Commitment to management of personal information and privacy
We recognise the way we handle personal information is important in maintaining the levels of trust and confidence to which we aspire.
Personal information is acquired by Police in many ways and many forms. It is a highly valued and a key component of our work that enables us to prevent, investigate, detect and prosecute offending; and to keep our communities safe. We acknowledge that our work would be challenging without the trust you have in us to look after the information you give us, and to use it wisely and within the law.
We also acknowledge our responsibilities to comply with the Privacy Act. It includes management responsibilities for personal information within an agency like New Zealand Police. The way we manage personal information and the rights of individuals to have some control over it are spelt out in the following sections.
Engaging with technologies
New Zealand Police is also committed to being transparent about its use of new and emergent technologies.
With this in mind, we have strengthened our governance processes, backed by a formal policy introduced in September 2020. The policy provides guidance for Police staff who are given opportunities to use or test new technology, and outlines the steps required to be taken before new technology can be trialled or introduced. It also applies in situations where extra functionality is being added to an existing technology.
The strengthened governance and policy guidance were recommendations made in a July 2020 assurance report (PDF 1MB), which also recommended that there be ‘deep dive’ assessments undertaken on technologies which have already been rolled out within Police. The first of the ‘deep dives’ to go through the strengthened governance and oversight arrangements was a Privacy Impact Assessment (PIA) on proposed upgrades to the image management work of Police’s National Biometric Information Office (PDF 481KB).
Over time, it is expected that further ‘deep dive’ PIAs, or briefer privacy analysis documents, will be made available, as other technology capabilities are run through the enhanced governance and oversight process. The intention is that such documents will be progressively uploaded to this part of the Police website.
When you report a crime or an incident we will generally collect sufficient information about you and the event to enable us to deal with the matter effectively.
There are potentially other circumstances where we will collect information from you or about you to enable us to fulfil our general purposes to prevent, investigate, detect and prosecute offending. Examples of when we collect information about you may include:
- Checking your driving, either by stopping you or capturing a speed camera image
- Evaluating your competence to own a firearm
- Vetting you for a safety-sensitive role in the community
- Responding to your request for assistance, either because you are the victim of a crime or crash, or because you have witnessed or have information about a crime or crash
- Investigating your behaviour or actions that amount to offending
- Engaging you to assist us with reducing crime or victimisation, reducing road trauma, or reducing social harm in our communities
- Participating in joint investigations with other New Zealand enforcement agencies such as the Department of Corrections, New Zealand Customs Service or Oranga Tamariki–Ministry for Children; or international enforcement agencies with whom we have a relationship.
In many circumstances we will tell you why we are collecting information from you and what we will use it for. In some circumstances, the reason why we are asking you for your personal information will be obvious through our interaction with you. In other circumstances, giving personal information to us is, by law mandatory and we will advise you when that is the case and consequences of not doing so. An example is your obligation to provide certain information if we stop you when you are driving a vehicle. You may be obliged to provide us with your driver’s licence or your full name, address, date of birth, occupation and telephone number.
You may be involved in activity where we may not tell you about information we have collected, particularly if to do so would prejudice our ability to maintain the law (including our role to prevent, detect, investigate and prosecute offences)(see examples under “Use and Disclosure).
There may be circumstances where information is collected automatically for a limited purpose, such as Emergency Caller Location Information (ECLI). See the section about ECLI for further details.
When you visit or engage with us online through our website, for example when making an online 105 non-emergency report, we will automatically acquire information about your online interaction in addition to the personal details that you provide to us. This information would include the IP address (Internet Protocol) that you used to communicate with us.
Use and disclosure of your personal information
Unless we are permitted by law, we will only use or disclose your information for the purposes for which it was originally obtained. In some instances, the information may be forwarded on to others, and generally you will be made aware of those circumstances as the occasion arises, and if we are able to share that detail with you.
These instances may include:
- As a victim or witness of crime, presenting your evidence to Court
- As an offender, providing details and evidence about you to Court
- Sharing information with Victim Support services to assist you following your involvement in a crime or crash
- Providing information to the New Zealand Transport Agency about traffic accidents
- Providing a vetting response to an agency that contemplates engaging you in its service.
