06 December 2021

Candidate rights to privacy are important, and good privacy practice empowers board appointment considerations and research.

The Government Chief Privacy Officer function2 advice can be used by agencies to help align their processes with the requirements of the Privacy Act 2020. This advice is not legal advice and agencies should consult their own solicitors or the Office of the Privacy Commissioner for legal advice.

Note that the Ministry of Justice maintains the Criminal Record Check service which is used by most government agencies and many private employers.

Good privacy practice empowers board appointment considerations and research. The following advice can be used by agencies to help align their processes with the requirements of the Privacy Act 2020.

This advice is from the Government Chief Privacy Officer function based in the Digital Public Service branch of the Department of Internal Affairs. This section also includes further advice and resources from the Government Chief Digital Officer and the Government Chief Information and Security Officer function leaders.

Highlights from the Privacy Act 2020

Collect only what you need, for a purpose, and directly from the applicant. If any personal information is collected not from the applicant or not from a publicly available source (e.g. reference checks) document this. Be transparent about what’s being collected and what it’s being used for. Consider proactively releasing personal information to applicants once the process has finished.

Information needs to be checked for accuracy and deleted according to agencies’ document destruction schedules and the Public Records Act 2005.

Information should not be reused or shared with another agency without good reasons, and these should be thoroughly documented. These good reasons are listed in detail in Information Privacy Principles 10 and 11 (section 22 of the Privacy Act 2020).

You should have authorisation from the applicant if you’re going to share their personal information with a foreign person or entities if that foreign privacy environment does not have privacy similar safeguards as New Zealand does.

Collect information for a purpose

Personal information received from applicants should only be used for considering their appointment to a board. Personal information received during this process should not be reused without the applicant’s permission. If the purpose is to consider the applicant for multiple boards, this should be made clear when collecting the applicant’s information.

Collect, store and use only what you need. At the end of the appointment process, delete any information provided to you proactively by the applicant that is not required at the beginning of the process.

Collect information from the applicant

Information needed for appointment consideration should be collected from the applicant directly.

If further information about the applicant is needed, a clear decision should be recorded in agency notes attached to the appointment process about why more personal information needs to be collected about the individual from a third party or another source.

You can obtain and record information in the public domain without informing the applicant, such as copies of their social media profiles or news articles, within good reason related to the appointment process.

The Department of Internal Affairs has published the Identification Management Standards that provides assurance that an organisation has the right information about the right entities, helping minimise the risk of identity fraud and loss of privacy.

Transparency on collecting information

When collecting personal information, agencies should be transparent why personal information is being collected and who will be receiving it. An example can be why an agency needs to collect education qualifications to consider the applicant for a board position.

Information Privacy Principle 3 contains a list of requirements agencies must do when collecting personal information. This includes being transparent about the intended recipients who will receive the information collected, the purpose for collection, and if the information collection is authorised or required by or under law.

Fair, lawful and reasonable collection

When collecting personal information agencies should do so by lawful means, and in a way that’s fair and doesn’t unreasonably intrude on the applicant’s personal affairs.

All Public Service and non-Public Service agencies must meet the New Zealand Government Web Accessibility Standard 1.1 and the Government Web Usability Standard 1.3, which can help those with accessibility issues to have a fair method of providing personal information to agencies.

Storage and security

Reasonable security safeguards should be in place to prevent loss, unauthorised access, use, modification or disclosure, and other potential misuse of the personal information collected.

Appropriate security safeguards should be applied to both physical paper files and files saved digitally in an electronic content management system with appropriate classifications and security restrictions so that only relevant staff can view the information.

Further guidance on information security and classification can be found at Protective Security Requirements.

Access and correction

An individual may at any time request confirmation if the agency holds personal information about them, and request access to their personal information. An individual can also request an agency to correct their personal information.

Agencies should be clear how applicants can access both the personal information they provided for the appointment process and information the agency received following required checks and cross-referencing.

