Regulatory spotlight on information sharing (and what this means for you)

Government information sharing has been in the spotlight in Aotearoa NZ recently, following the release of two inquiry reports by the Public Service Commission (PSC) and Stats NZ respectively. These inquiries should give organisations pause for thought about the extent of their obligations when sharing personal information with third parties.

What were the inquiries about?

The inquiries relate to the alleged misuse of 2023 Census data and personal information gathered for the purposes of managing the COVID-19 pandemic. In short, the allegations were that personal information provided by or to government agencies as part of Census 2023, or for COVID-19 vaccination purposes, had been used for improper purposes by certain third-party service providers during the 2023 General Election period. Clearly, such allegations strike at the heart of public trust in government process.

What did the inquiries find?

The facts underpinning these separate but related inquiries are complex, and involve several government agencies. However, the overwhelming theme in the findings of both inquiries was the failure of government agencies to effectively ensure that personal information being shared under legitimate information sharing agreements was being managed and protected in accordance with contractual protections and assurances. The PSC made the following critical observation:

“The protections over personal information which existed in the service contracts or data sharing agreements are only one part of the overall protections required when agencies deal with sensitive personal information. The ability to monitor, audit and hold accountable the relevant contractual party to those obligations is also important.”

The inquiries fell short of making any concrete determinations in relation to compliance with the Privacy Act 2020, which is appropriate as such determinations would be a matter for the Office of the Privacy Commissioner (OPC). As such, the PSC referred matters related to Stats NZ, the Ministry of Health and Te Whatu Ora to the OPC for consideration.

How did the OPC respond?

In a media release following the referrals, the OPC stated that the inquiries showed that agencies must be “better at privacy”, and that agencies need to be “confident that personal information is protected wherever and whatever organisation is handling it”. The OPC confirmed that the following matters had been referred:

  • Whether systems and controls were appropriate for personal information following its transmission by Te Whatu Ora, the Ministry of Health and Stats NZ to service providers.
  • Whether there were appropriate means in place for these public agencies to be confident that their service providers were meeting their contractual privacy requirements.
  • Whether personal information was collected or used by Manurewa Marae for unauthorised purposes.
  • Whether separation of personal information from Census data was maintained at Manurewa Marae, and whether privacy statements were adequate to inform people about the use of their information.

What does all this mean for organisations?

The OPC’s findings will be important for both public and private sector organisations, providing clarity on the scope and extent of a discloser’s obligations in relation to the use of personal information by a recipient. However, in the meantime, here are a few things any organisation should consider before sharing personal information with third parties:

  1. Understand the status of the parties – The discloser will need to establish the status of each party to the information sharing, because this determines which party is liable for what under the Privacy Act. If the discloser is sharing personal information with a recipient which is a ‘controller’ (i.e. the recipient will use the information for its own purposes), then the recipient will be liable for the onward use of the information, although the inquiries suggest that there is an obligation on the discloser to mitigate privacy risk where possible. However, if the discloser is sharing personal information with a recipient which is a ‘processor’ (i.e. the recipient will store or process the information solely on the discloser’s behalf), then the discloser will remain liable for the onward use of the information.
  2. Ensure there is a lawful basis to disclose – The discloser will need to make sure it has a lawful basis under the Privacy Act (or another law) to disclose the personal information to the recipient. If information is being shared with a processor, then it is permitted on the basis that this is not a ‘disclosure’ under IPP 11. However, if information is being shared with a controller, then it will need to be permitted by an exception to IPP 11, such as purpose (IPP 11(1)(a)), authorisation (IPP 11(1)(c)) or research (IPP 11(1)(h)). If the disclosure is expressly permitted or required by another law, then this will override the Privacy Act.
  3. Impose appropriate contractual assurances – A key element in the inquiries was the use of adequate contracts to govern the information sharing. Contracts with processors are commonplace, and most privacy professionals are well aware of the standard clauses they need to include (such as data use and disclosure limitations, security, breach notification, and data deletion). However, it may often be appropriate to put contracts in place to govern information sharing with another controller (i.e. ‘Information Sharing Agreements’). Such contracts – which are less common in the private sector than the public sector – can impose use and retention limitations on the recipient, and agree on roles and responsibilities in relation to complaints, privacy breaches or access requests.
  4. Maintain accountability – The inquiries made clear that it was not enough to rely solely on contractual assurances. In some cases, and particularly where the personal information being shared is sensitive or the individuals affected are vulnerable, the discloser will need to take additional steps to ‘look behind’ the contractual assurances, and ensure that the recipient is meeting its obligations. This could be practically difficult, and will certainly be time and resource heavy, but there is a growing expectation that this is done. If shortcomings are found, the discloser will need to hold the recipient to account, including by requiring the recipient to take remedial action or, in extreme cases, ending the information sharing arrangement entirely.
  5. Provide sufficient privacy notice – Depending on the nature of the information sharing, the discloser will need to ensure that affected individuals are given adequate privacy notice about it. Generally, privacy notice is not required for the disclosure of personal information to a processor (as this is not a ‘disclosure’ for the purposes of IPP 11), though many privacy notices do advise individuals that trusted third-party service providers will have access to their information where necessary. However, if the disclosure of personal information to another controller is routine (that is, one of the purposes for which the information was collected), then the discloser will need to make sure the disclosure is notified to affected individuals in its privacy statement. This will become even more important in 2026, when the recipient will also be required by the new IPP 3A to ensure that individuals are made aware that personal information is being indirectly collected.