, and the emerging specialties related to computer system vulnerabilities.&lt;/li&gt;&lt;li&gt;Procedural and legal skills - relating to project authority, use of personal information, legal and institutional oversight mechanisms, statutory, regulatory and contractual options and potential legislative conflicts where several laws or jurisdictions are involved.&lt;/li&gt;&lt;li&gt;Information privacy and data protection expertise - relating to the Act, national or sectoral privacy laws in other 
jurisdictions, privacy provisions in relevant applicable statutes, national and international privacy standards, privacy enhancing technologies and current privacy developments.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;Unless people with the right competencies are used, it is likely that the assessment process will be more difficult and protracted than necessary. The resulting analysis and conclusions may be less sound or insightful.&lt;/p&gt;&lt;p&gt;There will be a number of choices available to the business about who will carry out the PIA. Sometimes most of the necessary skills will reside in the team assembled to develop the project itself. Experts with particular skills may be brought in to assist with certain aspects. An agency's Privacy Officer may undertake a coordinating or checking role.&lt;/p&gt;&lt;p&gt;Competent privacy expertise can be accessed in New Zealand and Australia and may be brought in even when most of the work will be done by the project team. The assessor will work closely alongside the project team to fully understand the business, the project, the risks and the appropriate responses. Where the PIA is solely undertaken internally, thought should be given to incorporating some external or independent oversight. One possibility is to use a privacy or data protection consultant to carry out such a check.&lt;/p&gt;&lt;p&gt;Another is to show the privacy impact report or a draft version of it to the Office of the Privacy Commissioner. While this is routinely done with government departments, a business intending to do so should discuss the matter in advance since the Commissioner may not be willing to consider the report on a confidential basis (the office is, for instance, subject to the Official Information Act 1982). Typically the Privacy Commissioner will be willing to receive a PIA for information and will have staff offer some feedback and constructive suggestions. 
If any of the content is commercially sensitive or otherwise confidential, this should be clearly marked. Showing the privacy impact report to the Commissioner does not affect an agency's obligation to comply with the Act, but the organisation will be seen as a responsible corporate citizen making diligent efforts to identify and mitigate privacy risks.&lt;/p&gt;&lt;p&gt;Certain projects will have significant privacy implications in more than one jurisdiction. Indeed, some initiatives will have truly global implications. In such cases, comment might be invited from the privacy commissioners of several countries before finalising the privacy impact report. A significant objective of a PIA in such projects may be to ensure that the project meets or exceeds the data protection and information privacy requirements in all the relevant countries and achieves a level of trust amongst consumers and regulators.&lt;/p&gt;&lt;p&gt;Occasionally the business that will ultimately use the proposed system will not itself undertake or commission the PIA. For instance, a software development company might commission an assessment of a new business computer program which will be made available commercially for others to use. In other cases a government body, an industry group, or an association of several organisations might commission a PIA for a project that may affect a number of businesses (such as a credit reporting system to be used by credit providers or a public health database into which medical practitioners might provide data). In these cases the PIA will contribute to solutions from which many businesses may benefit and to the trust which each needs in order to confidently share data.&lt;/p&gt;&lt;p&gt;If the planned projects are very similar, government departments, or affiliated businesses, should consider undertaking a generic or overarching PIA to avoid unnecessary duplication of effort.&lt;/p&gt;&lt;h3&gt;6. 
WHICH PROJECTS WARRANT PRIVACY IMPACT ASSESSMENT?&lt;/h3&gt;&lt;p&gt;Some projects are of such a scale or nature that the need for PIA is glaring. For example, a data-warehouse holding personal information on nearly all people in New Zealand would be an obvious candidate. Similarly, the application of cutting edge technology to an aspect of data processing where the effects are not widely understood or trusted by the public (for instance, requiring customers to undergo biometric identification to access a service). In other cases, the surveillance capacity or intrusiveness may be of such a nature as to make the merits of a PIA seem obvious. Virtually any project which will amass otherwise confidential information into accessible databases is a prime candidate for a PIA - and the technique has proved especially useful in the context of public health initiatives.&lt;/p&gt;&lt;p&gt;However, there will be many other more mundane, but nonetheless significant projects, which will benefit from PIA. 
For example:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;merging internal business databases to enable new forms of client profiling&lt;/li&gt;&lt;li&gt;centralising a multi-national company's employee records in New Zealand or elsewhere&lt;/li&gt;&lt;li&gt;changing the way information is collected in customer interface systems (for instance, adopting unattended kiosks, automated voice responses, smartcards, remote access tools).&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;PIA may be desirable to assess and address risks:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;arising from a new technology or the convergence of existing technologies (for instance, intelligent transportation systems, person-location or person-tracking using cellphone or GPS technologies, combining face-recognition and CCTV)&lt;/li&gt;&lt;li&gt;where a known privacy-intrusive technology is to be used in new circumstances (for instance, expanding data matching or drug testing, installing video surveillance in a workplace)&lt;/li&gt;&lt;li&gt;in a major endeavour or change in practice with significant privacy effects (for example, the merging of major public registries into a &amp;quot;super registry&amp;quot;, the adoption of new forms of required ID, shared access to other organisations' electronic data bases).&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;As part of a wider business privacy strategy, a business may adopt a PIA policy. A policy might include requiring a privacy impact report for new programmes or systems that involve significant collection, use or disclosure of personal information. Such a policy should also include a PIA for major changes to existing programmes. It would be unnecessary to undertake an assessment for minor changes to existing programmes or systems.&lt;/p&gt;&lt;p&gt;An organisation which intends to use assessment as an ongoing privacy management tool should establish a process for determining when a privacy impact report is required. 
This might include, for example, involving the organisation's Privacy Officer. It would also be feasible to prepare internal PIA templates or questionnaires tailored to the nature of the business and its internal policies.&lt;/p&gt;&lt;h3&gt;7. WHEN TO UNDERTAKE PRIVACY IMPACT ASSESSMENT?&lt;/h3&gt;&lt;p&gt;The ability to design system architecture which addresses actual or potential privacy concerns is dependent, to some extent, on early identification of privacy issues and risks. An understanding of the kinds of questions that will arise in the context of PIA, as well as a sense of where risk may lie, should therefore be incorporated into the early phases of the project and system development.&lt;/p&gt;&lt;p&gt;Ideally, full and detailed consideration of privacy issues should precede system design. However, sometimes it may only be possible to complete a PIA at later stages in the system development and acquisition phase. If so, the privacy impact report can be an evolving document which will become more detailed over time. Thus, even at the early stages in the diagram below, consideration may be given to the sources of potential risk. Responses can be refined in revised versions of the privacy impact report.&lt;/p&gt;&lt;p&gt;The early phase, prior to formally undertaking a PIA, may be referred to as preliminary privacy analysis. At this point, an attempt should be made to briefly document key features of the project and issues which have been identified without detailed study. Preliminary privacy analysis can assist by:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;informing the decision whether to prepare a privacy impact report&lt;/li&gt;&lt;li&gt;defining resource requirements (such as the skills that might be needed by an assessor, whether the task is small or large)&lt;/li&gt;&lt;li&gt;suggesting terms of reference for the assessment&lt;/li&gt;&lt;li&gt;providing a tool for initiating consultation with the Privacy Commissioner.&lt;/li&gt;&lt;/ul&gt;&lt;h3&gt;8. 
HOW TO UNDERTAKE PRIVACY IMPACT ASSESSMENT&lt;/h3&gt;&lt;p&gt;Once the organisation has undertaken a preliminary privacy analysis, selected a suitable person to prepare the report and drafted the terms of reference, it is ready to begin the assessment.&lt;/p&gt;&lt;p&gt;The terms of reference will describe the project to be assessed and explain how that should be integrated into the project timeline (for example, setting deadlines for the privacy impact report which fit with key project milestones). Sometimes the terms of reference will be fairly open-ended. In other cases it may be desirable to focus the assessment on particular aspects or to rule in or out particular alternatives. The terms of reference may also list resource people to whom the assessor should refer.&lt;/p&gt;&lt;p&gt;If the organisation does not have a clear practice on such matters, the terms of reference could also set out how a report is to be dealt with (for example, whether a draft should be provided to the Privacy Commissioner for comment and whether the completed privacy impact report will be made publicly available). Usually, there is merit in making completed privacy impact reports publicly available and organisations should consider posting the privacy impact report or a summary on their website. Openness about the findings can contribute to the maintenance of public trust and confidence in the organisation and can ensure that its fair practices and policies in relation to the handling of personal information are freely available.&lt;/p&gt;&lt;h3&gt;9. ELEMENTS OF A PRIVACY IMPACT REPORT&lt;/h3&gt;&lt;p&gt;There are a number of common elements that each PIA needs to cover. A table of contents for a typical privacy impact report is suggested below. A more detailed discussion of the contents follows, with suggestions about matters to be addressed and questions to be answered. 
It can be used as a checklist.&lt;/p&gt;&lt;h3&gt;TABLE OF CONTENTS FOR A TYPICAL PRIVACY IMPACT REPORT&lt;/h3&gt;&lt;p&gt;A. Introduction and overview&lt;br /&gt;B. Description of the project and information flows&lt;br /&gt;C. The privacy analysis:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Information collection and obtaining&lt;/li&gt;&lt;li&gt;Use, disclosure and retention of information&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;D. Privacy risk assessment&lt;br /&gt;E. Privacy enhancing responses&lt;br /&gt;F. Compliance mechanisms&lt;br /&gt;G. Conclusions&lt;/p&gt;&lt;p&gt;The questions and prompts below should be seen merely as a starting point: the subject matter of a particular project will suggest other matters that ought to be addressed. Some questions will not be relevant to a particular project and the privacy impact report should expressly state this (for instance, explaining that a proposal will not involve the use of any unique identifiers or transfers of information out of New Zealand).&lt;/p&gt;&lt;h4&gt;A. Introduction and overview&lt;/h4&gt;&lt;p&gt;A privacy impact report needs to be written in such a way that it will easily be understood by non-technical people. The report will be read by managers, decision-makers and stakeholders. The introduction will explain the assessment process undertaken and introduce readers to the structure of the report.&lt;/p&gt;&lt;p&gt;The overview may be the opportunity to explain aspects of the organisation's privacy management. It might outline a company's privacy policies or commitment to good standards of data protection. If it is a large organisation, the overview might explain relevant parts of the corporate structure. A public body might outline relevant statutory authorisations or constraints. The role and involvement of the Privacy Officer might be explained. Any reporting processes existing to ensure that management is informed of privacy issues could be outlined. 
