PUBLICLY AVAILABLE

Privacy Impact Assessment: Information Sharing Agreement for Identity Services Provided by Department of Internal Affairs

06 April 2018


1. Contents

1. Contents
2. Glossary of terms
3. Related documents
4. Overview
4.1. Background
4.2. AISA objectives
4.3. AISA purpose
4.4. Benefits to society
5. PIA development process
6. PIA scope
7. Personal information
7.1. Types of personal information to be shared
7.2. Information to be shared under the AISA
8. Privacy assessment
9. Risk and benefits assessment
10. Action plan


2. Glossary of terms

Adverse action: Any action that may adversely affect the rights, benefits, privileges, obligations, or interests of any specific individual.

Agreement: This information sharing agreement, including any amendment made by the parties.

Application: The submission of a formal request for the provision of a service.

Audit log: A non-repudiable collection of records to support the formal inspection and verification to confirm whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.

Birth registration: The process of registering the birth of a child including determining the citizenship by birth status of a child born on or after 1 January 2006.

Branch: A division within the Department of Internal Affairs led by a Deputy Chief Executive or an equivalent role.

Civil union celebrant: A person appointed and authorised to act as a civil union celebrant under the Civil Union Act 2004.

Civil union licence: A licence to allow two parties to enter into a civil union.

Civil union registration: The process of registering the civil union of two parties.

Customer: A member of the public using any of DIA’s services.

Customer centred services: A specific approach to doing business that focuses on the customer when providing services.

Customer Centred Management Solution: DIA’s solution to provide a single view of the customer, in order to manage customer interaction and provide the services they request.

Customer Identity Store: A solution to manage customers’ identity data and access requirements.

Customer object: A unique identifier for a person who is a DIA customer. The identifier is not exposed to customers or staff, it is only used by DIA software to correlate database records and register entries to the customer’s identity.

Customer single view / single view of customer: An on-demand view created of a customer’s information that enables them to be treated as a unique person, rather than as a collection of seemingly unconnected life events and travel documents.

Death registration: The process of registering the death of a person.

Deprivation: The formal act of removing an individual’s right to New Zealand citizenship under the Citizenship Act 1977.

DIA: Department of Internal Affairs

Emergency Travel Document: A document (other than a passport, certificate of identity or a refugee travel document) issued by or on behalf of the Government of New Zealand to any person who may be a New Zealand citizen for the purposes of urgently facilitating their entry into, or exit from any country, and purporting to establish the identity but not the nationality of that person.


Evidence of Identity: Evidence that provides confidence that an individual is who they claim to be.

Identification details: Details that identify a person.

Identity services: Identity services including life events and travel documents.

Instrument of paternity: A declaration by an individual that they are the father of a child.

Issuance: The action of supplying or distributing something.

Life event: In relation to an individual, includes but is not limited to, the individual’s birth, death, marriage, civil union, name change, citizenship event or celebrant registration.

Marriage celebrant: A person appointed and authorised to act as a marriage celebrant under the Marriage Act 1955.

Marriage licence: A licence to allow two parties to enter into a marriage.

Marriage registration: The process of registering the marriage of two parties.

Name change registration: The process of registering the change of an individual’s name.

New Zealand certificate of identity: A travel document (other than a passport or refugee travel document) issued by the Government of New Zealand to any person not a New Zealand citizen for the purposes of facilitating their entry into or exit from any country. The document states the known identity but not the nationality of that person.

New Zealand citizenship: A person holds New Zealand citizenship if they have obtained New Zealand citizenship by birth, descent, grant, or otherwise than by descent, and it has neither been renounced or deprived.

New Zealand citizenship by birth: A person is a New Zealand citizen by birth if:

• the person was born in New Zealand on or after 1 January 1949 and before 1 January 2006; or

• the person was born in New Zealand on or after 1 January 2006, and, at the time of the person’s birth, at least one of the person’s parents was:

  ○ a New Zealand citizen; or

  ○ entitled in terms of the Immigration Act 2009 to be in New Zealand indefinitely, or entitled to reside indefinitely in the Cook Islands, Niue, or Tokelau.

