He kaupapa nui ki a mātau te matatapu me ta haumarutanga We take privacy and security of information seriously

We are regularly provided with large amounts of personal information. Keeping this information private and secure is extremely important to us.

Making sure we use information responsibly

We are committed to respecting the privacy, human rights, and ethical interests of our clients. We believe that using personal information in a safe and respectful way will achieve better outcomes for the owners of the information as well as for the Ministry.

We are embedding a te ao Māori approach into our information privacy and security design and assurance, to ensure that we include Māori data sovereignty requirements in our approach to being kaitiaki of people’s personal information.

We have developed further tools as part of our Privacy, Human Rights and Ethics (PHRaE) Framework, and have further matured our approach to building PHRaE thinking into how we design and deliver new products and services.

Our focus has been on integrating our privacy and security experts into service delivery teams. These experts can provide timely joined-up advice and risk assessments that consider all aspects of information use, so that risk can be designed out and new or improved products and services have privacy and security considerations built in from the beginning.

We want to make sure that those protections do not erode over time. We have initiated assurance activities over key risk areas and monitor our progress in improving our privacy and security maturity. This is an area we will continue to grow and improve.

Reviewing privacy protections in serious fraud investigations

Following the Privacy Commissioner’s publication in early 2019 of the results of an inquiry into our use of powers in relation to serious fraud investigations, we have updated the Code of Conduct that governs how we use our statutory powers under Schedule 6(2) of the Social Security Act 2018. 

We consulted with the Privacy Commissioner on the development of the Code, and with other key stakeholders such as Community Law.

The new Code and the associated protections and assurance activities came into force on 1 March 2021. We will review the Code after 12 months to ensure that it remains fit for purpose and is being appropriately applied in our integrity intervention services.

Sharing information with other agencies

As lead agency, we are responsible for reporting against two approved information-sharing agreements (AISAs) with other agencies. One AISA is with the Ministry of Education and Oranga Tamariki for providing services to help disengaged youth move into education, employment or training, and the other is with the New Zealand Customs Service for the supply of information regarding arrivals into and departures from New Zealand.

The reports on these AISAs can be found in Appendix 3.


  1. Data sovereignty typically refers to the understanding that data is subject to the laws of the nation within which it is stored. Indigenous data sovereignty perceives data as subject to the laws of the nation from which it is collected. Māori data sovereignty recognises that Māori data should be subject to Māori governance. It supports tribal sovereignty and the realisation of Māori and iwi aspirations.