The privacy impact report may be part of that process.&lt;/p&gt;&lt;p&gt;The privacy impact report should include certain basic details such as the identities of the authors, the date of the document and a glossary of any special terms used. It will also be useful to explain any assumptions underlying the assessment and set out the terms of reference.&lt;/p&gt;&lt;h4&gt;B. Description of the project and information flows&lt;/h4&gt;&lt;p&gt;A careful and accurate description of the project is of tremendous importance in a privacy impact report. Preparing good descriptive material can be challenging, since technical systems-specifications will need to be translated into ordinary language. It is important that the description remains accurate and is sufficiently precise and detailed. Appropriate flow charts can be extremely valuable.&lt;/p&gt;&lt;p&gt;Some suggestions:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Provide a summary of the project including a description of the needs that led to it.&lt;/li&gt;&lt;li&gt;Describe the information to be used in the project.&lt;/li&gt;&lt;li&gt;Provide diagrams depicting the flow of personal information. The flow charts should clearly illustrate how data is collected or obtained, how it circulates internally and how it is disseminated beyond the organisation. Supplementary flow charts might be useful to illustrate particular aspects such as access control and retention/destruction practices.&lt;/li&gt;&lt;li&gt;Explain who will have access to particular categories of personal information. Such explanations or diagrams will illustrate a &amp;quot;need to know&amp;quot; approach.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;C. The privacy analysis&lt;/h4&gt;&lt;p&gt;The privacy analysis will follow the information &amp;quot;life cycle&amp;quot; of collection and obtaining of personal information, through its use, retention, processing, disclosure and destruction. 
It will highlight how the project changes any previous information handling practice and how this may affect individuals. Although the analysis should not usually seek to present a legal opinion, it should highlight any area where there might be a problem in compliance with the IPPs. The report should not limit itself to compliance issues and should discuss and analyse the proposal with respect to the potential advantages and risks in information privacy terms and identify best practice wherever possible.&lt;/p&gt;&lt;p&gt;The privacy analysis works through issues of information collection and obtaining, then use, disclosure and retention of personal information, with a further section on risk assessment. This approach is simply one of several that are equally worthwhile. It is perfectly acceptable to integrate privacy risk assessment into the discussions of collection, use, disclosure and retention.&lt;/p&gt;&lt;p&gt;Naturally, the approach will be adapted to the issues at stake. In some cases the emphasis will be on only one or two issues.&lt;/p&gt;&lt;h4&gt;Collecting or obtaining information&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;Describe the personal information that is collected or obtained.&lt;/li&gt;&lt;li&gt;Indicate the source of each item of information.&lt;/li&gt;&lt;li&gt;Describe what information will be collected directly from the individual. 
Explain the circumstances and means of collecting (for instance, whether information is collected as part of an existing activity or transaction or whether there will be a specific collection for the purposes of the project).&lt;/li&gt;&lt;li&gt;Explain aspects of the project that are directed towards compliance with IPPs 1-4.&lt;/li&gt;&lt;li&gt;Where the information is collected as part of an existing process, explain the purposes for which information is currently obtained and how these will be changed as a result of the project.&lt;/li&gt;&lt;li&gt;Where the purposes differ from the current purposes, outline how the individuals concerned will be made aware of the new purposes. Might individuals be surprised or concerned by the new purposes? Is there any sensitivity associated with the collection directly from the individual through an existing process? Will it be mandatory or voluntary?&lt;/li&gt;&lt;li&gt;If information is to be collected from someone other than the individual concerned or obtained from some other database or source, explain how this is proposed to be done. Where information is to be obtained from an existing database, list the purposes for which information is held in that database and explain the extent to which the purposes of the project are compatible with those purposes.&lt;/li&gt;&lt;li&gt;If information is to be obtained indirectly, explain why direct collection from the individual is not planned.&lt;/li&gt;&lt;li&gt;Outline the proposed steps to make individuals aware of the project's purposes and use of the information.&lt;/li&gt;&lt;li&gt;Outline what authorisation is relied upon to obtain information. 
For instance, with a public body this might be a provision in a particular law or it might be based on the agreement of the individual concerned.&lt;/li&gt;&lt;li&gt;Are there special sensitivities about the information to be collected (for instance, racial origins or religious affiliations, information about children) or the means of collection (for instance, the use of biometrics, fingerprinting, video or audio-recording or the tracking of a person's location)?&lt;/li&gt;&lt;li&gt;If a website is involved, are cookies transmitted or received? Is behaviour-specific information in cookies used? Is there a documented procedure concerning the type of information logged or cached about customers?&lt;/li&gt;&lt;li&gt;Will unique identifiers be demanded, collected or otherwise involved in the collection process?&lt;/li&gt;&lt;li&gt;Is information to be sourced from public registers? If so, consider the public register privacy principles as well as the IPPs.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Use, disclosure and retention of information&lt;/h4&gt;&lt;p&gt;This will be an important part of any privacy impact report. The appropriate approach may vary considerably and the material below merely sets out typical matters to address. The nature of a particular project will dictate whether more or less attention needs to be paid to particular aspects of use, disclosure or retention.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Describe all intended uses of personal information. Indicate the purpose of each. Explain whether the purposes are consistent with those for which the information was collected or obtained.&lt;/li&gt;&lt;li&gt;In a similar way, describe and explain issues of disclosure.&lt;/li&gt;&lt;li&gt;Which staff, classes of personnel, agents or contractors will have access to the information? For what purposes? 
How will the access or disclosure be controlled?&lt;/li&gt;&lt;li&gt;How are individuals whose information is to be used or disclosed made aware of the purpose of that use or disclosure? Is their authority to be obtained? Are individuals permitted to opt out and if so how is that to be done?&lt;/li&gt;&lt;li&gt;Does the use of the information involve any information matching procedure? If so, the privacy impact report will need to consider some special issues if public bodies are involved. The Office of the Privacy Commissioner can provide further guidance but the privacy impact report will, in particular, need to consider the information matching guidelines in section 98 of the Act.&lt;/li&gt;&lt;li&gt;Are there special sensitivities about the uses? For instance, automated decision-making affecting individuals, surveillance or profiling. Might the uses lead to disciplinary action for individuals or some form of adverse outcome?&lt;/li&gt;&lt;li&gt;Will personal information be transferred outside New Zealand? If so, outline aspects of the transfer including details of the receiving country. Explain steps to be taken to protect the information and the interests of the people concerned.&lt;/li&gt;&lt;li&gt;If the Privacy Commissioner has issued a relevant code of practice, the privacy impact report should describe how the project will comply.&lt;/li&gt;&lt;li&gt;What are the retention and destruction practices?&lt;/li&gt;&lt;li&gt;Will unique identifiers or public register information be used?&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;D. Privacy risk assessment&lt;/h4&gt;&lt;p&gt;The risks of the project can now be summarised and assessed. (Alternatively, the risk assessment may be integrated into the privacy analysis of the collection and obtaining of personal information and its use, disclosure and retention. 
There may nonetheless be value in briefly summarising the results and comparing the identified risks in a single place.)&lt;/p&gt;&lt;p&gt;The risks associated with failing to address the privacy implications of a given proposal can take many forms, and may include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;failing to comply with either the letter or the spirit of the Act, or fair information practices generally, resulting in criticism from the public or Privacy Commissioner or complaints under the Act&lt;/li&gt;&lt;li&gt;stimulating public outcry as a result of a perceived loss of privacy or a failure to meet expectations regarding the protection of personal information&lt;/li&gt;&lt;li&gt;loss of credibility or public confidence when the public feels that a proposed project has not adequately considered or addressed privacy concerns&lt;/li&gt;&lt;li&gt;underestimating privacy requirements with the result that systems need to be redesigned or retro-fitted at considerable expense.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;An important consideration is the expectations of the general public, customers, clients or employees. Proposals may be subject to public criticism even where the requirements of the Act have been met. If people perceive their privacy is seriously at risk, they are unlikely to be satisfied by a company which justifies its actions merely by pointing out that technically it has not breached the law.&lt;/p&gt;&lt;p&gt;Risks to privacy can arise in many circumstances. Collecting excessive information, using intrusive means of collection, or obtaining sensitive details in unexpected circumstances all represent risks to the individual. Unexpected or unwelcome use or disclosure of that information, or its retention for an unduly long period, put privacy at risk. One task of the PIA is to sort out which risks are serious and which are trivial. 
The privacy impact report should identify the avoidable risks and suggest cost-effective measures to reduce them to an appropriate level.&lt;/p&gt;&lt;p&gt;Consider the following:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;How might individuals be affected by the risks identified?&lt;/li&gt;&lt;li&gt;What is the likelihood of the risks? What is the range of possible adverse outcomes from least to most severe?&lt;/li&gt;&lt;li&gt;Try to put yourself &amp;quot;in the shoes&amp;quot; of an affected person. How would an ordinary employee react if this scenario were to eventuate? Would a customer be surprised, or concerned, to see his or her details put to this use? If security were to be breached, or procedures not followed what might be the effect on individuals as a result?&lt;/li&gt;&lt;li&gt;Do the public or customers have heightened sensitivities about the data in the proposed system?&lt;/li&gt;&lt;li&gt;Will the information remain in New Zealand? If data were to be transferred outside New Zealand there are special sensitivities.&lt;/li&gt;&lt;li&gt;How might the Privacy Commissioner, or relevant statutory bodies or regulators, view the risks in question?&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;The report should include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;a description of specific privacy risks that have been identified&lt;/li&gt;&lt;li&gt;an analysis of options considered to lessen or avoid those risks&lt;/li&gt;&lt;li&gt;a list of any residual risks that cannot be resolved and an analysis of the possible implications of those risks in terms of the effects on individuals, public or stakeholder reaction and the project's success.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;E. Privacy enhancing responses&lt;/h4&gt;&lt;p&gt;Having identified any privacy risks associated with the proposal, what is to be done? Suitable responses can range from doing nothing, through to abandoning the project altogether. For most projects, the response is likely to be somewhere in the middle. 
There will typically be privacy risks associated with the proposal justifying a management or technical response. PIA provides a way to select from a range of privacy enhancing responses appropriate to the identified risks.&lt;/p&gt;&lt;h5&gt;Security responses&lt;/h5&gt;&lt;p&gt;One set of privacy enhancing responses will involve security safeguards appropriate to the sensitivity of the information and the particular data handling practices. IPP5 requires that all reasonable steps be taken to ensure that personal information held by an agency is protected against loss, unauthorised access, use, modification or disclosure, or other misuse. The security measures should respond to the risks as identified in the privacy impact report. The OECD has coined a &amp;quot;proportionality principle&amp;quot; in its guidelines on protection of information systems which states:&lt;/p&gt;&lt;blockquote&gt;Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of, and degree of reliance on, the information systems and to the severity, probability and extent of potential harm, as the requirements for security vary depending upon the particular information systems.&lt;/blockquote&gt;&lt;p&gt;&lt;br /&gt;Privacy impact assessment does not seek merely to identify the strongest information security. It seeks to identify the most appropriate levels of security. A privacy impact report should canvass the options available to address a particular privacy risk and provide supporting reasoning and information about any conclusions or recommendations on security safeguards.&lt;/p&gt;&lt;h5&gt;Other privacy responses&lt;/h5&gt;&lt;p&gt;Examining privacy enhancing responses to the identified risks does not simply involve a recitation of encryption levels, access controls and other security features. It should also address the information and management needs of the project. 