New Zealand citizenship by descent: The process for obtaining New Zealand citizenship when the individual is born overseas and at least one parent is a New Zealand citizen by birth or grant (except where the individual is entitled to New Zealand citizenship otherwise than by descent).


New Zealand citizenship otherwise than by descent: A person born outside New Zealand shall be deemed to be a New Zealand citizen otherwise than by descent if that person's father or mother is then:

• a New Zealand citizen, or a New Zealand citizen by descent, pursuant to the Citizenship Act 1977; and

• either:

  ○ a head of mission or head of post within the meaning of the Foreign Affairs Act 1988;

  ○ an employee in any part of the State services, or a member of the Armed Forces, on service overseas;

  ○ a person working overseas for the public service of Niue, Tokelau, or the Cook Islands;

  ○ an officer or employee of New Zealand Trade and Enterprise (as established by the New Zealand Trade and Enterprise Act 2003) on service overseas;

  ○ an officer or employee of the New Zealand Tourism Board (as established by the New Zealand Tourism Board Act 1991) on service overseas.

New Zealand citizenship by grant: The process for obtaining New Zealand citizenship when the individual is born overseas, applies for citizenship, satisfies the Minister that the individual meets the requirements and attends a ceremony if required.

New Zealand passport: A travel document issued by the Government of New Zealand to a New Zealand citizen.

New Zealand refugee travel document: A travel document (other than a passport, emergency travel document or a certificate of identity) issued by the Government of New Zealand to a refugee to facilitate international travel.

Non-registered information: Personal information that is not recorded on a register held and maintained under an Act or Regulation.

Record flag: An internal status indicating that a particular event has occurred or that further checks are required when dealing with the record.

Registered information: Personal information recorded on a register held and maintained under an Act or Regulation.

Registrar-General: The Registrar-General appointed under section 79(1) of the Births, Deaths, Marriages and Relationships Registration Act 1995.

Renunciation: The formal act of giving up an individual’s right to New Zealand citizenship under the Citizenship Act 1977.

Role: A position established under a contract of employment, a contract of service or any Act or Regulation.

SDO: Service Delivery and Operations. Business branch within DIA responsible for Identity and Passport Services, Charities Services, Births, Deaths, Marriages and Citizenship, Community Operations, Customer Services and Pou Ārahi.

Single view of customer / customer single view: An on-demand view created of a customer’s information that enables them to be treated as a unique person, rather than as a collection of seemingly unconnected life events and travel documents.


Social media account: An account, ‘handle’ or profile used by an individual or organisation for the purpose of facilitating access to and participation in a social media site.

Source document: A document that informs the content of a public or closed register.

Supporting document: A document provided in support of an application.

Travel document: A document that is a New Zealand passport, a New Zealand certificate of identity, an emergency travel document or a New Zealand refugee travel document.

3. Related documents

The following documents are related to the PIA:

• Draft Information Sharing Agreement (AISA) for Identity Services Provided by Department of Internal Affairs.

• Public Consultation: Information Sharing Agreement for Identity Services Provided by Department of Internal Affairs.

4. Overview

4.1. Background

The Department of Internal Affairs (DIA) is transforming the way New Zealanders access identity and life event services – putting customers and their whānau at the heart of what we do. Effective information sharing is essential for turning this vision into reality.

DIA is the guardian of core identity and life event services on behalf of New Zealanders; these include the registration of New Zealand births, deaths, marriages, civil unions and name changes, citizenship and New Zealand travel documents.

Personal information relating to DIA’s identity and life event services is collected under different pieces of legislation and for different purposes. As a result, we need to be clear about the intended uses of this information where these uses go beyond the core purposes that the information was initially collected for. This also enables us to give New Zealanders visibility and a clear understanding about how their personal information, held by DIA, will be used to facilitate and streamline service delivery.

DIA already uses the personal information it holds to streamline application processes for its customers. For example, customers applying for a New Zealand passport are not required to provide their birth or citizenship certificate to prove their entitlement to hold a passport. The relevant information is confirmed using an internal, ‘behind the scenes’ check which is facilitated by existing Information Matching Agreements.


At present DIA can only use the personal information that it holds about an individual (customer) to view a single identity or life event for the individual. In future, DIA proposes to create a temporary joined up view to link all of the customer’s identity and life event information for the purpose of streamlining services.

