Privacy Law and Policy Reporter
In 1991 legislative authority was given to carry out data matching under eight statutes. The explicit trade-off was the enactment of NZ's in 1991 (later subsumed into the Privacy Act 1993).
The NZ approach is to establish each new matching program with its own specific statutory authorisation. The legislative approach acknowledges that usually data matching (called `information matching' in the NZ Act) will involve a collection, use or disclosure of personal information which would not otherwise be consistent with the information privacy principles and the statutory provision legitimises what might otherwise be a breach. The Privacy Act empowers the Privacy Commissioner to examine any proposed legislation that provides for data matching having regard to six statutory guidelines. Those guidelines follow a similar approach to that taken by the Australian Privacy Commissioner in relation to data matching in the Commonwealth. The Government's Cabinet Office Manual also requires departments to signify whether any proposed legislation will contravene the matching guidelines.
In April 1995 a new data-matching provision was introduced into Parliament in the Electoral Reform Bill. The Commissioner submitted a report on that provision and it was enacted, with some amendment, consistent with the Commissioner's recommendations, in December 1995. The provision authorises a match between the electoral roll and the list of visitors to NZ and illegal aliens (generally known as `overstayers' in NZ). The Commissioner's report criticised the lack of any data showing that a significant number of visitors or overstayers actually had enrolled to vote and recommended a pilot match to produce statistical information to confirm the extent of any problem. However, there was insufficient time to undertake a pilot statistical match given both the legislative and electoral timetables.
As part of the 1996 budget process the Government introduced major new initiatives in relation to low and middle income families and beneficiaries seeking work. Two data-matching programs were contained in the Tax Reduction and Social Policy Bill. One, involving the Accident Rehabilitation and Compensation Insurance Corporation and the Inland Revenue Department would verify eligibility of claimants of a new tax credit and the other related to the exchange of information between the NZ Income Support Service and NZ Employment Service. The latter provision regularises an exchange which had taken place for a number of years but which was proposed to be significantly expanded as work testing was extended to more beneficiaries. That match also had a controversial feature, dropped following representations the Privacy Commissioner, which would have authorised by statute the use of on-line computer information transfers as part of the matching process. The NZ information matching rules prohibit on-line matching except with the approval of the Privacy Commissioner. The use of legislation to bypass the approval process was criticised.
As a result of experience in examining the electoral roll match the Commissioner identified the need to have departments more closely consider the matching guidelines early in the governmental processes. Accordingly, the Commissioner circulated to departments early in 1996 a guidance note requiring departments proposing matching to produce an `information matching privacy impact assessment'. The process bears some similarity to the `program protocol' under the Commonwealth guidelines and the preliminary assessment document under the Canadian Treasury Board requirements. The two matches in the Tax Reduction and Social Policy Bill were the first to be examined under that process. A third program is also under consideration relating to a provision in a law reform bill to match names and addresses between the Department of Courts and Department of Social Welfare to trace fines defaulters.
In the first four years of privacy controls on data matching no new proposals were brought forward to Parliament. However, since December 1995, three new matches have been authorised in short order and another is before Parliament. It is thought that others are probably under active consideration. The Privacy Commissioner through the new assessment processes, which were the subject of a workshop held with government departments in May 1996, has sought to impress the need for careful departmental consideration of Privacy Act requirements for matching programs at an early developmental stage. It is hoped that as a result any privacy issues arising from new proposals can be sorted out before matters reach Parliament.
Blair Stewart is Manager,
Codes and Legislation, in the Office
of the Privacy Commissioner, NZ.
Blair Stewart is Manager, Codes and Legislation, in the Office of the Privacy Commissioner, NZ.