Does the business really need to know a particularly sensitive item of information or can it proceed without it? Are the organisation's interests best served by adding transaction data to its data warehouse or should it be erased when no longer needed? Should a particular use of information only proceed if a customer or employee opts in rather than operating on an opt-out basis?&lt;/p&gt;&lt;p&gt;One significant question is often not asked at all: does the business need personal information about identifiable people to fulfil its purposes? There is now a range of technologies available which allow for financial transactions to be completed electronically on an anonymous basis (sometimes referred to as Privacy Enhancing Technologies or PETs).&lt;/p&gt;&lt;p&gt;As a starting point, the following points may be considered:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Have security procedures for the collection, transmission, storage and disposal of personal information, and access to them, been documented? The PIA should give special attention to the security procedures relating to the areas that have been found to constitute a risk.&lt;/li&gt;&lt;li&gt;Are privacy controls in place for the project? For instance, &amp;quot;need to know&amp;quot; policies and procedures for personal information access, physical security and access controls, IT security and access controls.&lt;/li&gt;&lt;li&gt;Have technological tools and system design techniques been considered which may enhance both privacy and security (e.g. encryption, technologies of anonymity or pseudonymity, PETs)?&lt;/li&gt;&lt;li&gt;Has there been an expert review of all the security risks and the reasonableness of countermeasures to secure the system against unauthorised or improper collection, access, modification, use, disclosure and disposal?&lt;/li&gt;&lt;li&gt;Have staff been trained in requirements for protecting personal information and are they aware of policies regarding breaches of security or confidentiality? 
Are there plans for updated training as a result of the project under review?&lt;/li&gt;&lt;li&gt;Are there authorisation controls defining which staff may add, change or delete information from records?&lt;/li&gt;&lt;li&gt;Is the system designed so that access and changes to data can be audited by date and user identification? Does the system &amp;quot;footprint&amp;quot; inspection of records and provide an audit trail?&lt;/li&gt;&lt;li&gt;Are user accounts, access rights and security authorisations controlled and recorded by an accountable systems or records management process?&lt;/li&gt;&lt;li&gt;Are access rights only provided to users who actually require access for the stated purposes of collection or consistent purposes? Is user access to personal information limited to that required to discharge the assigned functions?&lt;/li&gt;&lt;li&gt;Are the security measures commensurate with the sensitivity of the information recorded?&lt;/li&gt;&lt;li&gt;Are there contingency plans and mechanisms in place to identify security breaches or disclosures of personal information in error? Are there mechanisms in place to notify security breaches to relevant parties to enable them to mitigate collateral risks?&lt;/li&gt;&lt;li&gt;Are there adequate ongoing resources budgeted for security upgrades with performance indicators in systems maintenance plans?&lt;/li&gt;&lt;li&gt;What steps are to be taken to make affected individuals aware of the project as it affects their information? Is this to be a one-off exercise or are there ongoing implications?&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;F. Compliance mechanisms&lt;/h4&gt;&lt;p&gt;A PIA should also consider how the privacy risks of the project will continue to be appropriately controlled into the future. If an agency already has good privacy compliance processes in place it may be a simple matter of slotting this project into them. 
A pro-active business or government agency may, for example, have an effective Privacy Officer or privacy team and an existing business-wide programme of compliance audits. However, if there is no well developed existing structure in place for privacy management the privacy impact report should canvass the future privacy management of the project.&lt;/p&gt;&lt;p&gt;The privacy impact report remains relevant for the project as long as the fundamental assumptions upon which it was based remain unchanged. However, what happens if an important part of the system is redesigned after completion of the privacy impact report or if external circumstances, such as customer expectations, significantly change? Experience may also show that faith in a particular safeguard was misplaced. Can privacy be effectively protected if there is no response to such new information?&lt;/p&gt;&lt;p&gt;Systems design is a dynamic process. Change may be likely if a privacy impact report is completed before a project &amp;quot;goes live&amp;quot;. However, the privacy impact report must be completed before this point if it is to be useful in project decision-making. It may be appropriate to produce an interim privacy impact report followed by a final report. Alternatively, a completed report may be followed by a revised privacy impact report. 
For relatively minor changes it may be sufficient to attach a small addendum, noting the relevant change and analysing the implications (if any), so that this may be read with the original privacy impact report.&lt;/p&gt;&lt;p&gt;Consider:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Have arrangements been made for audit, compliance and enforcement mechanisms for the proposed project, including fulfilling the commitments made by management following adoption of the privacy impact report?&lt;/li&gt;&lt;li&gt;Has a procedure been established to log and periodically review complaints and their resolution with a view to improving information management practices and standards?&lt;/li&gt;&lt;li&gt;Does the business have a policy to require significant future changes to the system to be subject to PIA?&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;G. Conclusions&lt;/h4&gt;&lt;p&gt;While the format of the summary will vary depending on the organisation's needs and the nature of the proposal, it might convey some of the following information:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Description of the proposal including objectives, parties involved, timing and key milestones, resource requirements, benefits to the business or public, and pointers to more detailed information about the proposal.&lt;/li&gt;&lt;li&gt;List of relevant privacy requirements including applicable law, business policies and codes of practice.&lt;/li&gt;&lt;li&gt;The specific privacy risks.&lt;/li&gt;&lt;li&gt;Options for addressing or mitigating those risks, along with the implications of principal options examined.&lt;/li&gt;&lt;li&gt;Brief analysis of experience in other organisations, in New Zealand or elsewhere, which have addressed similar risks and whether their approaches were successful.&lt;/li&gt;&lt;li&gt;Identification of any residual risks that cannot be addressed through the proposed options and, where possible, the likely implications of those residual risks in terms of public reaction, project success and other business 
interests;&lt;/li&gt;&lt;li&gt;A proposed privacy communications strategy, where appropriate, so that stakeholders are effectively informed.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;Appendices may be used to improve readability. For instance, a brief discussion or summary of an aspect of data processing may be sufficient in the body of the privacy impact report with fuller details in an appendix. A table summarising and comparing issues that have been dealt with in various places in the report could be brought together in a conclusion or appendix. The appendix also provides a place to attach or list relevant documentation that the assessor has taken into account.&lt;/p&gt;&lt;h3&gt;10. PRIVACY IMPACT ASSESSMENT - THE PAY-OFF&lt;/h3&gt;&lt;p&gt;The cost of preparing a privacy impact report can be justified.&lt;/p&gt;&lt;h4&gt;Building trust in electronic service delivery and maintaining competitive advantage&lt;/h4&gt;&lt;p&gt;&lt;br /&gt;Demonstrating that privacy interests will be appropriately managed in a particular project offers a means of building and sustaining high levels of trust and confidence in e-commerce and e-government. If privacy practice and the protection of personal information are exemplary this will reflect favourably upon the organisation's reputation. It may also facilitate growth by reinforcing loyalty and expanding the customer base. The use of PIA in important projects demonstrates a seriousness about fair information practices.&lt;/p&gt;&lt;p&gt;Businesses who are able to sustain a high level of trust and confidence can differentiate themselves from their rivals. Differentiation not only adds value to brands and their position in the marketplace, but also offers a competitive advantage.&lt;/p&gt;&lt;h4&gt;Pro-active approach to privacy risk management&lt;/h4&gt;&lt;p&gt;Privacy risks certainly exist in relation to e-commerce and e-government. 
There is every indication that the litigation risk will escalate and with some businesses this will not originate in New Zealand but from customers overseas. On a business-to-business basis, affiliates and others dealing with New Zealand-based electronic traders will increasingly seek tangible proof of compliance with privacy policies and commitment to data protection principles. Preparation of a privacy impact report is part of a demonstration of this. An investment in a privacy impact report may be regarded as one strategy for managing privacy risk.&lt;/p&gt;&lt;h4&gt;The human factor&lt;/h4&gt;&lt;p&gt;Senior management need to provide clear leadership on privacy issues in the new electronic environments. This can be achieved by championing a culture that is respectful of customers and citizens and implements effective privacy policies. Employing PIA on significant systems is one such policy. Inadequate leadership in this area will result in an environment in which employee judgment calls will substitute for thoughtful policies and best practice procedures. PIA can help management to identify and minimise risks.&lt;/p&gt;&lt;h3&gt;11. APPENDICES&lt;/h3&gt;&lt;h4&gt;A. 