DIA also uses identity and life event information for law enforcement purposes, such as prevention, detection, investigation, prosecution and punishment of related offences, and to improve the quality and consistency of the information we hold.

The new agreement will replace the following existing agreements:

• Births, Deaths and Marriages / DIA Passport Application Processing Information Matching Programme July 2003

• Citizenship / Passport Application Processing Information Matching Programme August 2003

• Citizenship / Births, Deaths and Marriages Application Processing Information Matching Programme 2009

• Citizenship / Births Information Matching Programme 2005

4.2. AISA objectives

The information sharing agreement has been developed under Part 9A of the Privacy Act 1993 to enable the Department of Internal Affairs (DIA) to share personal information about individuals between business units to assist with the provision of identity services.

The objectives of the agreement are to:

a) enable DIA to provide customer centred services;

b) gain customer service efficiencies and reduce compliance load for customers associated with provision of personal information through facilitating increased collaboration;

c) enable prevention, detection, investigation, litigation of civil proceedings and prosecution of crime relating to life events or travel documents, and the punishment of related offences;

d) enable cleansing and updating of records upon the death of an individual or deprivation or renunciation of their New Zealand citizenship; and

e) apply Privacy by Design principles in the development and operation of the information sharing.

4.3. AISA purpose

The purpose of the information sharing is to:

a) create an on demand, temporary single view of an individual DIA customer to facilitate provision of identity services;

b) notify customers of services they may be entitled to;

c) enable evidence of identity validation;

d) ensure, when applying for additional identity services, that customers are not required to provide identity and life event records that DIA already holds;

e) ensure eligibility requirements are met prior to the registration of a life event;

f) ensure eligibility requirements are met prior to the issuance of a travel document;

g) ensure eligibility requirements are met for roles that require New Zealand citizenship;

h) cleanse or update identity and life event records upon the death of an individual;


i) update identity and life event records upon the renunciation or deprivation of an individual’s New Zealand citizenship; and

j) enable prevention, detection, investigation, litigation of civil proceedings and prosecution of crime relating to life events or travel documents and the punishment of related offences.

4.4. Benefits to society

The AISA provides the following benefits to society:

• to create an on demand, temporary joined up view of each customer’s details so that we can treat our customers as people;

• a reduction in the amount of information that must be supplied to DIA when applying for services to ensure that customers do not have to resupply information we already hold about them;

• visibility and a clear understanding about how customers’ personal information, held by DIA, will be used to facilitate and streamline service delivery;

• increased trust in DIA provided identity services; and

• enhanced fraud protection for identity and life event information held by DIA.

5. PIA development process

This PIA has been developed based on:

• The draft Information Sharing Agreement;

• Conversations with staff from relevant business units;

• Feedback from the legal team within the Department of Internal Affairs;

• Feedback from the Government Chief Privacy Office; and

• Consultation with the Office of the Privacy Commissioner.

6. PIA scope

This Privacy Impact Assessment (PIA) is being conducted to support the case for approval of the information sharing agreement as an Approved Information Sharing Agreement (AISA) under Part 9A of the Privacy Act 1993. That approval requires an Order in Council. The approval process is rigorous and includes the requirement to conduct public consultation.

The PIA addresses the privacy implications and risks that will result from the proposed AISA becoming operational. It does not consider the proposed implications and risks associated with the use of the information. These will be addressed in the PIA(s) relating to the services that use the received information.

The PIA does not examine the existing arrangements facilitating information sharing within DIA. These arrangements are well established, and this PIA is not an audit of existing practices. The proposed AISA will have no effect on the majority of these existing operational processes. Upon becoming operational the AISA will replace four of the existing internal agreements.

This PIA also does not examine the dissemination of information from DIA to other agencies. The proposed AISA will have no effect on the current external information sharing arrangements.


7. Personal information

7.1. Types of personal information to be shared

Under the AISA, DIA will share personal information internally relating to identity and life events about an identifiable individual. Information that is not about an individual will not be shared under the agreement.

