Collection of client data "excessive and disproportionate"
Collection of NGO client data is excessive and disproportionate - Privacy Commissioner
6 April 2017
A Ministry of Social Development (MSD) policy requiring social service providers to disclose information about all their clients is excessive and inconsistent with the privacy principles, says Privacy Commissioner John Edwards.
The Privacy Commissioner’s report, Inquiry into MSD Collection of Client-Level Data from NGOs, examines the privacy impact of the funding contracts. The new contracts make the provision of personal, identifiable, client data a requirement for receiving government funding, with no ability to ‘opt out’.
The Commissioner acknowledged that “no NGO receives government funding as of right, and it is not only legitimate but important that Government takes steps to ensure the efficacy of any programme it funds. It needs good information in order to do so.”
However, the report finds that there has been insufficient consideration given to the possible unintended consequences of the policy change, and insufficient consideration of alternative means of achieving Government’s legitimate aims without risking those consequences.
“There is a real risk that the new arrangement will deter some people who are most in need from seeking support or assistance. Not only could that put those people at further risk, and increase pressure on the NGOs, the ultimate result could be that those individuals become “invisible” to Government and policy makers,” said Mr Edwards.
The report identifies three main privacy risks from collecting information this way:
· Individuals may choose to stay away from seeking help at all – leading to worse outcomes for individuals and society as a whole
· Individuals may choose to provide incorrect information in order to preserve their privacy – leading to inaccurate or useless data for analysis
· NGOs may allow those clients who are reluctant to have their sensitive information given to MSD to access services without providing their personal information – leading to reduced funding and risks to NGOs’ long-term viability and the “invisibility” to the system of a significant cohort of individuals in need of support.
Lack of clear purpose for collection
One of the report’s main findings is that MSD has not clearly explained its purpose for requiring individual client information.
NGOs have reported to us that MSD has not been able to definitively say what the client level information will be used for, who it will be disclosed to, and more importantly, what kinds of potential future uses will be ruled out.
Mr Edwards said he would like to see MSD explore less privacy-invasive means of achieving government’s legitimate objectives. One of the options that warrants further thought would be to have Statistics New Zealand receive the information, and provide the analysis to the Ministry on an anonymised basis.
“My expectation is that data requirements for funding purposes should have sufficient flexibility to enable people to access services safely and not be deterred from seeking help or support - and thereby be put in greater harm - because of a concern about the confidentiality of the visit.”
Mr Edwards noted that “this programme heralds a new way of delivering, funding and assessing public services under the social investment strategy. It is very important, for the success of future programmes that it proceeds with caution, and takes steps to build and maintain the trust of the New Zealanders it is intended to help.”
· MSD should consider alternative methods for accomplishing its goals, such as having the information collated and analysed by Statistics New Zealand.
· MSD must ensure its information collection practices do not deter vulnerable individuals from receiving necessary help. MSD should consider how it can meet its policy objectives in ways that infringe less on personal privacy and reduce the risk of unintended adverse consequences for New Zealand’s most vulnerable people.
· MSD must ensure that its purposes for collecting, holding, using and disclosing information are specific, relevant to its functions and clearly conveyed, and the information collected is necessary to achieve these purposes.
· MSD must ensure that its security procedures for holding, using and disclosing ICLD are robust, well-documented and transparent.