We take privacy and security of information seriously - Annual Report 2019 - 2020
We have taken significant steps towards implementing a privacy- and security-by-design approach to the way we look after the information we hold. Our information privacy and security teams work with project teams throughout the organisation to ensure that risks are identified and mitigated as early as possible.
The benefits of this new model were particularly obvious during the initial COVID-19 response. We integrated privacy and security experts into multidisciplinary teams (together with IT, service delivery, legal, data and analytics, communications, and fraud) so we could deliver the required complex initiatives at pace, and with real-time advice and direction to ensure privacy and security risks were well understood and managed safely.
Making sure we use information responsibly
With information collection and use comes the responsibility to respect the rights of individuals whose information is collected, and to apply consistent legal and ethical standards. Our ‘by design’ approach to project development has enabled us to build further on our Privacy, Human Rights and Ethics (PHRaE) framework [1].
Even though we have been under pressure to deliver new services at pace, we worked hard to ensure that we are open and transparent with clients and the public about how we use information.
We are one of the five foundation agencies [2] for the Data Protection and Use Policy (DPUP), which Cabinet endorsed in December 2019. We are now starting to take active steps to implement the DPUP in some of our core activities, such as our contractual arrangements with community service providers.
Reviewing privacy protections in serious fraud investigations
Following the Privacy Commissioner’s publication in early 2019 of the results of an inquiry into our use of powers in relation to serious fraud investigations, we initiated a programme of work to implement the inquiry’s recommendations, and to ensure we are respecting the rights of clients under investigation.
That work is now well advanced, but not yet completed as there was a delay while key staff were redeployed to deal with the COVID-19 response.
Approved information-sharing agreements
As lead agency, we are responsible for reporting against two approved information-sharing agreements (AISAs) with other agencies. One AISA is with the Ministry of Education and Oranga Tamariki for providing services to help disengaged youth move into education, employment or training, and the other is with the New Zealand Customs Service for the supply of information regarding arrivals into and departures from New Zealand.
The reports on these AISAs can be found at Appendix 3.
Footnotes
- The PHRaE framework enables projects to meet legal and ethical responsibilities by ensuring that the privacy, human rights and ethical risks associated with personal information use are appropriately identified and managed early on in the development of new initiatives. It comprises an interactive tool and a team of specialists who work alongside development teams. Retun to text
- The others are the Ministries of Education and Health, Oranga Tamariki, and the Social Wellbeing Agency. See https://swa.govt.nz/assets/Documents/Data-Protection-and-Use-Policy-Proactive-Release.pdf. Retun to text