The following diagram depicts the information flows:

[Diagram: information flows. Labels: Customer Single View; Customer Services; Citizenship; Passports; Births, Deaths, Marriages]

7.2. Information to be shared under the AISA

Personal information that can be shared under the AISA is as follows:


Provided Information | Allowable Purposes Detailed in the AISA

Information contained within the birth register and copies of related source documents, excluding pre-adoptive birth registrations and pre sexual assignment or reassignment birth registrations | All

Information contained within the death register and copies of related source documents | All

Information contained within the marriage register and copies of related source documents | All

Information contained within the civil union register and copies of related source documents | All

Information contained within the name change register and copies of related source documents | All

Information contained within name change lodgements and copies of related source documents | All

Information contained within the marriage and civil union celebrant registers and copies of related source documents | Clause 3.2 paragraphs (a) – (e), (h) and (j)

Information contained within the citizenship by grant register and copies of related source documents | All

Information contained within the citizenship by descent register and copies of related source documents | All

Information from the register of citizenship confirmed under the Citizenship Act 1977 or under another Act and copies of related source documents | All

Information contained within the citizenship renunciation and deprivation registers and copies of related source documents | Clause 3.2 paragraphs (a) – (g), (i) and (j)

Information contained within overseas death certificates | All

Information contained within overseas name change certificates | All

Information contained within overseas marriage and civil union dissolution certificates | Clause 3.2 paragraphs (a) – (f) and (j)

New Zealand passport records, copies of related application forms and supporting documents | All

New Zealand emergency travel document records, copies of related application forms and supporting documents | Clause 3.2 paragraphs (a) – (d) and (f) – (j)

New Zealand certificate of identity records, copies of related application forms and supporting documents | Clause 3.2 paragraphs (a) – (d) and (f) – (j)

New Zealand refugee travel document records, copies of related application forms and supporting documents | Clause 3.2 paragraphs (a) – (d) and (f) – (j)

Contact records | All

Record flags | All

Phone number(s) | All

Contact address(es) | All


Mailing address(es) | All

Email address(es) | All

Details regarding preferred communication channels, including social media account details | All

8. Privacy assessment

The following table details the summary of personal information involved, its use, and implications of the provisions of the AISA in accordance with the Information Privacy Principles.

Description of the privacy principle | Summary of personal information involved, its use, and implications of the provisions of the AISA | Modified | Link to risk assessment

Principle 1 - Purpose of the collection of personal information

Summary: No additional information will be collected as a result of this AISA. One or more parties are already collecting this information to carry out their functions.

The AISA permits parties to collect necessary information connected to a function or activity, with a lawful purpose. Information obtained through the AISA must be for one of the purposes specified in the agreement.

Modified: No

Link to risk assessment: R01, R03

Principle 2 – Source of personal information

Summary: The AISA permits authorised parties to collect information utilising the customer single view, rather than to seek it directly from the individual, if it meets the purposes of the agreement as depicted in section 7.1.

The AISA does not allow collection directly from a business unit within DIA, public register or closed register.

Modified: Yes

Link to risk assessment: R01, R03

Principle 3 – Collection of information from subject

Summary: Privacy notices are provided to customers when the original information is collected. These notices will be updated to ensure the new purposes contained in the AISA are covered.

The AISA allows information to be collected utilising the customer single view, rather than from the individual concerned.

Modified: No

Link to risk assessment: R03, R05, R07


Principle 4 – Manner of collection of personal information

Summary: It is a requirement for all parties to ensure personal information is collected by lawful means, and is not collected in a manner that is unfair or intrudes unreasonably on the individual concerned.

The AISA does not modify the requirement to comply with this principle.

Modified: No

Link to risk assessment: R03

Principle 5 – Storage and security of personal information

Summary: All communications between parties will be via secure electronic connections using encryption.

All parties will be required to maintain personal information securely in accordance with the New Zealand Information Security Manual (NZISM).

These requirements will not change under the AISA.

Modified: No

Link to risk assessment: R02, R03

Principle 6 – Access to personal information

Summary: Current DIA processes for accessing personal information will be applied when a request for access to information is received. The AISA will not alter this process.

Information provided as a result of a privacy request will include any information received under the AISA.

DIA will assist any persons wishing to file a complaint about a possible interference with privacy.

Current DIA processes for handling privacy requests will remain unchanged under the AISA.