Examples where we may not advise you of use or disclosure of your personal information include:
- When we are investigating your behaviour and applying to Court for a production order or a search warrant
- Where we are assisting another enforcement agency to investigate your behaviour
- Where we release information to prevent or lessen a serious threat to public health or safety
- If we are investigating your behaviour and telling you would prejudice our ability to investigate, prevent and detect your or your associates’ offending
- Where we release information about you to prevent or lessen a serious threat to your life or health, or that of another person or group of people
- Providing intelligence information to other agencies to assist with maintaining the law (for example, providing information to Oranga Tamariki about possible child abuse and neglect)
- Sharing information with community members to enable us to investigate or prevent crime or crashes.
- If you are involved in an episode of family violence the Family Violence Act 2018 enables Police to use and disclose information about you and your circumstances if it is necessary to:
- help with a family violence risk or needs assessment;
- help with a decision or plan that is related to family violence; and/or
- help ensure that a victim is protected from family violence.
- Sharing of information about you will occur at regular multi-agency family violence meetings. Organisations that attend or support this meeting may include: Ara Poutama (Department of Corrections), Ministry of Health including the District Health Board, Oranga Tamariki, Accident Compensation Corporation (ACC), Ministry of Education and Ministry of Social Development as well as non-government organisations including organisations such as Women’s Refuge or Iwi providers.
- Only information that is relevant to facilitate the assessments, plans and safety (as outlined above) will be shared. Information shared will only be used for those specified purposes.
Keeping your personal information secure
We consider personal information is an important asset in achieving our purpose, vision and goals. Keeping information secure is vital to us, and we acknowledge that it is essential to keeping your trust and confidence in us.
All of the information that we hold, whether it is in a digital or hard-copy form, is robustly secured both physically and technically; and we have expectations of our staff that they will actively contribute to keeping all of our information safe and sound. Staff that fall short of our expectations are held to account for their actions. Information is protected in accordance with the best industry practices that are available to Police on a commercial and reasonable basis. We also implement physical, technical, and organisational measures consistent with NZ Government security policy to prevent unauthorised access, unauthorised or accidental loss, destruction, or damage to your personal information. In the context of digital information, we use secure servers and any external server providers are scrutinised to ensure we acquire a level of security that adequately protects our infrastructure and which meets the exacting standards set out by the NZ Government security policy.
We also require our staff to use personal information holdings for our business purposes only, and that they take all reasonable steps to ensure the information they intend to use is accurate, up-to- date and not misleading. The integrity of information is crucial to the way we conduct our business.
Building our privacy maturity
The Government Chief Privacy Officer (GCPO) has issued core expectations in a Privacy Maturity Assessment Framework to assist government agencies to adopt good practices in the management and governance of personal information. Good practice, governance and management are significantly influenced by the nature and extent of the personal information that an agency holds.
As already noted, Police holds a broad array of personal information that is acquired from multiple sources. Our personal information holdings include:
- Biographical details of suspects, offenders, their associations and intelligence about them
- Biometric information about offenders including photographs, fingerprints and DNA profiles
- Details about victims of crimes
- Details of people who hold firearms licences
- Details of people who engage with the road transport system such as drivers, road accident victims and vehicle owners
- Information about people involved in emergencies such as natural disasters or search and rescue events
- Details about all of our Police employees.
Interactions with our information holdings are complex and important to how we serve our communities. We also acknowledge that the way we use personal information, and our overall stewardship of it, directly contributes to the trust and confidence which the public have in Police.
Understandably, then, we are committed to improving our maturity levels in managing your personal information.
We use the Privacy Maturity Assessment Framework established by the GCPO to measure our performance and set our aspirations for the future.
The Privacy Maturity Assessment Framework
The Framework assesses the management of personal information against nine elements, a larger range of attributes and rates performance against a five-point maturity scale ranging from ad hoc at the lower end to optimised at the upper end.
The above diagram outlines the 9 core expectations. Each element consists of a number of attributes and criteria against which privacy maturity can be assessed.
Maturity is assessed through a continuum of five possible levels as shown on below.
