As privacy concerns continue to make headlines, recent inquiries into the handling of personal data within New Zealand's public sector serve as reminders to all organisations, regardless of sector, of the critical importance of safeguarding the personal information that has been entrusted to them. This article explores the findings from the recent privacy inquiries and provides guidance on how all businesses can strengthen their data protection measures to ensure compliance.

Stats NZ and PSC Inquiries

In early June 2024, the media reported that personal information provided by, or to, government agencies as part of the collection of data for the 2023 Census, or for COVID-19 vaccination purposes, had been used for improper purposes. These allegations centred around claims that Census and COVID-19 vaccination data collected at Manurewa Marae was misused to benefit a Te Pāti Māori campaign.

Following the allegations, Stats NZ commissioned an independent investigation, titled “Independent Investigation and Assurance Review of Allegations of Misuse of 2023 Census Information” (Stats NZ report). A related investigation by the Public Service Commission looked at how government agencies protected personal information provided for 2023 Census and COVID-19 vaccination purposes - the “Inquiry into how government agencies protected personal information for the 2023 Census and COVID-19 vaccination programme” (PSC Inquiry).

Findings

In relation to the Census data, the PSC Inquiry focussed on Stats NZ’s engagement with the third party, Te Pou Matakana (the Whanau Ora Commissioning Agency / WACA). WACA had been engaged by Stats NZ to assist in collecting Census data from Māori individuals. The PSC Inquiry found that concerns raised by Stats NZ staff as to privacy risks, conflicts of interest, and poor data handling processes were not adequately addressed at the outset of the engagement. Further, while an information sharing agreement with WACA was in place and contained privacy safeguards, including provisions for certificates of confidentiality, privacy impact assessments and workforce training plans, Stats NZ had failed to implement these safeguards.

In relation to the COVID-19 vaccination data, the PSC Inquiry noted that the data sharing agreements that were in place between the Ministry of Health, Health NZ and the relevant service providers did not allow for audits to ensure that the service providers were meeting their contractual obligations, and there were no safeguards applied over files once these were downloaded by providers’ authorised staff, leaving personal data vulnerable to misuse.

Actions following the PSC Inquiry

Following the PSC Inquiry, the Public Service Commission has instructed agencies to temporarily suspend entering new or extended contracts with certain third parties until those contracts are reviewed for adequacy.

The Government Chief Digital Officer, supported by the Public Service Commissioner, has issued a draft “Standard for providing third parties with access to government-held personal information” (Standard) for consultation with government agencies and some select non-government agencies. The final Standard will be published in April and is expected to come into force on 1 July 2025. Compliance will be mandatory for core public sector agencies, and those agencies will need to ensure that any information sharing arrangements with non-government third parties entered after 1 July 2025 meet the Standard.

Meanwhile, several queries related to the PSC Inquiry have been referred to the Privacy Commissioner, who is currently investigating the matter.

A reminder on the need to protect Personal Information

These inquiries underscore the need for all agencies handling personal information to uphold their obligations under the Privacy Act 2020 and comply with the Information Privacy Principles (IPPs) to protect the personal information with which they have been entrusted.

While the inquiries relate to recent high-profile incidents, those incidents are certainly not isolated. For example, in January, suppressed case details were mistakenly disclosed on the District Court website, prompting immediate action from the Ministry of Justice, which described the incident as “a serious error”, especially given that a pre-publication checking process was in place to prevent suppressed information from being made public.

Strengthening data protection practices is not only a legal requirement but a crucial step towards maintaining the public's confidence in how personal information is managed and protected.

The findings of the inquiries, and the lessons that can be learnt from the incidents they covered, are equally important not only for the public sector but also for private sector agencies and NGOs. Privacy issues are receiving more media attention, highlighting a key message: privacy must be a priority. The Privacy Commissioner’s 2024 Survey found that 70% of respondents would consider changing service providers over poor privacy practices, and two-thirds view privacy protection as a major concern. New research just out from Kordia shows that 35% of business leaders said cyber-attacks or data leaks via third-party suppliers were their biggest business concern.

Practice points

  1. Review contractual arrangements: Where personal information is to be shared with third parties, businesses should carefully review the contract terms to ensure they are robust and address key issues such as how the information will be protected and what happens if a privacy breach occurs (our earlier article here explores some of those considerations in more detail). For public sector agencies, information sharing agreements with non-government third parties will need to be reviewed and updated for compliance with the new Standard.
  2. Conduct regular audits: Contracts with third-party providers should provide for a right to audit the provider’s privacy practices, and businesses should ensure they are routinely exercising those audit rights. Audits should focus on assessing a third party’s compliance with the contractual requirements, legal requirements, and best practices.
  3. Utilise Privacy Impact Assessments (PIAs): At the outset of any new engagement, businesses should take the time to assess the potential risks to personal information and ensure appropriate mitigation strategies are in place. PIAs are a proactive way to identify and address privacy concerns before they arise.
  4. Assess and improve security measures: Businesses should conduct regular risk assessments and update their security protocols to address emerging threats, and ensure they are applying appropriate diligence on their providers’ security protocols. This includes consideration of things such as access controls, encryption methods, and data retention practices.
  5. Comprehensive training programs: Human errors are one of the primary reasons why privacy breaches occur. Regular training sessions, supported by clear internal guidelines, help to ensure that staff are equipped to prevent, identify, and address potential data protection issues.
  6. Incident response management: Businesses should have robust policies and procedures in place for responding to data breaches, and should test those policies and procedures on a regular basis through simulated breach exercises. A strong breach management plan ensures swift action to mitigate damage and maintain compliance.
  7. Ensure compliance with upcoming legislative changes: Businesses should start preparing for compliance with the requirements of the Privacy Amendment Bill, which is currently before Parliament. The Bill introduces a new requirement (IPP 3A) which will require businesses to inform affected individuals about certain matters when collecting their personal information from a source other than the individual concerned. The new IPP 3A is expected to come into effect on 1 June 2025.

Get in touch

If you would like to know more, please get in touch with one of our contacts.

Special thanks to Priya Prakash for her assistance in writing this article.
