Notes from the Asia-Pacific region: Inquiries into Census, COVID-19 data highlight government agencies' Privacy Act obligations

Government information sharing has been in the spotlight in Aotearoa New Zealand recently, following the release of two inquiry reports by the Public Service Commission and Stats NZ, respectively.

The reports relate to the alleged misuse of 2023 Census data and personal information gathered for purposes of managing the COVID-19 pandemic. In short, it is alleged that personal information provided by or to government agencies as part of the 2023 Census, or for COVID-19 vaccination purposes, had been used by certain third-party service providers for improper purposes during the 2023 general election. Clearly, such allegations strike at the heart of public trust in government process.

The facts underpinning these separate but related inquiries are complex and involve several government agencies. I would recommend anyone with an interest read both reports in full. However, the overwhelming theme in the findings of both inquiries was government agencies' failure to effectively ensure personal information being shared under legitimate information sharing agreements was being managed and protected in accordance with contractual protections and assurances.

The PSC report stated, "The protections over personal information which existed in the service contracts or data sharing agreements are only one part of the overall protections required when agencies deal with sensitive personal information. The ability to monitor, audit and hold accountable the relevant contractual party to those obligations is also important."

The inquiries fell short of making any concrete determinations related to compliance with the Privacy Act 2020, which is appropriate as such determinations would be a matter for the Office of the Privacy Commissioner. As such, the PSC referred matters related to Stats NZ, the Ministry of Health and Health New Zealand to the OPC for consideration.

In a press release following the referrals, the OPC confirmed the following matters had been referred:

• "Whether systems and controls were appropriate for personal data following its transmission by (Health New Zealand), the Ministry of Health and Stats NZ to service providers.
• Whether there were appropriate means in place for these public agencies to be confident that their service providers were meeting their contractual privacy requirements.
• Whether personal information was collected or used by Manurewa Marae for unauthorised purposes.
• Whether separation of personal data from Census data was maintained at Manurewa Marae, and whether privacy statements were adequate to inform people about the use of their information."

Ultimately, while the inquiry reports were important to surface potential privacy issues, it will be the OPC's inquiry that establishes whether these government agencies did in fact fall short in obligations under the Privacy Act.

Raising distinct "Schrems" vibes — albeit without the cross-border element — the OPC's findings will be important for both public and private sector organizations, providing clarity on the scope and extent of a disclosing agency's obligations in relation to the use of personal information by a receiving agency.

These are questions privacy professionals grapple with every day, and the OPC has an opportunity to flesh out the limited NZ Privacy Act provisions related to controllers and processors in a practical way.

Daimhin Warner, CIPP/E, is the country leader, New Zealand, for the IAPP.