What is the main takeaway from "Government agencies: IPP3A obligations for inter-agency data sharing"?
When government agencies share personal information between themselves, IPP3A still applies. Here is how to manage it.
What should NZ businesses do to stay compliant?
Document the IPP3A pathway for every third-party lookup, retain evidence with timestamps, and respond to access requests within statutory deadlines. DEIS automates pathway capture, notifications, and audit exports.
Is DEIS a legal adviser?
No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.
Government agencies are not exempt from the Privacy Act. When one agency collects personal information about an individual from another agency, IPP3A applies — the individual should be made aware of the collection.
Common inter-agency data sharing
IRD sharing income data with MSD for benefit assessments
ACC accessing health records from DHBs
MBIE sharing immigration data with Police
NZTA sharing driver licence data with courts
Approved Information Sharing Agreements (AISAs)
The Privacy Act provides for Approved Information Sharing Agreements — formal agreements between agencies that authorise specific data sharing and may modify the IPP requirements. If an AISA is in place, the agencies must comply with its terms (which may include modified notification requirements).
Without an AISA
Where there is no AISA, standard IPP3A applies. The receiving agency must take reasonable steps to notify the individual that it has collected their information from the other agency.
DEIS for government
DEIS allows government agencies to record IPP3A compliance for inter-agency data access. The system supports the AISA pathway (recording the agreement reference) and standard pathways. The evidence trail satisfies both Privacy Act requirements and government record-keeping standards.