In 2016 Police assessed its management of personal information maturity as mostly ‘developing’. In 2017 we assessed our maturity as mostly ‘defined’. By 2020, we assessed that we'd achieved further improvement, remaining mostly 'defined', but with some elements moving towards becoming 'embedded', as depicted in the diagram below:
Our longer term goal is to continue to improve our information maturity, acknowledging that further progress will take time, given Police’s size and complexity, and the different functions and purposes for which we acquire personal information.
After the 2020 assessment round, the GCPO reviewed the Privacy Maturity Assessment Framework and introduced a draft framework (PMAF 2021) based on work by the Social Wellbeing Agency. It springboards off a Data Protection and Use Policy about what ‘doing the right thing’ looks like in the social sector around collecting and using people’s data and information. Building and maintaining trust is key.
PMAF 2021 was introduced to agencies as a trial in 2021 to enable the framework to provide feedback to the GCPO about the new content.
PMAF 2021 is divided into four key reporting sections - core expectations; leadership; planning, policies and processes; and privacy domains. Each of the assessment areas are measured against three maturity levels currently described as Informal, Basic and Managed. Additionally, the value attached to the criteria in each reporting section is capable of being weighted according to its importance. Both the maturity levels and the weighting of criteria are expected to change in the final model to be used in 2022.
Our trial reporting this year is in summary form, and the next official self-assessment is likely to have different values and outcomes from this year’s test assessment. Unlike previous yearly assessments, the trial model does not arrive at an overall maturity level. It calculates a maturity level for each criterion in a section.
PMAF 2021 reaffirmed the overall trend observed in previous self-assessments. Police continues to make steady improvements in how it manages personal information. As reported in previous years, though, there remain areas that require focussed attention.
Key areas of development
We have previously highlighted the need to report all forms of privacy incidents, whether they be actual breaches or ‘near misses’. This is an activity that significantly contributes to risk and assurance expectations. And Police’s comprehensive Data Breach Management policy (PDF 348KB) reflects the Privacy Act 2020 notifiable breaches regime. Our agency reporting is increasing year-on-year, suggesting a maturing privacy culture. However, there remains room for further improvement.
We will continue to evaluate our practices and maturity in managing personal information on a yearly basis and report the results. In 2022, we are likely to use the updated version of PMAF 2021 and will introduce a new diagram to reflect our journey towards privacy best practice and culture.
We have operated a New Zealand Police website at www.police.govt.nz for several years. Our rules about this website inform you:
- that you can browse our website without providing personal information
- what personal information we collect, use and disclose in accordance with the law (for specific services like news alerts or job postings)
- how you can contact us is you have any queries or concerns about our privacy policies
You can browse our website without providing personal information
You can access and browse our site without disclosing your personal information. We do not automatically record personal information and we do not link information that is recorded automatically with personal information about specific individuals. We do not attempt to identify users or their browsing activities unless they choose to give us personal information.
We automatically record some non-personal information
If you visit our website to read or download information, we automatically record some non-personal statistical information, including;
- the type of browser you use
- the type of operating system you use
- the screen resolution of your PC
- the date and time you access our site
- the pages you have accessed, the links clicked on, and the documents downloaded
- the internet address from which you accessed our site (i.e. IP address)
- the search terms you used to find content on our website, and
- the last site you visited from which you accessed any New Zealand Police website.
New Zealand Police also use the Google Analytics tool to collect and view non-personal visitor statistics so we can:
- discover what information is most and least used
- determine technical design specifications, and
- help make our site more useful to our visitors.
Cookies are text files placed on your computer to collect standard internet log and visitor behaviour information in an anonymous form – that is, cookies do not collect personal information.
- for managing subscriptions to news alerts to ensure that only you can change your subscriptions
- wherever a “math question” or other CAPTCHA is used to prevent automated spam submissions
- to remember the options you selected when using a mobile device.
You have the ability to accept or decline cookies by modifying the settings on your browser. Disabling cookies will not stop you from using the New Zealand Police website but it will mean that:
- you can no longer subscribe, manage your subscriptions or unsubscribe, and
- you will not get improved browsing experiences that cookies enable.
When do we collect personal information on the website?