Modified: No

Link to risk assessment: R03, R04, R06

Principle 7 – Correction of personal information

Summary: Changes to personal information provided by the customer will be shared between business units. This will increase the accuracy of the identity and life event information held.

Each party is required to comply with this principle and the AISA does not detract from this requirement.

DIA will assist any persons wishing to file a complaint about a possible interference with privacy.

Current DIA processes for handling privacy requests will remain unchanged under the AISA.

Modified: No

Link to risk assessment: R03, R04, R06


Principle 8 – Accuracy etc. of personal information to be checked before use

Summary: Information disclosed by DIA business units must meet DIA standards for suitability for purpose, and any caveats or warnings about the quality, accuracy, or suitability of the information must be conveyed to the recipient.

The single customer view will be enabled by the creation of a unique identifier (customer object) and used to match currently held records relating to an individual. The matching process will ensure that the most up to date information is used and will therefore improve data quality.

Modified: No

Link to risk assessment: R03, R08

Principle 9 – Not to keep personal information for longer than necessary

Summary: Information will be retained only for as long as there is a business purpose to hold it or as required under the Public Records Act 2005. This remains unchanged and all parties will be required to comply.

Where there is a disposal authority in place this will be followed.

Modified: No

Link to risk assessment: R03

Principle 10 – Limits on use of personal information

Summary: The AISA only permits parties to use information received for the purposes specified in the agreement.

Modified: Yes

Link to risk assessment: R03

Principle 11 – Limits on disclosure of personal information

Summary: The AISA allows one business unit to disclose information to another business unit regarding an individual utilising the customer single view for the purposes specified in the AISA.

Most of the information being shared under the AISA is currently being shared under existing information sharing arrangements.

No information obtained under the AISA can be on-shared with other parties except as required by law or in order to comply with a court order.

Modified: Yes

Link to risk assessment: R03, R05


Principle 12 – Unique identifiers

Summary: A new unique identifier, the ‘customer object’, will be created in the Customer Identity Store.

The Customer Identity Store contains links to the various life event and/or travel document information related to each individual customer. The customer object is recorded within the relevant life event and/or travel document record(s). This allows a single view of the customer to be created on demand within the Customer Centred Management Solution. The ‘customer object’ is for system usage only as it is not visible to customers or staff without privileged access (e.g. database administrators).

It is possible that a unique identifier from one party may be shared internally to ensure all respective parties are referring to the same individual. However, it will be treated as another data item and not used as a unique identifier by the parties that did not assign it to the individual in the first place.

Modified: No

Link to risk assessment: R03


IN-CONFIDENCE Page 15 of 17

9. Risk and benefits assessment

This section describes the privacy risks identified through the PIA process and how it is proposed to mitigate and manage these.