THE INFORMATION PRIVACY PRINCIPLES&lt;/h4&gt;&lt;p&gt;&lt;br /&gt;Principle 1: Purpose of collection of personal information&lt;/p&gt;&lt;p&gt;Personal information shall not be collected by any agency unless-&lt;/p&gt;&lt;p&gt;(a) The information is collected for a lawful purpose connected with a function or activity of the agency; and&lt;br /&gt;(b) The collection of the information is necessary for that purpose.&lt;/p&gt;&lt;p&gt;Principle 2: Source of personal information&lt;/p&gt;&lt;p&gt;(1) Where an agency collects personal information, the agency shall collect the information directly from the individual concerned.&lt;br /&gt;(2) It is not necessary for an agency to comply with subclause (1) of this principle if the agency believes, on reasonable grounds,-&lt;br /&gt;(a) That the information is publicly available information; or&lt;br /&gt;(b) That the individual concerned authorises collection of the information from someone else; or&lt;br /&gt;(c) That non-compliance would not prejudice the interests of the individual concerned; or&lt;br /&gt;(d) That non-compliance is necessary-&lt;br /&gt;(i) To avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or&lt;br /&gt;(ii) For the enforcement of a law imposing a pecuniary penalty; or&lt;br /&gt;(iii) For the protection of the public revenue; or&lt;br /&gt;(iv) For the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or&lt;br /&gt;(e) That compliance would prejudice the purposes of the collection; or&lt;br /&gt;(f) That compliance is not reasonably practicable in the circumstances of the particular case; or&lt;br /&gt;(g) That the information-&lt;br /&gt;(i) Will not be used in a form in which the individual concerned is identified; or&lt;br /&gt;(ii) Will be used for statistical or research purposes and will not be 
published in a form that could reasonably be expected to identify the individual concerned; or&lt;br /&gt;(h) That the collection of the information is in accordance with an authority granted under section 54 of this Act.&lt;/p&gt;&lt;p&gt;Principle 3: Collection of information from subject&lt;/p&gt;&lt;p&gt;(1) Where an agency collects personal information directly from the individual concerned, the agency shall take such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of -&lt;br /&gt;(a) The fact that the information is being collected; and&lt;br /&gt;(b) The purpose for which the information is being collected; and&lt;br /&gt;(c) The intended recipients of the information; and&lt;br /&gt;(d) The name and address of -&lt;br /&gt;(i) The agency that is collecting the information; and&lt;br /&gt;(ii) The agency that will hold the information; and&lt;br /&gt;(e) If the collection of the information is authorised or required by or under law -&lt;br /&gt;(i) The particular law by or under which the collection of the information is so authorised or required; and&lt;br /&gt;(ii) Whether or not the supply of the information by that individual is voluntary or mandatory; and&lt;br /&gt;(f) The consequences (if any) for that individual if all or any part of the requested information is not provided; and&lt;br /&gt;(g) The rights of access to, and correction of, personal information provided by these principles.&lt;/p&gt;&lt;p&gt;(2) The steps referred to in subclause (1) of this principle shall be taken before the information is collected or, if that is not practicable, as soon as practicable after the information is collected.&lt;/p&gt;&lt;p&gt;(3) An agency is not required to take the steps referred to in subclause (1) of this principle in relation to the collection of information from an individual if that agency has taken those steps in relation to the collection, from that individual, of the same information or 
information of the same kind, on a recent previous occasion.&lt;/p&gt;&lt;p&gt;(4) It is not necessary for an agency to comply with subclause (1) of this principle if the agency believes, on reasonable grounds -&lt;br /&gt;(a) That non-compliance is authorised by the individual concerned; or&lt;br /&gt;(b) That non-compliance would not prejudice the interests of the individual concerned; or&lt;br /&gt;(c) That non-compliance is necessary -&lt;br /&gt;(i) To avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or&lt;br /&gt;(ii) For the enforcement of a law imposing a pecuniary penalty; or&lt;br /&gt;(iii) For the protection of the public revenue; or&lt;br /&gt;(iv) For the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or&lt;br /&gt;(d) That compliance would prejudice the purposes of the collection; or&lt;br /&gt;(e) That compliance is not reasonably practicable in the circumstances of the particular case; or&lt;br /&gt;(f) That the information -&lt;br /&gt;(i) Will not be used in a form in which the individual concerned is identified; or&lt;br /&gt;(ii) Will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.&lt;/p&gt;&lt;p&gt;Principle 4: Manner of collection of personal information&lt;/p&gt;&lt;p&gt;Personal information shall not be collected by an agency-&lt;br /&gt;(a) By unlawful means; or&lt;br /&gt;(b) By means that, in the circumstances of the case, -&lt;br /&gt;(i) Are unfair; or&lt;br /&gt;(ii) Intrude to an unreasonable extent upon the personal affairs of the individual concerned.&lt;/p&gt;&lt;p&gt;Principle 5: Storage and security of personal information&lt;/p&gt;&lt;p&gt;An agency that holds personal information shall ensure -&lt;br /&gt;(a) That the 
information is protected, by such security safeguards as it is reasonable in the circumstances to take, against -&lt;br /&gt;(i) Loss; and&lt;br /&gt;(ii) Access, use, modification or disclosure, except with the authority of the agency that holds the information; and&lt;br /&gt;(iii) Other misuse; and&lt;br /&gt;(b) That if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.&lt;/p&gt;&lt;p&gt;Principle 6: Access to personal information&lt;/p&gt;&lt;p&gt;(1) Where an agency holds personal information in such a way that it can readily be retrieved, the individual concerned shall be entitled -&lt;br /&gt;(a) To obtain from the agency confirmation of whether or not the agency holds such personal information; and&lt;br /&gt;(b) To have access to that information.&lt;/p&gt;&lt;p&gt;(2) Where, in accordance with subclause (1)(b) of this principle, an individual is given access to personal information, the individual shall be advised that, under principle 7, the individual may request the correction of that information.&lt;/p&gt;&lt;p&gt;(3) The application of this principle is subject to the provisions of Parts IV and V of this Act.&lt;/p&gt;&lt;p&gt;Principle 7: Correction of personal information&lt;/p&gt;&lt;p&gt;(1) Where an agency holds personal information, the individual concerned shall be entitled -&lt;br /&gt;(a) To request correction of the information; and&lt;br /&gt;(b) To request that there be attached to the information a statement of the correction sought but not made.&lt;/p&gt;&lt;p&gt;(2) An agency that holds personal information shall, if so requested by the individual concerned or on its own initiative, take such steps (if any) to correct that information as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which 
the information may lawfully be used, the information is accurate, up to date, complete, and not misleading.&lt;/p&gt;&lt;p&gt;(3) Where an agency that holds personal information is not willing to correct that information in accordance with a request by the individual concerned, the agency shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the information, in such a manner that it will always be read with the information, any statement provided by that individual of the correction sought.&lt;/p&gt;&lt;p&gt;(4) Where the agency has taken steps under subclause (2) or subclause (3) of this principle, the agency shall, if reasonably practicable, inform each person or body or agency to whom the personal information has been disclosed of those steps.&lt;/p&gt;&lt;p&gt;(5) Where an agency receives a request made pursuant to subclause (1) of this principle, the agency shall inform the individual concerned of the action taken as a result of the request.&lt;/p&gt;&lt;p&gt;Principle 8: Accuracy, etc., of personal information to be checked before use&lt;/p&gt;&lt;p&gt;An agency that holds information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.&lt;/p&gt;&lt;p&gt;Principle 9: Agency not to keep personal information for longer than necessary&lt;/p&gt;&lt;p&gt;An agency that holds personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.&lt;/p&gt;&lt;p&gt;Principle 10: Limits on use of personal information&lt;/p&gt;&lt;p&gt;An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose unless the agency 
believes, on reasonable grounds,-&lt;br /&gt;(a) That the source of the information is a publicly available publication; or&lt;br /&gt;(b) That the use of the information for that other purpose is authorised by the individual concerned; or&lt;br /&gt;(c) That non-compliance is necessary -&lt;br /&gt;(i) To avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or&lt;br /&gt;(ii) For the enforcement of a law imposing a pecuniary penalty; or&lt;br /&gt;(iii) For the protection of the public revenue; or&lt;br /&gt;(iv) For the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or&lt;br /&gt;(d) That the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to-&lt;br /&gt;(i) Public health or public safety; or&lt;br /&gt;(ii) The life or health of the individual concerned or another individual; or&lt;br /&gt;(e) That the purpose for which the information is used is directly related to the purpose in connection with which the information was obtained; or&lt;br /&gt;(f) That the information-&lt;br /&gt;(i) Is used in a form in which the individual concerned is not identified; or&lt;br /&gt;(ii) Is used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or&lt;br /&gt;(g) That the use of the information is in accordance with an authority granted under section 54 of this Act.&lt;/p&gt;&lt;p&gt;Principle 11: Limits on disclosure of personal information&lt;/p&gt;&lt;p&gt;An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds -&lt;br /&gt;(a) That the disclosure of the information is one of the purposes in connection with which the 
information was obtained or is directly related to the purposes in connection with which the information was obtained; or&lt;br /&gt;(b) That the source of the information is a publicly available publication; or&lt;br /&gt;(c) That the disclosure is to the individual concerned; or&lt;br /&gt;(d) That the disclosure is authorised by the individual concerned; or&lt;br /&gt;(e) That non-compliance is necessary -&lt;br /&gt;(i) To avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, investigation, prosecution, and punishment of offences; or&lt;br /&gt;(ii) For the enforcement of the law imposing a pecuniary penalty; or&lt;br /&gt;(iii) For the protection of the public revenue; or&lt;br /&gt;(iv) For the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or&lt;br /&gt;(f) That the disclosure of the information is necessary to prevent or lessen a serious and imminent threat to-&lt;br /&gt;(i) Public health or public safety; or&lt;br /&gt;(ii) The life or health of the individual concerned or another individual; or&lt;br /&gt;(g) That the disclosure of the information is necessary to facilitate the sale or other disposition of a business as a going concern; or&lt;br /&gt;(h) That the information -&lt;br /&gt;(i) Is to be used in a form in which the individual concerned is not identified; or&lt;br /&gt;(ii) Is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or&lt;br /&gt;(i) That the disclosure of the information is in accordance with an authority granted under section 54 of this Act.&lt;/p&gt;&lt;p&gt;Principle 12: Unique Identifiers&lt;/p&gt;&lt;p&gt;(1) An agency shall not assign a unique identifier to an individual unless the assignment of that identifier is necessary to enable the agency to carry out any one or more of its functions 
efficiently.&lt;br /&gt;(2) An agency shall not assign to an individual a unique identifier that, to that agency's knowledge, has been assigned to that individual by another agency, unless those two agencies are associated persons within the meaning of section OD7 of the Income Tax Act 1994.&lt;br /&gt;(3) An agency that assigns unique identifiers to individuals shall take all reasonable steps to ensure that unique identifiers are assigned only to individuals whose identity is clearly established.&lt;br /&gt;(4) An agency shall not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or for a purpose that is directly related to one of those purposes.&lt;/p&gt;&lt;h4&gt;B. BIBLIOGRAPHY&lt;/h4&gt;&lt;p&gt;New Zealand materials&lt;/p&gt;&lt;p&gt;There are a number of books and other resources available on the Act and only a few are listed here. Current information can be obtained from the Privacy Commissioner's website and by contacting the privacy enquiries line.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Privacy Commissioner's website: www.privacy.org.nz&lt;/li&gt;&lt;li&gt;Privacy enquiries line: 0800 803 909&lt;/li&gt;&lt;li&gt;Elizabeth Longworth and Tim McBride, The Privacy Act: A Guide, 1994&lt;/li&gt;&lt;li&gt;Dr Paul Roth, Privacy Law and Practice, Butterworths, two volume loose-leaf service.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;Published articles&lt;/p&gt;&lt;p&gt;The following articles each provide a slightly different perspective on PIA. 
Readers having difficulty locating the articles can obtain copies from the Office of the Privacy Commissioner.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;David Flaherty, &amp;quot;Privacy Impact Assessment: An essential tool for data protection&amp;quot;, 7/5 &lt;em&gt;Privacy Law &amp;amp; Policy Reporter&lt;/em&gt;, October 2000, 85.&lt;/li&gt;&lt;li&gt;Blair Stewart (ed), &amp;quot;PIAs - An early warning system&amp;quot;, 3/7 &lt;em&gt;Privacy Law and Policy Reporter&lt;/em&gt;, November 1996, 134. This is an edited account of a conference panel session featuring Blair Stewart, Elizabeth Longworth, David Flaherty and Nigel Waters.&lt;/li&gt;&lt;li&gt;Blair Stewart, &amp;quot;Privacy Impact Assessment: Towards a better informed process for evaluating privacy issues arising from new technologies&amp;quot;, 5/8 &lt;em&gt;Privacy Law &amp;amp; Policy Reporter&lt;/em&gt;, February 1999, 147.&lt;/li&gt;&lt;li&gt;Blair Stewart, &amp;quot;Privacy Impact Assessment: Some approaches, issues and examples&amp;quot;, in Hong Kong Privacy Commissioner for Personal Data, &lt;em&gt;E-Privacy in the New Economy: Conference Presentations&lt;/em&gt;, March 2001, 67. This article listed more than 55 PIAs prepared between 1997 and 2001 in Hong Kong, Canada and New Zealand.&amp;nbsp; A few are available on the Internet and many on request from the organisations concerned.&lt;/li&gt;&lt;li&gt;Nigel Waters, &amp;quot;Privacy Impact Assessment - Traps for the unwary&amp;quot;, 7/8 &lt;em&gt;Privacy Law &amp;amp; Policy Reporter&lt;/em&gt;, February 2001, 161.&lt;/li&gt;&lt;li&gt;Frank White, &amp;quot;The Use of Privacy Impact Assessments in Canada&amp;quot;, 4/7-8 &lt;em&gt;Privacy Files&lt;/em&gt;, 2001.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;</description>
			<pubDate>Fri, 12 May 2006 11:32:15 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz./privacy-impact-assessment-handbook/</guid>
		</item>
		
		<item>
			<title>Guidance Note for Departments Seeking Legislative Provision for Information Matching</title>
			<link>http://www.privacy.org.nz./guidance-note-for-departments-seeking-legislative-provision-for-information-matching/</link>
			<description>&lt;h4&gt;Information Matching Privacy Impact Assessments&lt;/h4&gt;&lt;p&gt;&lt;br /&gt;16 May 2008&lt;/p&gt;&lt;p&gt;OFFICE OF THE PRIVACY COMMISSIONER&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1. Introduction&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1.1&lt;/strong&gt; Information matching - or data matching as it is called overseas - is an application of computer technology which carries particular privacy risks. Its use warrants careful scrutiny. Guidelines and rules have been developed and incorporated into law as part of the Privacy Act which seek to identify those circumstances where information matching is most clearly justified in the public interest notwithstanding some detriment to individual privacy.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1.2&lt;/strong&gt; Experience overseas and in New Zealand has been that the benefits of information matching are often exaggerated and the costs underestimated. The guidelines therefore also try to ensure that the benefits of a particular proposal outweigh the costs. The guidelines and rules also ensure that any information matching is undertaken in a way that minimises the effect on privacy through careful data management and respect for individual rights. &lt;/p&gt;&lt;p&gt;&lt;strong&gt;1.3&lt;/strong&gt; Consultation with key stakeholders is central to the privacy impact assessment process as it helps to ensure that key issues are noted, addressed and communicated.&amp;nbsp;Consideration should be given to a privacy impact assessment which includes working with public reference groups. This can help foster broad community awareness and confidence in the proposal.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1.4&lt;/strong&gt; The note is directed towards the &lt;em&gt;process&lt;/em&gt; that departments should follow in proposing an information matching programme and in pursuing legislative authority to undertake such matching. 