We collect personal information when you:
• fill in an online form
• subscribe to a service (such as news releases or job postings), or
• correspond with us.
For example, when you sign up to receive news releases or media reports, we will collect your email address, or when you fill in the change of details form for firearms licence, you submit personal information such as name, address and contact details.
Subscribing to a service
If you subscribe to a service through the website, we record your email address in a database. We use your email address only for the purpose of sending you the service. We will not disclose your email address to any third parties.
Subscribing to news releases or incident alerts implies that you have given your consent to receive emails from us as defined in the Unsolicited Electronic Messages Act 2007. You can unsubscribe at any time by visiting the subscription page for the service you wish to terminate, entering your email address and choosing “Unsubscribe”.
What is your personal information used for?
If you choose to provide personal information when adding material to the New Zealand Police website, it may be viewable by site administrators, certain Police staff and contractors (including third parties) providing administrative, maintenance or other services relating to the website. We do not currently run online forums or similar user-generated discussion sites viewable to members of the public, but in any case please do not transmit personal information of a sensitive nature through the website.
We only use your personal information for the purpose specified at the point of collection (for example, to email a news release to you).
We will not give your personal information to other Government agencies, private sector organisations or anyone else unless:
- you have consented
- you would reasonably expect that information of that kind is usually passed on to those organisations (for example, companies providing services such as web hosting to Police)
- it is for the purpose of preventing or mitigating cyber threats
- it is otherwise required or authorised by the Privacy Act or any other law ( for example, to prevent offending, for law enforcement or to prevent or lessen a serious threat to anyone’s health and safety)
- it will be used in a way that will not identify you (for example, in the context of statistical or research work).
Requesting access to, or correction of, your personal information
You can ask to view or correct information we hold about you. Unless the staff member dealing with your access request knows you, we will ask you to identify yourself. We will need to sight a primary and secondary form of identification, one of which has to be a photograph of you. A form for this purpose is contained on our website. The form sets out how you go about establishing your identity.
We will usually allow you to have access to the information that we hold about you, in the way that you prefer, unless there is good reason to the contrary. We will discuss the options with you. The nature of our information holdings means we may also responsibly withhold information from you in accordance with grounds set out in the Privacy Act. We will discuss that sort of outcome with you.
We will always attempt to provide you with access to your information in a timely manner, but how long we take will always be dependent on the nature of your request, and the volume of information we have to deal with to meet your request. In responding to your request, we will keep in mind the expectations of the Privacy Act. If you are defending criminal charges in Court, your request will be managed according to the provisions of the Criminal Disclosure Act.
You can use the same form to ask us to correct information that we hold about you. The law permits us to decline to correct information where we do not believe any correction is appropriate. However we will assist you to have a suitable statement attached to the relevant record.
If you have concerns about how we have managed your information you can lodge a complaint online by filling out our form and specifying the privacy concern you have.
Alternatively, or as well, you could contact the Privacy Commissioner:
Office of the Privacy Commissioner
PO Box 10 094, The Terrace,
Freephone (0800) 803 909
Emergency Caller Location Information
A system has been created that allows automatically generated information about the location of an emergency caller to be made available, at the time of the call, to emergency services. Emergency Caller Location Information (ECLI) is obtained from two sources:
- Where a caller is using an enabled mobile device, this device will automatically send high-precision location information to the emergency services.
- Where a caller is using any mobile device, the emergency call will trigger the sharing by network operators of lower-precision location information derived from the location of the cell tower closest to the mobile device.
The system is managed by the Ministry of Business, Innovation and Employment and the process and system has been included in a Code of Practice issued by the Privacy Commissioner. The Ministry maintains a Location Area Service which processes ECLI and makes it available to Police and other emergency services.
ECLI is automatically sent to emergency response agencies such as Police, local ambulance services and the New Zealand Fire Service.
The ECLI will enable emergency response agencies to determine the location of the caller and an emergency incident. This will assist emergency response agencies to be more efficient and effective when responding to emergencies.
Police will only hold the ECLI for the purpose of responding to an emergency call and will keep a record of the information that was relied upon to respond to the call.
Check out our pages on “Calling Emergency 111”.