Demand for these requests may occur from unsuccessful applicants who will want to know more about why they were not successfully appointed. You may wish to provide a direct link to your agency’s privacy statement available on your agency’s website, which will include contact details for the agency’s privacy officer.

Agencies should consider proactively releasing information to applicants when the appointment process has finished; see the note about Delete when no longer needed below.

Accuracy before use

While most personal information received by an agency will be accurate, agencies will need to decide how valid certain personal information is for appointing an applicant to a board. For example, agencies should record their decision on why a reference letter that’s several years old may be accepted or not accepted.

Consideration should be given for open-source material collected during the appointment process. Social media posts that are several years old may not accurately reflect the individual as they are today. Reporting in overseas media about the individual, especially in countries where press freedom is strictly limited, may be unfairly biased and inaccurate.

Delete when no longer needed

Information collected should be deleted when no longer required. This includes personal information of unsuccessful applicants. The Public Records Act 2005 has requirements on how long information should be kept by Public Service agencies.

Agencies should consult their document destruction schedule for guidance on how long to keep personal information. Archives New Zealand can provide further information and guidance.

It’s an offence under the new Privacy Act 2020 (section 212) to destroy information when an agency knows that a request for that information has been made. Agencies may consider proactively providing personal information to successful and unsuccessful applicants to minimise the risk of deleting information that may be requested by an applicant.

Limits on use of personal information

Personal information submitted by applicants for a position should only be used for that purpose. There are several exceptions listed in Information Privacy Principle 10. Officials in agencies should consult their privacy officer for advice on appropriate reuse of personal information.

Limits on disclosure of personal information

Agencies should not disclose personal information to another person or agency unless the agency believes on reasonable grounds that one of the reasons in Information Privacy Principle 11 applies. As above, officials should consult with the privacy officer for advice about sharing information with another person or agency.

It’s important that applicants are aware that their information may be shared with another agency for a set purpose so that they’re informed and aware when they provide authorisation; an agency can share information with another person or agency if the applicant authorises it.

If an agency receives information from an applicant that is demonstrably false, and that agency knows that the individual has supplied the same false information to another agency, the first agency can consider sharing the evidence that the information supplied is false. The agency must consider this with their privacy officer before sharing.

Disclosing personal information overseas

This affects Limits on disclosure of personal information above only.

If an agency needs to share information with a foreign person or entity such as a previous employer, education institute, or government function, the agency must be confident that the applicant’s personal information will be treated in a way that is similar to New Zealand’s privacy safeguards in the Privacy Act 2020.

When an agency begins to check with a foreign person or entity about an applicant’s personal details, and the agency doesn’t believe that foreign country has comparable privacy safeguards to New Zealand, the applicant should be informed by the agency that they’ll be checking with those specific foreign people or entities, and that those foreign people or entities may not be required to hold their personal information with privacy safeguards comparable to New Zealand.

The above is not required if the foreign person or entity:

  • does business in New Zealand
  • is subject to privacy laws in that country in which, similar to the Privacy Act 2020, the foreign person or entity is required to protect the information (for instance an agency may set up appropriate clauses in a contract)
  • is in a prescribed binding scheme or country. Information Privacy Principle 12 covers this in more

Officials should consult with their privacy officer if they’re not confident a foreign person or entity is not subject to privacy laws comparable to the Privacy Act 2020, and should record their decision making. Further guidance on sharing information with foreign people and entities, including a decision-tree, is available from the Office of the Privacy Commissioner.

Unique identifiers

Unique identifiers are only to be used if it’s necessary to do one or more functions efficiently. Agencies should strongly consider if it’s necessary to assign unique identifiers to individuals for the purpose of board appointments. Information Privacy Principle 13 covers more information about unique identifiers and their use.


2The Government Chief Privacy Officer function is an all-of-government functional leader based in the Digital Public Service branch of the Department of Internal Affairs.