It does not describe information matching&amp;sup1; or explain how it should be carried out.&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;1.5&lt;/strong&gt; This note should be read together with:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Part X of the Privacy Act 1993;&amp;sup2; &lt;/li&gt;&lt;li&gt;the information matching guidelines (copy appended);&amp;sup3;&lt;/li&gt;&lt;li&gt;the information matching rules.&lt;span&gt;4&lt;/span&gt; &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;1.6&lt;/strong&gt; Reference may also be had to:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;reports submitted by the Privacy Commissioner to the Minister of Justice on proposed information matching programmes;&lt;/li&gt;&lt;li&gt;the Commissioner&amp;rsquo;s annual reports. &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Further details of such resources are given at part 6 below.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. Cabinet office requirements&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;2.1&lt;/strong&gt; The guide to Cabinet and Cabinet Committee Processes, accessible via &lt;a href=&quot;http://cabguide.cabinetoffice.govt.nz/&quot;&gt;http://cabguide.cabinetoffice.govt.nz/&lt;/a&gt; requires a Minister to indicate whether a proposed&amp;nbsp;bill or regulation complies with the principles and guidelines set out in the Privacy Act and, if the bill or regulation raises privacy issues, to indicate whether the Privacy Commissioner agrees that it complies with all relevant principles. &lt;/p&gt;&lt;p&gt;&lt;strong&gt;2.2&lt;/strong&gt; Departments should undertake an analysis of any information matching proposal in terms of the information matching guidelines at an early stage in the public policy making process. The benefits of doing so, regardless of the ultimate outcome, are quite obvious. 
If a problem is encountered in relation to the information matching guidelines it is as well that this be identified at an early stage so that the appropriate responses can be considered by departments in the first instance and, later, if necessary, by the Commissioner and Ministers.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;3. Examination of proposed legislation by Privacy Commissioner&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;3.1&lt;/strong&gt; The Privacy Commissioner has the express function under s.13(1)(f) of the Privacy Act (copy appended) to examine any proposed legislation which provides for the collection or disclosure of personal information which might be used for the purposes of an information matching programme. The Commissioner is to report the results of the examination to the Minister of Justice. The Commissioner is directed to have particular regard, in carrying out that examination, to the information matching guidelines set out in s.98 of the Act. &lt;/p&gt;&lt;p&gt;&lt;strong&gt;3.2&lt;/strong&gt; The Privacy Commissioner is required to carry out the functions under s.13(1)(f) in relation to &amp;ldquo;proposed legislation&amp;rdquo;. It will only be possible for the Privacy Commissioner to &lt;em&gt;complete&lt;/em&gt; such an examination when the form of that proposed legislation has been settled. At the very latest, this will be where a bill has been introduced to Parliament. However, depending upon the Parliamentary timetable it may be possible for the detail of the legislation to be known in draft form between the time that its introduction has been approved by Cabinet but before actually being introduced into the House. In some cases this will be an ideal time for the examination to be carried out. Departmental co-operation at that point, and at earlier stages, will assist to ensure that the ability to complete the examination does not delay passage of the legislation. 
&lt;/p&gt;&lt;p&gt;&lt;strong&gt;3.3&lt;/strong&gt; To facilitate the Commissioner&amp;rsquo;s examination of a proposal in terms of the information matching guidelines it is recommended that a Department prepare its own written assessment of the proposal in terms of each of the guidelines. This assessment document is referred to in this note as an &amp;ldquo;Information Matching Privacy Impact Assessment&amp;rdquo; or &amp;ldquo;IMPIA&amp;rdquo;. In relation to the Commissioner&amp;rsquo;s function to examine information matching proposals, it is suggested that the department seeking legislative authority should produce this to the Commissioner. The preparation and supply of a written Privacy Impact Assessment will greatly assist in completing these tasks and in ensuring that any department&amp;rsquo;s proposal for information matching has been fully considered in terms of the guidelines.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;4. Information Matching Privacy Impact Assessment&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;4.1&lt;/strong&gt; A privacy impact assessment document is useful for several reasons. It may serve as an internal working document at an early stage of a programme&amp;rsquo;s development, for example when a proposal is discussed with a department&amp;rsquo;s own Minister or other officials and when options are being evaluated. The document will also have a value in relation to informal discussions with the Privacy Commissioner and her staff before final decisions are made to commit to a matching programme or before finalising its exact shape. At the later stages of a proposal&amp;rsquo;s development the document may be useful in relation to the preparation of cabinet committee papers. 
An assessment document will certainly be of assistance in explaining a department&amp;rsquo;s position when the Privacy Commissioner undertakes her examination under s.13(1)(f).&lt;/p&gt;&lt;p&gt;&lt;strong&gt;4.2&lt;/strong&gt; An assessment document should include the details set out in appendix B.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;4.3&lt;/strong&gt; Two copies of the assessment are required at the time the Commissioner&amp;rsquo;s examination under s.13(1)(f) is undertaken. One is for the Commissioner&amp;rsquo;s permanent record and one will be submitted with the Commissioner&amp;rsquo;s report to the Minister of Justice. An electronic version is also desired for internal use.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;4.4&lt;/strong&gt; In some cases the Commissioner may accept assurances contained in the assessment document and not enquire further. For this reason, it is essential for the Commissioner to receive an assessment document signed off by a person of sufficient authority in the department to assure the Commissioner that it represents the intentions of the department and that undertakings will be carried out. Normally the Commissioner will expect an assessment document to be signed off by the Chief Executive of all departments involved. In other cases, the Chief Executive might write to the Privacy Commissioner indicating the officials who will be working on the assessment and the senior official who will sign off the document, having the authority of the department to do so. &lt;/p&gt;&lt;p&gt;&lt;strong&gt;5. Liaison with the Office of the Privacy Commissioner&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;5.1&lt;/strong&gt; It is not necessary to involve the Privacy Commissioner in all stages of the development of an information matching proposal since some proposals may be considered and rejected for departmental reasons. 
However, where a proposal is not immediately rejected it will make sense, in most cases, for a department to make early contact with the Commissioner to give a preliminary indication as to its intention. Formal contact should commence with a letter to the Privacy Commissioner. Later contact is likely to be with the Assistant Commissioner and staff assisting her.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;5.2&lt;/strong&gt; Liaison with the Commissioner&amp;rsquo;s office will be of value while an IMPIA is under preparation. Although the Commissioner&amp;rsquo;s staff will not indicate concluded views they may be able to give indications as to likely concerns and help isolate issues. Discussions could assist to dispel concerns as to privacy aspects or to suggest some course of action, such as a limitation of the scope of a proposal or the undertaking of a pilot match, to meet privacy concerns.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;5.3&lt;/strong&gt; Following enactment of an information matching provision, there will need to be continuing departmental liaison with the Office of the Privacy Commissioner in respect of implementation and reporting issues arising under Part X of the Act. Departments must ensure that implementation remains consistent with the assurances given in the IMPIA and should keep the Commissioner&amp;rsquo;s office informed of any significant operational changes planned.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;6. Further Information&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;6.1 When the Privacy Commissioner reports the results of an examination of a matching proposal to the Minister there is often detailed comment upon aspects of the information matching guidelines and rules. Awareness of what the Commissioner has said on previous occasions in respect of the guidelines and matching rules will assist officials preparing IMPIAs. 
Copies of the reports from October 1995 - March 1998 have been combined into a convenient compilation.&lt;span&gt;5&amp;nbsp;&lt;/span&gt;Later reports are available individually. The Office of the Privacy Commissioner has also extracted comment from various reports and included it in a resource document for the assistance of officials preparing assessments.6 &lt;/p&gt;&lt;p&gt;&lt;strong&gt;6.2&lt;/strong&gt; Officials are welcome to telephone the Commissioner&amp;rsquo;s office if they wish to speak to someone about an information matching matter or in regard to the preparation of an assessment document. It is suggested that enquiries be directed as follows:&lt;br /&gt;&lt;br /&gt;&amp;bull; consultation on any proposal to Cabinet to obtain authorisation for a new matching programme or to amend an existing information matching provision, preparation of an IMPIA &amp;ndash; Data Matching Compliance Adviser or the Team Leader Technology;&lt;br /&gt;&amp;bull; preparation of reporting formats, implementation of authorised programmes, monitoring of existing information matching programmes &amp;ndash; Data Matching Compliance Adviser or the Team Leader Technology.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Appendix A&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Extracts from the Privacy Act 1993&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;13. 