| Ref | Description of the risk(s) | Privacy principle | Mitigations |
| --- | --- | --- | --- |
| R01 | Information is disclosed or used for purposes unrelated to the agreement. | 1, 2 | Clause 7 of the agreement lists the types of information that may be shared. |
| | | | Clause 8 of the agreement details the purposes for which it can be used and explicitly prohibits use of information for any other purpose. |
| | | | Clause 14 of the agreement imposes requirements on the parties to restrict disclosure of information unless the disclosure is required by law or to comply with a court order. |
| | | | Clause 14 of the agreement imposes requirements on the parties to abide by the Public Sector Standard of Integrity and Conduct. |
| | | | Clause 14 of the agreement imposes requirements on the parties to formally investigate any inappropriate access or disclosure. |
| | | | Clause 14 of the agreement imposes the requirement for a regular audit of the operation of the agreement. |
| | | | Clause 14 of the agreement imposes requirements on the parties to ensure that the information is only used for the specified purposes. |
| R02 | Insecure storage or transfer of information. | 5 | Clause 14 of the agreement imposes requirements on the parties to appropriately secure information at rest and in transit. |
| | | | Clause 14 of the agreement imposes requirements on the parties to restrict disclosure of information unless the disclosure is required by law or to comply with a court order. |
| | | | Clause 14 of the agreement imposes requirements on the parties to formally investigate any inappropriate access or disclosure. |
| | | | Clause 14 of the agreement imposes the requirement for a regular audit of the operation of the agreement. |
| | | | Clause 14 of the agreement imposes mandatory reporting to the Office of the Privacy Commissioner for all material privacy breaches. |
| | | | Clause 15 of the agreement specifies how parties should respond in the event of a suspected or confirmed security breach. |
| R03 | Inadequate policies and procedures to preclude information being collected, modified, used, stored, disclosed, and destroyed other than in accordance with the constraints and restriction detailed. | All | Clause 14 of the agreement imposes requirements on the parties to restrict disclosure of information unless the disclosure is required by law or to comply with a court order. |
| | | | Clause 14 of the agreement imposes requirements on the parties to abide by the Public Sector Standard of Integrity and Conduct. |
| | | | Clause 14 of the agreement imposes requirements on the parties to formally investigate any inappropriate access or disclosure. |
| | | | Clause 14 of the agreement imposes the requirement for a regular audit of the operation of the agreement. |
| | | | Clause 14 of the agreement imposes requirements on the parties to verify that personal information shared is of an adequate standard and quality, and that it is not used without being robustly confirmed against the source information held. |
| | | | Clause 14 of the agreement imposes requirements on the parties to ensure information is only used for the specified purposes. |
| | | | Clause 14 of the agreement imposes requirements on the parties to ensure processes are in place for the disposal of information once it is no longer required. |
| | | | Clause 15 of the agreement specifies how parties should respond in the event of a suspected or confirmed security breach. |
| R04 | Difficulties experienced by individuals in obtaining access to and requesting correction of their personal information. | 6, 7 | Clause 16 of the agreement requires all parties to assist with any investigation by the Privacy Commissioner and to have adequate procedures in place to respond to complaints about the interference with privacy. |
| | | | Current DIA processes for access and correction requests remain unchanged as a result of the AISA. |
| R05 | Individuals being unaware of the existence of the AISA and its implications for them and their personal information. | 3, 11 | Clause 12 of the agreement provides information about where the AISA is publicly available and can be accessed. |
| R06 | Individuals having difficulties in filing a complaint regarding an interference with privacy. | 6, 7 | Clause 16 of the agreement requires all parties to assist with any investigation by the Privacy Commissioner, and to have adequate procedures in place to respond to complaints about the interference with privacy. |
| R07 | Individuals being unaware of when they may be subject to an adverse action and not understanding their rights under the Privacy Act. | 3 | Clause 11 of the agreement lists what adverse action parties may take as a result of receiving information under the AISA. This clause also details the circumstances upon which adverse action may occur without notice. |
| | | | Clause 12 of the agreement requires the AISA to be made available on DIA’s website and at one of their offices for public inspection. |
| R08 | Details regarding life events and travel documents are attributed to the wrong individual. | 8 | Clause 14 of the agreement imposes requirements on the parties to verify that personal information shared is of an adequate standard and quality, and is not used without being robustly confirmed against the source information held. |


10. Action plan

This section describes what actions are being taken and the person responsible.

| Ref | Agreed action | Who is responsible |
| --- | --- | --- |
| A01 | Operating procedures relating to the operational aspects of the agreement will be developed. | All parties |
| A02 | All parties will ensure that appropriate policies and procedures are in place to ensure the terms of the agreement are met, and that these are reviewed regularly. | All parties |
| A03 | Regular staff training on the policies and procedures relating to the agreement. | All parties |
| A04 | The agreement will be consulted with the Privacy Commissioner. | Te Ara Manaaki Policy and Privacy Team |
| A05 | DIA will conduct regular internal first line assurance and internal audit of the operation of the agreement to check the safeguards are operating as intended; that they remain sufficient to protect the privacy of individuals; and to ascertain whether any issues have arisen in practice that need to be resolved. | Manager Branch Development & Support, SDO |
| A06 | Post a notification on DIA’s website in accordance with Clause 12 of the agreement. | Te Ara Manaaki Policy and Privacy Team |
| A07 | A hard copy of the agreement will be made available for inspection at DIA Wellington. | Te Ara Manaaki Policy and Privacy Team |
| A08 | Update relevant privacy notices at collection point to reflect the information sharing provision under the agreement. | Te Ara Manaaki Policy and Privacy Team |
| A09 | Post a link to the DIA web page containing the AISA on the Office of the Privacy Commissioner website. | Office of the Privacy Commissioner |