Government agencies: IPP3A obligations for inter-agency data sharing

Government agencies are not exempt from the Privacy Act. When one agency collects personal information about an individual from another agency, IPP3A applies — the individual should be made aware of the collection.

Common inter-agency data sharing

• IRD sharing income data with MSD for benefit assessments
• ACC accessing health records from DHBs
• MBIE sharing immigration data with Police
• NZTA sharing driver licence data with courts

Approved Information Sharing Agreements (AISAs)

The Privacy Act provides for Approved Information Sharing Agreements — formal agreements between agencies that authorise specific data sharing and may modify the IPP requirements. If an AISA is in place, the agencies must comply with its terms (which may include modified notification requirements).

Without an AISA

Where there is no AISA, standard IPP3A applies. The receiving agency must take reasonable steps to notify the individual that it has collected their information from the other agency.

DEIS for government

DEIS allows government agencies to record IPP3A compliance for inter-agency data access. The system supports the AISA pathway (recording the agreement reference) and standard pathways. The evidence trail satisfies both Privacy Act requirements and government record-keeping standards.