Functions of Commissioner&lt;/strong&gt; - (1) The functions of the Commissioner shall be - ...&lt;br /&gt;(f) To examine any proposed legislation that makes provision for-&lt;br /&gt;(i) The collection of personal information by any public sector agency; or&lt;br /&gt;(ii) The disclosure of personal information by one public sector agency to any other public sector agency, -&lt;br /&gt;or both; to have particular regard, in the course of that examination, to the matters set out in section 98 of this Act, in any case where the Commissioner considers that the information might be used for the purposes of an information matching programme; and to report to the responsible Minister the results of that examination. &lt;/p&gt;&lt;p&gt;&lt;strong&gt;98. Information matching guidelines&lt;/strong&gt; - The following matters are the matters referred to in section 13(1)(f) of this Act to which the Commissioner shall have particular regard, in examining any proposed legislation that makes provision for the collection of personal information by any public sector agency, or the disclosure of personal information by one public sector agency to any other public sector agency, in any case where the Commissioner considers that the information might be used for the purposes of an information matching programme:&lt;br /&gt;(a) Whether or not the objective of the programme relates to a matter of significant public importance:&lt;br /&gt;(b) Whether or not the use of the programme to achieve that objective will result in monetary savings that are both significant and quantifiable, or in other comparable benefits to society:&lt;br /&gt;(c) Whether or not the use of an alternative means of achieving that objective would give either of the results referred to in paragraph (b) of this section:&lt;br /&gt;(d) Whether or not the public interest in allowing the programme to proceed outweighs the public interest in adhering to the information privacy principles that the programme would 
otherwise contravene:&lt;br /&gt;(e) Whether or not the programme involves information matching on a scale that is excessive, having regard to -&lt;br /&gt;(i) The number of agencies that will be involved in the programme; and&lt;br /&gt;(ii) The amount of detail about an individual that will be matched under the programme:&lt;br /&gt;(f) Whether or not the programme will comply with the information matching rules.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Appendix B&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Content of Information Matching Privacy Impact Assessment&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;(a) &lt;em&gt;Cover sheet and table of contents&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;(b) &lt;em&gt;Introductory section&lt;/em&gt;: Setting out certain key details and short summary information such as:&lt;br /&gt;(i) the title of the proposal;&lt;br /&gt;(ii) name of the department proposing the programme;&lt;br /&gt;(iii) other agencies involved;&lt;br /&gt;(iv) contact details for policy and technical issues for each of the agencies;&lt;br /&gt;(v) summaries of some of the details that follow in (c) to (h);&lt;br /&gt;(vi) the date at which the version of the IMPIA has been prepared.&lt;br /&gt;&lt;br /&gt;(c) &lt;em&gt;Description of proposal&lt;/em&gt;: Including:&lt;br /&gt;(i) the objective of the proposals;&lt;br /&gt;(ii) summary of the proposed operation of the programme. 
Include details about likely processes involved, what information is to be disclosed, how information will be matched, when s.103 notices will be sent, information flows (diagrams) and any other relevant processes;&lt;br /&gt;(iii) where proposed legislation has already been drafted the relevant clauses should be attached and referred to.&lt;br /&gt;&lt;br /&gt;(d) &lt;em&gt;Timing&lt;/em&gt;: Description of the stage that the proposal has reached, the processes followed so far and the time frame to which the Department intends to work.&lt;br /&gt;&lt;br /&gt;(e) &lt;em&gt;The problem&lt;/em&gt;: Details of the problem to which the programme is addressed (including reference to any supporting documentation such as select committee reports, departmental studies, surveys, etc).&lt;br /&gt;&lt;br /&gt;(f) &lt;em&gt;Information matching guidelines&lt;/em&gt;: Detailed analysis (rationale, justification and cost/benefit) of the proposal in terms of the 6 information matching guidelines set out in s.98 (including reference to any supporting data such as results from pilot matches etc). 
Within this material, or in separate following sections, there should also be analysis of the proposal in respect of the:&lt;br /&gt;(i) The information privacy principles (detail those principles for which compliance may be an issue) &amp;ndash; relevant to guideline (s.98 d):&lt;br /&gt;(ii) 8 information matching rules - relevant to guideline (s.98 f)&lt;br /&gt;&lt;br /&gt;(g) &lt;em&gt;Part 10 compliance&lt;/em&gt;: Explanation as to compliance with ss.99 to ss.104 of Part 10 of the Privacy Act.&lt;/p&gt;&lt;p&gt;(h) &lt;em&gt;Draft information matching agreement and TSR&lt;/em&gt;: Where development of a proposal is well advanced a draft information matching agreement and Technical Standards Report may be attached, and referred to, if these have been prepared.&lt;br /&gt;&lt;br /&gt;(i) &lt;em&gt;Confidential material&lt;/em&gt;: Departments should indicate if any part of the document is sensitive, perhaps placing this in a confidential annex. If sensitivity is asserted it should be made clear whether that ceases when the policy decisions or implementing bill is made public.&lt;br /&gt;&lt;br /&gt;(j) &lt;em&gt;Sign-off&lt;/em&gt;: Normally by the chief executives of each department involved. &lt;/p&gt;&lt;p&gt;&lt;strong&gt;Footnotes&lt;/strong&gt;&lt;br /&gt;1 Definitions of &amp;ldquo;information matching programme&amp;rdquo; and other key terms are found in the Privacy Act 1993, s.97.&lt;br /&gt;2 Privacy Act, ss.97-109.&lt;br /&gt;3 Privacy Act, s.98.&lt;br /&gt;4 Privacy Act, Fourth Schedule.&lt;br /&gt;5&amp;nbsp;Office of the Privacy Commissioner, Examination of Proposed Information Matching Programmes October 1995 - March 1998, 1998, $25.&lt;br /&gt;6 Office of the Privacy Commissioner, &amp;ldquo;The Privacy Commissioner&amp;rsquo;s views on the Information Matching Guidelines&amp;rdquo;, updated from time to time.&lt;/p&gt;</description>
			<pubDate>Tue, 17 Oct 2006 11:31:48 +1300</pubDate>
			
			<guid>http://www.privacy.org.nz./guidance-note-for-departments-seeking-legislative-provision-for-information-matching/</guid>
		</item>
		
		<item>
			<title>Information held by Clubs and Societies</title>
			<link>http://www.privacy.org.nz./information-held-by-clubs-and-societies/</link>
			<description>&lt;p&gt;&lt;strong&gt;Introduction&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The Privacy Commissioner sometimes receives enquiries from voluntary organisations, clubs and societies (we have called these groups &amp;ldquo;societies&amp;rdquo; in this paper). These societies ask us how they can protect their members&amp;rsquo; privacy. &lt;br /&gt;&lt;br /&gt;Sometimes, we also receive complaints that these organisations have breached privacy.&lt;br /&gt;&lt;br /&gt;The most common issues are whether societies can collect information about members, whether they can publish membership lists to members or give them to other people, and whether people have a right to access minutes of meetings.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Does the Privacy Act cover societies?&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;Yes. The Privacy Act applies to any organisation or individual which falls within the definition of &amp;ldquo;agency&amp;rdquo;. &amp;ldquo;Agency&amp;rdquo; means:&lt;br /&gt;&lt;br /&gt;&amp;ldquo;any person or body of persons, whether corporate or unincorporate, and whether in the public sector or in the private sector ...&amp;rdquo;&lt;br /&gt;&lt;br /&gt;So the Privacy Act does apply to a society &amp;ndash; whether or not it has been legally incorporated.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What type of information does the Privacy Act cover?&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;The Privacy Act only applies to &amp;ldquo;personal information&amp;rdquo;. This is information about an identifiable, living human being.&lt;br /&gt;&lt;br /&gt;Information doesn&amp;rsquo;t have to be sensitive or &amp;ldquo;private&amp;rdquo; to be personal information. 
Anything about a person is personal information.&lt;br /&gt;&lt;br /&gt;So, personal information commonly includes:&lt;br /&gt;&amp;bull;&amp;nbsp;information about members and former members (for example, name, address and phone number, offices held, awards, skills, references and photographs); &lt;br /&gt;&amp;bull;&amp;nbsp;information about people other than members such as individuals to whom service organisations give assistance.&lt;br /&gt;&lt;br /&gt;This information can be held in various forms &amp;ndash; in minutes of meetings, newsletters and correspondence, and on membership databases, websites and so on.&lt;br /&gt;&lt;br /&gt;There may be times when disclosure is a necessary condition of membership &amp;ndash; if so, the society should spell that out clearly.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Use and disclosure&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;As long as the society has told people what the information will be used for, and whom it may be disclosed to, it will generally be able to use and disclose it in those ways without any problem.&lt;br /&gt;&lt;br /&gt;From time to time, the society may wish to use or disclose the information in a different way from the way it anticipated when it collected the information. For example, the society may have a new website, and may wish to put photographs on the site. Where the photograph was taken for the purpose of publication &amp;ndash; for example, a team photo &amp;ndash; putting it on the internet may still technically be within the purpose for which it was taken. However, it is still best, wherever possible, to check that members are happy with this new use of the information. Not everyone wants their photograph or their name on the internet.&lt;br /&gt;&lt;br /&gt;The AGM is a good time to discuss such matters, or it can be raised at other meetings, and mentioned in the newsletter so people have a chance to comment. 
&lt;br /&gt;&lt;br /&gt;Many of our enquiries &amp;ndash; and some complaints &amp;ndash; relate to using member details to pass on information about other products and services. For example, a bowling club may use contact information for the purpose of a competition draw, but if members do not know that those details are also passed to the life insurance company sponsor, so it can approach them for business, then many members may be annoyed. They may even leave the club, and the club&amp;rsquo;s reputation may suffer too. &lt;br /&gt;&lt;br /&gt;There may be times when a society needs to use or disclose information in ways that it did not anticipate, for example, if there is a criminal investigation or a court case. Check principles 10 and 11. They set out when the society will be able to use and disclose the information &amp;ndash; even without the member&amp;rsquo;s consent. &lt;br /&gt;&lt;br /&gt;If membership lists or directories are distributed to members, it is useful to include a notice that the information is to be used only in connection with club membership and may not be used for any other purposes such as direct marketing or for soliciting donations to other organisations. &lt;br /&gt;&lt;br /&gt;Clubs and societies should also consider who, within the organisation, will be able to see any of the personal information collected and held by the organisation, for example, membership lists.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Accurate information&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;All societies want to have accurate information to work with. After all, the information isn&amp;rsquo;t much use unless it is correct.&lt;br /&gt;&lt;br /&gt;Principle 8 requires agencies to take reasonable steps to check that personal information is accurate, up to date, complete, relevant, and not misleading before that information is used. 
&lt;br /&gt;&lt;br /&gt;A common way for a society to ensure that it has accurate information is to use annual subscription notices to encourage members to check their details and send in corrections, updates, or changes of address.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Access to information&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;Most of our complaints about societies arise because a member has asked the society for information about himself or herself, and the society has ignored the request or has kept some information back. &lt;br /&gt;&lt;br /&gt;People have a right to access information about themselves. This includes material like:&lt;br /&gt;&amp;bull;&amp;nbsp;references to the person in minutes of a meeting;&lt;br /&gt;&amp;bull;&amp;nbsp;correspondence that the person has had with the society;&lt;br /&gt;&amp;bull;&amp;nbsp;decisions made about the person;&lt;br /&gt;&amp;bull;&amp;nbsp;details of complaints made about the person;&lt;br /&gt;&amp;bull;&amp;nbsp;material from their personal file, if they work for the society.&lt;br /&gt;&lt;br /&gt;Problems particularly seem to arise where a society is investigating complaints about a member, or is disciplining a member. It is important that the society does not make an already difficult situation worse by failing to respond properly to requests by members for access to personal information about themselves. &lt;br /&gt;&lt;br /&gt;There are certain circumstances in which a request for access can be refused. For example:&lt;br /&gt;&amp;bull;&amp;nbsp;Individuals can only access information about themselves under the Privacy Act, not information about other people. For example, at a committee meeting decisions may have been made about various members. The requester can only get the information that is about him or her. The society can take information about other people out of the document. 
