There are many instances where our personal information is shared. We share it ourselves on social media, and we share it with government agencies, businesses and NGOs. Various legal instruments give us some protection over how our personal data is used.
Data is a powerful way to access people and provide targeted services. Personal data is shared between government agencies, businesses and third parties. Agencies are trialling new ways to share data, but this involves increased and new risks.
The Privacy Act 2020, including its Information Privacy Principles, and the Data and Statistics Act 2022 set the rules for protecting and sharing our personal information. The Acts set the duty of care squarely on the shoulders of government agencies, and the Privacy Act also applies to organisations and people using personal data.
Government agencies have a strict framework to follow when data is shared, which includes risk assessment and the use of Data Sharing Arrangements.
Two recently released and excellent independent reports commissioned by Stats NZ and the Public Service Commission have reported on data sharing arrangements between agencies and several organisations, primarily Ministry of Health, Whatu Ora, Stats NZ, Te Puni Kōkiri, Whānau Ora Commissioning Agency, Te Pou Matakana, Waipareira Trust and Manurewa Marae.
See:
- Independent Investigation and Assurance Review of Allegations of Misuse of 2023 Census (commissioned by Stats NZ)
- Findings of an inquiry into the protection of personal information (Independent Review commissioned by the Public Service Commission)
The reports show serious gaps in the protection of sensitive personal data. In summary:
- There were poor safeguards in place for identifying and managing the possibility of conflicts of interest arising from sharing information with providers, and even fewer for sub-contractors. Health-related data sharing arrangements (DSAs) did not contain any terms relating to conflicts of interest. Neither Stats NZ nor the Ministry of Health/Whatu Ora engaged contracted providers in active discussions or monitoring of conflicts of interest. Although the focus of the report is on agency responsibilities and actions, it also seems that the contracted providers were not proactive in addressing conflicts of interest.
- There was insufficient evaluation of capability, risk, public value and due diligence before contracts were awarded (and contracts did not go through an open procurement process).
- Key safeguards, such as Certificates of Confidentiality, Privacy Impact Assessments and workforce training, were left out of some contracts.
- Whistleblower concerns raised internally at Stats NZ were largely ignored. Other whistleblower reports were not recorded or followed up.
- There was “light touch” due diligence around privacy protection in the early stages of contract implementation. Monitoring, auditing and accountability actions were poor.
Under Pressure
The inherent risks of data sharing were amplified by short timeframes, assumed high trust and a prioritisation of outcome success, resulting in less focus on risk.
The Ministry of Health was under pressure in 2021 due to poor COVID-19 vaccination coverage among some population groups. A range of initiatives to lift vaccination rates for Māori included a contract with Te Pou Matakana to provide vaccination and other COVID-19-related services. The outcome was improved vaccination coverage.
Stats NZ was under pressure in 2023 to gather information from Māori households, which had been under-reported in this and previous census collections. This information gathering was well intentioned and met the outcome of increasing census data coverage of hard-to-reach households.
Data sharing was high trust, with an assumption that commercial interest would ensure compliance.
Both independent reports refer to the reliance on high trust arrangements and the assumption that commercial incentives would be enough to ensure that contracted providers have robust systems and integrity controls. The PSC inquiry report did not consider trust and the commercial context to be adequate ‘back end’ safeguards. The RCG Group report recommended that more diligent risk assessment should consider the broad context in which Stats NZ and the provider operate, including the social, economic, and political environments.
What damage has been done?
- Trust in the lead agencies at the heart of this inquiry has been undermined.
- Similarly, trust between agencies and contracted organisations has been damaged.
- There is potential for a further drop in trust around census information gathering.
- There is potential for reluctance to use innovative ways of gathering data from hard-to-reach populations.
- Referrals have been made to the Privacy Commissioner and NZ Police on some of the allegations outside the scope of the inquiries. One allegation is that the census information was used for a Te Pāti Māori text message campaign in the weeks leading up to the General Election. That is a very serious allegation.
- The CE of Stats NZ and Chief Government Statistician, Mark Sowden, has not sought re-appointment.
- This may further damage the trust of citizens in how their information is treated. In the 2024 Privacy Survey undertaken by the Privacy Commissioner, the percentage of people who said they are "more concerned" about privacy issues over the last few years has increased to 55%, a 14% increase from two years ago. 80% want more control and choice over the collection and use of their personal information. 63% said protecting their personal information is a major concern in their lives. Around two-thirds of New Zealanders are concerned about businesses or government organisations sharing their personal information without telling them.
Stats NZ has a programme of remediation underway, and the PSC is working on a new information sharing standard. The Commission’s Conflicts of Interest Model Standards have also been reviewed and updated. The Privacy Commissioner has recently released guidance about working with third-party providers.
Third Party responsibility?
There are investigations underway by the Privacy Commissioner and, we assume, the NZ Police. The independent reports note alleged failings at the provider end in identifying and addressing conflicts of interest, in complying with contract requirements, and in safeguarding personal data.
The Privacy Act and Data and Statistics Act are legal vehicles for applying integrity and accountability to the use and protection of our personal and sensitive data. We expect the leaders of the third-party organisations to be undertaking their own internal inquiries that include sub-contractors, to be proactive in their approach to conflicts of interest and data protection, and to be upfront about both what they have done well and where they have not met the agreed standards.