Risk assessment guidance

This guidance for the information sharing standard describes how to do a risk assessment and the areas it should cover.

This guidance is in development

This guidance will be updated based on your questions and feedback. If you would like anything added or clarified, email the Government Chief Digital Office (GCDO).

Email: gcdo@dia.govt.nz

Doing a proportional agency risk assessment

The standard for providing non-government third parties with access to, or collection of, government-held personal information requires that agencies do a proportional agency risk assessment.

A proportional agency risk assessment means the depth of the assessment matches the risk involved: only some information sharing arrangements will require a thorough and detailed analysis of the information sharing process and its controls.

Based on their own risk perspectives, agencies determine when an information sharing agreement requires a thorough and detailed analysis.

Use information your agency already has

A proportional agency risk assessment can be informed by information the agency already knows.

Examples — information the agency already has:
  • the maturity and capability of the third party to use personal information
  • the third party’s established processes and policies
  • the sensitivity of the personal information being shared
  • whether access to the personal information is being provided on a controlled basis
  • whether the individual has access to, and oversight of, the use of their information.

When legally binding agreements are needed

The output of a proportional agency risk assessment can highlight that a legally binding agreement between the agency and third party is required when sharing personal information.

Refer to the legally binding agreements guidance for more information. This guidance will be available soon.

Information sharing standard

Existing contracts and assessing risk

Having an existing contract or other legally binding agreement with a third party does not automatically mean that the existing information sharing controls meet the objectives of the standard.

The risk assessment should be used to find out if any clauses need to be added to an agreement to meet the objectives of the standard.

If an existing contract or agreement is being reviewed, any original risk assessment done at the time when the contract or agreement was created should be reviewed as part of this process.

Risk assessment guidance from the Privacy Commissioner

Any agency doing a proportional agency risk assessment should read and apply the Privacy Commissioner’s Poupou Matatapu: doing privacy well framework. This framework has guidance on assessing risk.

Poupou Matatapu: doing privacy well — Office of the Privacy Commissioner

Assessing Risk — Office of the Privacy Commissioner

Areas a risk assessment should cover

A proportional agency risk assessment must consider:

  • the need, purpose, reason and legal authority
  • the type and content of personal information being shared
  • the length of term, frequency and quantity of sharing
  • processes to act in accordance with legislation
  • oversight of personal information held by the third party
  • action in the event of an incident.

Each of these is described below.

The need, purpose, reason and legal authority

Personal information is shared to resolve a public service need and for a defined purpose and reason, under a legal authority in the Privacy Act or another law.

Privacy Act — New Zealand Legislation

Risks to consider:

  • the nature of the personal information, the purposes for which it was collected by the agency, and the purposes for which access is being provided to the third party
  • the legislative basis for access and collection of personal information
  • how to make sure the agency only shares personal information that is necessary for the purpose of the agreement with the third party
  • whether there are any ethical issues with sharing the personal information, and what those issues are
  • the level of implied or explicit authorisation by the individual whose personal information is being shared.

The GCDO has guidance on whether an agency should share personal information and the ethics of sharing personal information.

Consider if sharing information is appropriate

The type and content of personal information being shared

Some aspects of the personal information being shared can increase the risk of harm to the individual if it is shared without appropriate controls in place.

Risks to consider:

  • the sensitivity of the personal information for the individual whom the information is about
  • the classification of the personal information by the agency as defined by the Government Information Security Classification System Policy 
  • the degree to which the information is anonymised, and whether individuals could be re-identified from it
  • if the information is subject to an obligation of confidence
  • any additional risks if the personal information being shared is Māori data, and if additional mitigations are required as a result.

Classification system: guidance on classifying — Protective Security Requirements

Māori Data Governance Model: what is Māori data — Te Kāhui Raraunga

The length of term, frequency and quantity of sharing

How much and how often personal information is shared affects the level of risk, and how the third party can report compliance.

Risks to consider:

  • the quantity of personal information shared
  • the method used to share personal information
  • the length of the agreement if the agreement has a set end date, or if the agreement is tied to the completion of a project or initiative
  • timing of a regular assurance and reporting cycle for ongoing agreements without a set end date.

Processes to act in accordance with legislation

Legislation such as the Privacy Act and the laws government agencies operate under include principles and requirements to properly manage personal information. Agencies also have obligations under Model Standards issued by the Public Service Commission.

Model standards: information gathering and public trust — Public Service Commission

Risks to consider:

  • the appropriate frameworks, policies and operating practices to collect, store, use and disclose personal information
  • any other relationships held by the third party which may increase the chance of cross-matching information
  • the ability of the agency to adhere to the Privacy Act’s information privacy principles
  • the information systems that the agency and third party use
  • the appropriate people in the third party who are authorised to access the personal information
  • any conflicts of interest the third party may have
  • any legislative protections in other laws that may apply when sharing personal information
  • any professional codes of conduct the agency and third party must adhere to.

Privacy Act: information privacy principles — Office of the Privacy Commissioner

Oversight of personal information held by the third party

An agency needs to have oversight of what the third party does with the personal information it has shared. The agency also needs to have assurance that the personal information is being handled properly by the third party.

Risks to consider:

  • the ability for the agency to obtain assurance from the third party and how the third party can provide that assurance
  • the sub-contracting relationships the third party has with other third parties who may use personal information
  • the capability of the third party to protect the personal information shared.

Action in the event of an incident

Privacy and security incidents cannot be prevented entirely by the agency or the third party. Both parties need to know how to identify an incident such as a breach or a near-miss if one happens, and how to inform each other and the appropriate authorities.

Risks to consider:

  • an agency’s legislative powers to intervene with the third party
  • how an agency and a third party can identify a suspected privacy or security breach
  • how an agency and a third party can report a notifiable privacy breach to the Privacy Commissioner as soon as practicable
  • any other potential non-compliance to the agreement.

Breach management: response and reporting — Office of the Privacy Commissioner

Contact us

For further information, to ask questions or give feedback, email the Government Chief Digital Office (GCDO).

Email: gcdo@dia.govt.nz