&lt;br /&gt;&amp;bull;&amp;nbsp;Sometimes, it may be an unjustified breach of another person&amp;rsquo;s privacy to provide some of the information.&lt;br /&gt;&amp;bull;&amp;nbsp;In employment situations, confidential references can generally be withheld. &lt;br /&gt;&lt;br /&gt;Of course, societies need to be familiar with their own rules and constitution. If members have the right under the rules to see unedited minutes of meetings, then a member who requests access to the minutes should always be able to see them. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Storage and security&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Under principle 5, agencies such as societies need to have reasonable security safeguards to prevent unauthorised use or unauthorised disclosure of personal information.&lt;br /&gt;&lt;br /&gt;For instance, information about members should be stored carefully. Societies should decide who may access information, and for what purposes. They will need to decide how much of the stored information needs to be made available. For instance, an unlisted telephone number or address may not need to be made available to a volunteer whose only role is to keep a record of meeting attendances. &lt;br /&gt;&lt;br /&gt;Societies also need to be careful when disposing of personal information such as old membership lists, old computers or old photocopiers that have stored information on a hard drive. If the society has a lot of personal and other information, it may be worth getting a secure bin from a document destruction service. Otherwise, purchase a small shredder, and shred all personal information before throwing it away. &lt;br /&gt;&lt;br /&gt;If a computer is being thrown away, destroy the hard drive. 
If it is being on-sold, get some advice on how to ensure that no information remains on the hard drive.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Retention of information&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;Principle 9 requires agencies to keep information only for as long as it is required for its lawful purpose. Some laws state that certain information such as accounts must be kept for a certain period of time. Otherwise the society should consider its purpose in holding the information, and decide when that purpose no longer applies. For instance, a society may not have a lawful purpose in maintaining an individual&amp;rsquo;s details for a contact list once that individual has left the society.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Privacy officers&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Every society should have at least one person who is reasonably familiar with personal information handling and privacy &amp;ndash; or who is tasked with finding out about it. That person is the &amp;ldquo;privacy officer&amp;rdquo;. He or she takes responsibility for knowing how the society needs to handle personal information so that it can do its job while protecting privacy at the same time.&lt;br /&gt;&lt;br /&gt;We offer training for privacy officers where we can &amp;ndash; call us on 0800 803 909 or check our website at &lt;a href=&quot;http://www.privacy.org.nz/&quot;&gt;www.privacy.org.nz&lt;/a&gt; under &amp;ldquo;Training and Education&amp;rdquo;. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How the Privacy Commissioner can help&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;We have an enquiries service: call 0800 803 909 (or in Auckland, 09 302 8655), or email &lt;a href=&quot;mailto:enquiries@privacy.org.nz&quot;&gt;enquiries@privacy.org.nz&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;While we can&amp;rsquo;t give specific legal advice on individual problems, we are happy to help by giving general advice, for example, about how the Privacy Act works. 
&lt;br /&gt;&lt;br /&gt;Our website has a lot of information that is useful for all agencies. Check us out at &lt;a href=&quot;http://www.privacy.org.nz/&quot;&gt;www.privacy.org.nz&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;People have a right to complain to the Privacy Commissioner if they believe that a society has breached the Privacy Act. If a person does make a complaint, we encourage the person and the society to think about how their dispute can be resolved. If the society has made a mistake, we may be able to give some advice about how to put things right, and to check that the same mistake won&amp;rsquo;t happen again. &lt;br /&gt;&lt;br /&gt;For more information about our complaints processes, check our website or ask our enquiries team for information.&amp;nbsp; See below to &lt;em&gt;download&lt;/em&gt; a pdf version of &amp;quot;Information held by Clubs and Societies&amp;quot;.&lt;/p&gt;&lt;hr /&gt;This guidance material is designed to provide some assistance with queries raised by the Privacy Act. It is not legal advice. If you require more specific information about the Act, please contact this office or seek legal advice. We welcome comments on this guidance material.&lt;br /&gt;&lt;br /&gt;Fact Sheets are also available from the Office of the Privacy Commissioner setting out in full the information privacy principles referred to in this paper.&lt;br /&gt;&lt;br /&gt;Issued by the Privacy Commissioner, PO Box 10-094, Wellington, June 2008&lt;br /&gt;Freephone:&amp;nbsp; 0800 803 909&lt;br /&gt;Email:&amp;nbsp; &lt;a href=&quot;mailto:enquiries@privacy.org.nz&quot;&gt;enquiries@privacy.org.nz&lt;/a&gt;&lt;br /&gt;Internet address:&amp;nbsp; &lt;a href=&quot;http://www.privacy.org.nz/&quot;&gt;www.privacy.org.nz&lt;/a&gt; &lt;hr /&gt;</description>
			<pubDate>Mon, 16 Jun 2008 09:58:18 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz./information-held-by-clubs-and-societies/</guid>
		</item>
		
		<item>
			<title>Guidance Note to Applicants seeking Exemption under Section 54 of the Privacy Act 1993</title>
			<link>http://www.privacy.org.nz./guidance-note-to-applicants-seeking-exemption-under-section-54-of-the-privacy-act-199/</link>
			<description>&lt;p&gt;This guidance note is intended to assist&amp;nbsp;anyone who may be contemplating applying under section 54 of the Privacy Act for an exemption. It has no formal legal status and in all cases persons are referred to the wording of section 54 of the Act itself (the text of which is appended to this note).&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1.0 Introduction&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;1.1 Section 54 of the Privacy Act empowers the Privacy Commissioner to authorise an agency to collect, use or disclose personal information even though that collection, use or disclosure would otherwise be in breach of information privacy principles 2, 10 or 11. Before granting an exemption the Commissioner must be satisfied that in the special circumstances of the case:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;the public interest in that collection or use or disclosure outweighs to a substantial degree any interference with the privacy of the individual that could result from that collection, use or disclosure; &lt;em&gt;or&lt;br /&gt;&lt;/em&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;that collection, use or disclosure involves a clear benefit to the individual concerned that outweighs any interference with the privacy of the individual that could result from that collection or use or disclosure. &lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;br /&gt;The Commissioner is not permitted to grant an authority if the individual concerned has refused to authorise the collection or use or disclosure.&lt;br /&gt;&lt;br /&gt;The Commissioner may impose conditions on any authority.&lt;br /&gt;&lt;br /&gt;1.2 A number of enquiries have been received by the Commissioner in relation to exemptions which could not be granted because they concern circumstances not contemplated by section 54 or because the necessary supporting information has not been supplied. 
Accordingly, this guidance note seeks to remind potential applicants as to the purpose of section 54 and to indicate the sort of information that should be supplied in support of an application.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2.0 Limit on scope of authorisations which may be granted under section 54&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;2.1 Section 54 clearly sets out a number of limitations on the authorisations which may be granted. In the paragraphs that follow some of these limitations are discussed. Presently only a few applications have been formally dealt with. From time to time it is anticipated that this guidance note&amp;nbsp;will be revised to take account of the decisions reached by the Commissioner in particular cases.&lt;br /&gt;&lt;br /&gt;2.2 The Commissioner is only empowered to authorise an agency to &amp;quot;collect, use or disclose&amp;quot; personal information. The power does not, for instance, extend to the authorisation of the assignment of a unique identifier or the retention of information.&lt;br /&gt;&lt;br /&gt;2.3 The Commissioner may authorise an agency to collect, use or disclose personal information even though that collection, use or disclosure would otherwise be in breach of &amp;quot;principle 2 or principle 10 or principle 11&amp;quot;. It would appear that an authorisation granted under section 54 will not authorise an agency to collect information which would otherwise be in breach of principle 1, 3 or 11 or to use, retain or disclose personal information in breach of principles 5, 8, 9 or 12. The exemption process has no relevance to access or correction requests under principles 6 or 7. Nor can an exemption validate actions which would be in breach of the public register privacy principles or any other part of the Privacy Act.&lt;br /&gt;&lt;br /&gt;2.4 There are two&amp;nbsp;separate grounds for granting an application under section 54(1). 
The first of these stresses &lt;em&gt;the public interest&lt;/em&gt; outweighing to a substantial degree any interference with the privacy of the individual. The second emphasises a clear &lt;em&gt;benefit to the individual&lt;/em&gt; concerned that outweighs any interference with the privacy of the individual. Applicants will need to provide information as to the matters contained in paragraphs (a) or (b).&lt;br /&gt;&lt;br /&gt;2.5 Section 54(1) requires the Commissioner to be satisfied that paragraph (a) or paragraph (b) applies &amp;quot;in the special circumstances of the case&amp;quot;. The Commissioner will consider the special circumstances on a case by case basis. However, the section requires there to be something &amp;quot;special&amp;quot; about the particular case. It is suggested that the section is not intended to cover an ordinary and routine collection, use or disclosure. Such routine matters are more appropriately dealt with in a code of practice, if at all.&lt;br /&gt;&lt;br /&gt;2.6 Subsection (3) makes it quite clear that the Commissioner is not empowered to grant an authority where the individual concerned has refused to authorise the collection or, as the case requires, the use or disclosure of information for a particular purpose.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3.0 Applicants should provide supporting information&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;3.1 An applicant should supply sufficient supporting information with an application to satisfy the Commissioner as to the special circumstances of the case and to the application of either paragraph (a) or paragraph (b) of subsection (1). If the applicant does not supply sufficient information the Commissioner will request further details. If no information is supplied, or the information does not satisfy the Commissioner, the application will not be granted.&lt;br /&gt;&lt;br /&gt;3.2 It will assist the Commissioner if applicants can be as precise as possible. 
However,&amp;nbsp;any applicants having difficulty framing an application, particularly those without legal assistance, may&amp;nbsp;ask the Commissioner's staff for assistance.&lt;br /&gt;&lt;br /&gt;3.3 The applicant should first of all make it clear whether an authorisation is&amp;nbsp;sought for:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;div&gt;collection;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;use;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;disclosure;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;or a combination of collection, use and disclosure;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;of personal information.&lt;br /&gt;&lt;br /&gt;3.4&amp;nbsp;The applicant should then explain the &amp;quot;special circumstances&amp;quot;.&amp;nbsp; Section 54 seems primarily designed for &amp;quot;one-off&amp;quot; situations.&amp;nbsp; If the circumstances giving rise to an application are likely to arise again and again, or are a routine part of an agency's activities, it is likely that an exemption will be inappropriate.&amp;nbsp; Consideration should instead be given to seeking a code of practice (see Privacy Act, sections 46-53).&lt;br /&gt;&lt;br /&gt;3.5 The applicant should identify whether an authorisation is being sought under paragraph (a) or under paragraph (b) of subsection (1).&lt;br /&gt;&lt;br /&gt;3.6&amp;nbsp;If the application is under section 54(1)(a) the applicant should explain what he or she believes the &amp;quot;public interest&amp;quot; is in the collection, use or disclosure. If the application is under section 54(1)(b) the applicant should explain what is believed to be a &amp;quot;clear benefit to the individual concerned&amp;quot;. The applicant's views as to why that public interest or personal benefit outweighs, to a substantial degree, any interference with the privacy of the individual that could result from the collection, use or disclosure will assist the Commissioner in that decision. 
