Collection of NGO client data is excessive and disproportionate – Privacy Commissioner

Written by

Privacy Foundation NZ

Published on


Source: Office of the Privacy Commisioner –

A Ministry of Social Development (MSD) policy requiring social service providers to disclose information about all their clients is excessive and inconsistent with the privacy principles, says Privacy Commissioner John Edwards.

The Privacy Commissioner’s report, Inquiry into MSD Collection of Client-Level Data from NGOs, examines the privacy impact of the funding contracts. The new contracts make the provision of personal, identifiable, client data a requirement for receiving government funding, with no ability to ‘opt out’.

The Commissioner acknowledged that “no NGO receives government funding as of right, and it is not only legitimate but important that Government takes steps to ensure the efficacy of any programme it funds. It needs good information in order to do so.”

However the report finds that there has been insufficient consideration given to the possible unintended consequences of the policy change, and insufficient consideration of alternative means of achieving Government’s legitimate aims without risking those consequences.

“There is a real risk that the new arrangement will deter some people who are most in need from seeking support or assistance. Not only could that put those people at further risk, and increase pressure on the NGOs, the ultimate result could be that those individuals become “invisible” to Government and policy makers,” said Mr Edwards.

Privacy risks

The report identifies three main privacy risks from collecting information this way:

  • Individuals may choose to stay away from seeking help at all – leading to worse outcomes for individuals and society as a whole
  • Individuals may choose to provide incorrect information in order to preserve their privacy – leading to inaccurate or useless data for analysis
  • NGOs may allow those clients who are reluctant to have their sensitive information given to MSD to access services without providing their personal information – leading to reduced funding and risks to NGOs’ long-term viability and the “invisibility” to the system of a significant cohort of individuals in need of support.

Lack of clear purpose for collection

One of the report’s main findings is that MSD has not clearly explained its purpose for requiring individual client information.

NGOs have reported to us that MSD has not been able to definitively say what the client level information will be used for, who it will be disclosed to, and more importantly, what kinds of potential future uses will be ruled out.

Mr Edwards said he would like to see MSD explore less privacy-invasive means of achieving government’s legitimate objectives. One of the options that warrants further thought would be to have Statistics New Zealand receive the information, and provide the analysis to the Ministry on an anonymised basis.

“My expectation is that data requirements for funding purposes should have sufficient flexibility to enable people to access services safely and not be deterred from seeking help or support – and thereby be put in greater harm – because of a concern about the confidentiality of the visit.”

Mr Edwards noted that “this programme heralds a new way of delivering, funding and assessing public services under the social investment strategy. It is very important, for the success of future programmes that it proceeds with caution, and takes steps to build and maintain the trust of the New Zealanders it is intended to help.”


  • MSD should consider alternative methods for accomplishing its goals, such as having the information collated and analysed by Statistics New Zealand.
  • MSD must ensure its information collection practices do not deter vulnerable individuals from receiving necessary help. MSD should consider how it can meet its policy objectives in ways that infringe less on personal privacy and reduce the risk of unintended adverse consequences for New Zealand’s most vulnerable people.
  • MSD must ensure that its purposes for collecting, holding, using and disclosing information are specific, relevant to its functions and clearly conveyed, and the information collected is necessary to achieve these purposes.
  • MSD must ensure that its security procedures for holding, using and disclosing ICLD are robust, well-documented and transparent.


Notes for Editors

  1. The Privacy Commissioner’s Inquiry into MSD Collection of Client-Level Data from NGOs has been carried out under section 13 of the Privacy Act 1993. Section 13 includes a wide range of functions, such as the ability to inquire into any matter where privacy may be infringed; the ability to provide advice to a Minister; the ability to make suggestions in the interests of privacy, and the ability to make public statements.
  2. The collection and supply to MSD of individual client-level data is a contractual requirement for all MSD-funded NGOs beginning in contracts for the 2016/2017 financial year.
    1. Phase one is from 1 November 2016 – 30 June 2017, during which time MSD will collect identifiable data but the collected information will not be used in a way that identifies individuals.
    2. Phase two is from 1 July 2017, where data will be collected for identifiable use. Under the contracts, NGOs will not be funded for any service that is not connected with an identifiable individual.
  3. MSD funds more than 2,300 NGOs or “social services providers” to deliver around 4,300 contracts supporting children, individuals and families annually. These contracts are linked to MSD’s four service lines – Work and Income, Child, Youth and Family, Family and Community Services, and the Ministry of Youth Development.
  4. The kinds of services provided by NGOs are diverse and include budgetary advice, counselling in response to sexual violence or trauma, respite care for children whose families are in distress, settlement support services for refugees and migrants, elder abuse and neglect services, support for people living with HIV, anti-bullying programmes and others. [We note that after sharing a draft copy of our report with MSD, sexual violence support services received email correspondence from the Ministry on 15 March 2017 informing them that their services would have a minimum 12 month delay in collecting and providing client level data to MSD.]
  5. The information MSD is requiring NGOs to pass on as a condition of funding is: client name, date of birth, gender, primary ethnicity, iwi, number of dependents and date of birth of the youngest dependent (Note: This point has been corrected from the original version).
  6. NGOs already provide aggregated data about the numbers of people receiving services and the results achieved.  Some NGOs already provide detailed information about gender and ethnic breakdown of clients, but NGOs object to the identifiable nature of the information being sought by MSD under this new policy.

A copy of the Inquiry into MSD Collection of Client-Level Data from NGOs report can be viewed here.

A copy of this media release can be downloaded here.

For more information, contact Charles Mabbett: 021 509 735.