However, the Commissioner can still process the application even if no views are expressed as to the weight to be given.&lt;br /&gt;&lt;br /&gt;3.7&amp;nbsp;The Commissioner is not permitted to grant an authority where the individual concerned has refused to authorise the collection, use or disclosure.&amp;nbsp; The application should indicate whether any such indication has been given.&amp;nbsp; Depending upon the circumstances it may also be appropriate for the applicant to indicate what steps have been taken to ascertain the views of the individual or individuals concerned if this is possible.&amp;nbsp; Where it is not possible to ascertain views in advance it may be possible to indicate how any authorisation might apply to a person later objecting to the collection, use or disclosure&amp;nbsp; (eg. if such an individual can elect to have their information handled in a different way).&lt;br /&gt;&lt;br /&gt;3.8&amp;nbsp;The Commissioner may impose conditions on applications that she grants. It makes sense for an applicant to give some thought to the kind of conditions that would seem reasonable and which are acceptable. It is not essential to specify those but it will certainly assist the Commissioner. 
&lt;br /&gt;&lt;br /&gt;3.9&amp;nbsp;In summary, an application for a section 54 exemption should:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;div&gt;explain whether the authorisation is sought for&amp;nbsp;collection, use or disclosure, of personal information;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;outline the &amp;quot;special circumstances&amp;quot; of the case;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;state whether the application is being sought under subsection (a) of section 54(1)&amp;nbsp;(&amp;quot;the public interest&amp;quot;) or under paragraph (b)&amp;nbsp;(&amp;quot;clear benefit to the individual concerned&amp;quot;);&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;explain why the applicant believes that either the public interest or the benefit to the individual concerned outweighs any resulting interference with the privacy of individuals;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;suggest suitable conditions, if appropriate;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;explain whether any individual concerned has objected to the collection, use or disclosure and whether any steps have been taken to ascertain the views of any individuals who will be affected by the exemption.&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;4.0 Conditions&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;4.1 Examples of the sort of conditions that might be considered by the Commissioner include:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;div&gt;a limit on the duration of the authorisation;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;notice to affected individuals by letters or public notices;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;a requirement to take steps to ensure that the special circumstances leading to the need for the exemption are put right or are avoided into the future;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;the adoption of arrangements which enhance privacy in a way that differs to that required by principles 2, 10 or 
11;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;where the authorisation will affect information relating to more than one person, a mechanism to enable individuals to &amp;quot;opt out&amp;quot; of the collection, use or disclosure;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;a report to the Commissioner at some appropriate point concerning the exercise of&amp;nbsp;the authorisation, in some cases including an audit of compliance with conditions.&amp;nbsp;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;5.0 Further information&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;5.1 Details of the exercise of the section 54 authorisation power are given each year in the Privacy Commissioner's annual report.&amp;nbsp; Extracts from the annual reports are given below illustrating some of the authorisations granted.&lt;br /&gt;&lt;br /&gt;5.2 If you wish to discuss a proposal for a section 54 application, please speak in the first instance to one of the Commissioner's enquiries officers.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;This guidance note&amp;nbsp;has been released in draft form as the Privacy Commissioner welcomes comment on it and may revise the note as a result of any suggestions. Comments&amp;nbsp;may be sent to the&amp;nbsp;Privacy Commissioner, PO Box 10094, Wellington.&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Guidance note - 12 May 1997&lt;/p&gt;&lt;p align=&quot;center&quot;&gt;&lt;strong&gt;Appendix A&lt;/strong&gt; &lt;strong&gt;- Section 54&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;54. 
Commissioner may authorise collection, use or disclosure of personal information -&lt;br /&gt;(1)&amp;nbsp;The Commissioner may authorise an agency to collect, use, or disclose personal information, even though that collection, use, or disclosure would otherwise be in breach of principle 2 or principle 10 or principle 11, if the Commissioner is satisfied that, in the special circumstances of the case, -&amp;nbsp;&lt;br /&gt;&lt;br /&gt;(a)&amp;nbsp;The public interest in that collection or, as the case requires, that use or that disclosure outweighs, to a substantial degree, any interference with the privacy&amp;nbsp; of the individual that could result from that collection or, as the case requires, that use or that disclosure; or&lt;br /&gt;&lt;br /&gt;(b)&amp;nbsp;That collection or, as the case requires, that use or that disclosure involves a clear benefit to the individual concerned that outweighs any interference with the privacy of the individual that could result from that collection or, as the case requires, that use or that disclosure.&lt;br /&gt;&lt;br /&gt;(2)&amp;nbsp;The Commissioner may impose in respect of any authority granted under subsection (1) of this section such conditions as the Commissioner thinks fit.&lt;br /&gt;&lt;br /&gt;(3)&amp;nbsp;The Commissioner shall not grant an authority under subsection (1) of this section in respect of the collection, use, or disclosure of any personal information for any purpose if the individual concerned has refused to authorise the collection or, as the case requires, the use or disclosure of the information for that purpose.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;&lt;/p&gt;&lt;p align=&quot;center&quot;&gt;&lt;strong&gt;Appendix B&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Extracts from Privacy Commissioner&amp;rsquo;s annual reports concerning section 54 authorisations&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1993/94 annual report&lt;/strong&gt;&lt;br /&gt;In one case I provided the authorisation 
requested.&amp;nbsp; My authorisation under section 54 arose from the reorganisation of electricity supply arrangements, and allowed a local body to provide to an energy trust a list of those eligible to be ratepayers so that they could be allocated voting powers within the limited time in which this had to be done.&amp;nbsp; I did not receive any complaints about the application of my authorisation.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1994/95 annual report&lt;/strong&gt;&lt;br /&gt;In only one case did I give authorisation as requested, and this covered the disclosure by newspaper advertisements of a list of the names of a substantial number of shareholders who were entitled to payment from the liquidation of a company.&amp;nbsp; The liquidation had taken a particularly long time and, despite considerable research by the liquidator&amp;rsquo;s staff, there remained many shareholders who could not be traced by other economic means.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1995/96 annual report&lt;br /&gt;&lt;/strong&gt;I granted only one authorisation under section 54 during the 1995/96 year.&amp;nbsp; This was the disclosure between the Residual Health Management Unit and the Public Trustee of the names of several thousand former patients of psychiatric hospitals.&amp;nbsp; There had been an arrangement prior to 1987 whereby the money of patients receiving hospital care for psychiatric illnesses had been invested by the hospitals with interest accumulating into a separate fund rather than being allocated to the individual patients at the time.&amp;nbsp; With the reorganisation of the health sector in 1993, it was decided that this substantial fund should be allocated and paid out to the patients concerned or to their beneficiaries.&amp;nbsp; The Residual Management Unit was given the task of administering the payment of the fund.&amp;nbsp; By then, of course, most of the patients were no longer in hospital and the Unit advertised extensively to ask for claims to be lodged by 
any people who believed they were entitled to some of the money.&amp;nbsp; The Unit had established that there were in the order of 13,000 former patients who would apparently be entitled to share in this money.&amp;nbsp; By the time the Unit approached me it had paid out claims to some 4,000 people, but were still trying to locate about 8,000 more.&amp;nbsp; The Unit believed that many former patients may have placed their affairs in the hands of the Public Trustee, who would be able to claim on behalf of the patient or their beneficiaries.&lt;br /&gt;&lt;br /&gt;I was satisfied that there was in this case a clear benefit to the individuals concerned that outweighed the interference with their privacy.&amp;nbsp; I therefore authorised the unit and the Public Trustee to disclose to each other the names and certain other details so that the Trustee could compare that list with its own records and either initiate claims as appropriate or advise the Unit of how the individuals it sought might be contacted.&amp;nbsp; I granted the authorisation upon conditions that the information disclosed was not used for any other purpose and was not retained for any longer than was necessary for the purpose of matching and the lodging of claims.&lt;/p&gt;</description>
			<pubDate>Fri, 12 May 2006 11:48:53 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz./guidance-note-to-applicants-seeking-exemption-under-section-54-of-the-privacy-act-199/</guid>
		</item>
		
		<item>
			<title>Draft Guidance Note on Codes of Practice under Part VI of the Privacy Act</title>
			<link>http://www.privacy.org.nz./draft-guidance-note-on-codes-of-practice-under-part-vi-of-the-privacy-act/</link>
			<description>&lt;p&gt;1.0&amp;nbsp;&amp;nbsp; Introduction&lt;br /&gt;2.0&amp;nbsp;&amp;nbsp; Nature of Codes of Practice&lt;br /&gt;3.0&amp;nbsp;&amp;nbsp; Consultation&lt;br /&gt;4.0&amp;nbsp;&amp;nbsp; Operational Procedures&lt;br /&gt;5.0&amp;nbsp;&amp;nbsp; Format&lt;br /&gt;6.0&amp;nbsp;&amp;nbsp; General Content&lt;br /&gt;7.0&amp;nbsp;&amp;nbsp; Detailed Content&lt;br /&gt;8.0&amp;nbsp;&amp;nbsp; The Privacy Commissioner's Involvement&lt;br /&gt;9.0&amp;nbsp;&amp;nbsp; Further Information&lt;br /&gt;10.0 Guidelines Kept Under Review&lt;br /&gt;Appendix A&amp;nbsp;&amp;nbsp;&amp;nbsp; Formulation of a Code of Practice&lt;br /&gt;Appendix B&amp;nbsp;&amp;nbsp;&amp;nbsp; Preferred style for Codes of practice&lt;/p&gt;&lt;h3&gt;1.0 INTRODUCTION&lt;/h3&gt;&lt;p&gt;1.1 This note considers codes of practice as provided for in the Privacy Act 1993. It seeks to explain the nature of codes of practice, their possible format and matters to be included.&lt;/p&gt;&lt;p&gt;1.2 These comments are simply guidelines and do not represent a definitive or binding view of the Privacy Commissioner. Reference must be made to Part VI of the Privacy Act. Public register codes are issued under Part VII of the Act but are not discussed here.&lt;/p&gt;&lt;h3&gt;2.0 NATURE OF CODES OF PRACTICE&lt;/h3&gt;&lt;p&gt;2.1 The term &amp;quot;code of practice&amp;quot; is used by different organisations in many different ways and covers varying levels of policy and practice. Codes of practice in other contexts can range from internal guidelines at one extreme to fully enforceable standards at the other. The term will continue to mean different things to different people in different contexts.&lt;/p&gt;&lt;p&gt;2.2 A code of practice under the Privacy Act is a legal document. It is enforceable through the Commissioner and the Complaints Review Tribunal (although not usually through the ordinary courts). For some purposes it has the status of a regulation. 
The statutory basis for codes of practice will be found in Part VI of the Privacy Act and copies of ss.46-53 (as amended) are attached.&lt;/p&gt;&lt;p&gt;2.3 Codes of practice generally provide how agencies in a particular industry, sector or activity must comply with the Informat