Single Agency Privacy Impact Assessment Template – DATA IN module

This module is for any new single agency analytics activity, conducted by the Joint Border Analytics Centre (JBAC) on behalf of a border agency, that requires the collection of new personal information from an external source. The module assists the requesting border agency to assess the lawfulness of the collection of new personal information. [1]

The objective of the JBAC PIA process and modules is to enable single agency analytics, to better deliver border enforcement functions, in a way that is open, safe, and mindful of the people behind the data.

Governance and accountability
Single agency analytics activities must be initiated by a border agency (the Requesting Agency). The Requesting Agency is responsible for assessing privacy or other risks raised by an activity and approving the activity. The Requesting Agency must involve its privacy and/or legal team as reviewers of this PIA. JBAC can assist involved border agencies to identify or develop analytics activities and manage associated privacy risks, but JBAC cannot approve analytics activities or outputs.

What the module covers
This is a DATA IN PIA module. A new module must be completed for each external dataset JBAC proposes to collect on behalf of the Requesting Agency for the purposes of the activity. It should be noted that if an external dataset has already been collected by the border agency under a lawful purpose (e.g. call record data that has been lawfully obtained from a telecommunications provider under a statutory power) then this is not considered to be an “external dataset” as it has already been lawfully collected by the border agency.

The process in brief
1. Requesting Agency initiates analytics activity with JBAC
2. JBAC completes sections 1 and 2 (in consultation with the Requesting Agency)
3. Requesting Agency completes section 3 (in consultation with JBAC)
4. JBAC completes section 4 to reflect outcome of section 3
5. Requesting Agency’s privacy/legal representatives review completed PIA and add feedback
6. Subject to feedback, PIA is signed by Requesting Agency and privacy/legal reviewer
7. Activity may commence subject to actions or conditions identified in PIA

Section instructions, a glossary at Appendix 1, and explanatory notes at Appendix 2, provide more detail on completing the DATA IN PIA module. Tables are colour-coded (as above) to indicate who should complete them.
RELEASED UNDER THE OFFICIAL INFORMATION ACT 1982
Joint Border Analytics – Single Agency DATA IN PIA – [XRW]
Page 1 of 15
Single-Agency Privacy Impact Assessment – DATA IN module
Complete a separate DATA IN module for each external dataset required for the activity.
1. Governance and contact information
What’s this for? This section records which border agency initiated the analytics activity and the contact details for key staff involved. Note, JBAC will always be involved as the analytics service provider.
Who should complete this? JBAC will complete this section on behalf of the Requesting Agency.
Date PIA commenced: 28/03/2022
JBAC contact person for this activity: s 9(2)(g)(ii) OIA
Requesting Agency: NZCS
Privacy/legal representative for Requesting Agency: s 9(2)(g)(ii) OIA
2. Overview of the activity
What’s this for? This section explains the analytics activity, for the purpose of assisting the Requesting Agency to make the data collection assessment.
Who should complete this? JBAC will complete this section on behalf of the Requesting Agency.
1. What is the name of this activity?
Right Wing Extremism (“RWX”) s 6(c) OIA
2. Briefly describe the activity, including the problem/s it is seeking to address
s 6(c) OIA
s 6(c) OIA
3. How does this activity support the Requesting Agency’s lawful purposes and deliver public benefit? [2]
NZCS
4. What external datasets are required for this activity? [JBAC – add more rows as required before protecting the form]
Dataset | Data elements | Source | Time period | Relevance to activity
s 6(c) OIA
s 6(c) OIA
s 6(c) OIA
5. Where will the analytics dataset be stored and processed? [3]
6. How long will the analytics dataset be retained?
7. What are the intended outputs of this activity?
Analytics models and forecasts (non-identifiable): No
Identifiable intelligence outputs: Yes
s 6(c) OIA
8. Briefly describe the outputs
Analytics models and forecasts: All outputs will be subject to a PIA-OUT where analytics or forecasting were to be involved. None is envisaged at this stage.
Identifiable intelligence outputs: We would refer identified RWX individuals (both overseas based and NZ based) to the Customs Counter Terrorism Unit. s 6(c) OIA
s 6(c) OIA
9. Relevant attached documents
3. External data collection assessment
What’s this for? This section assesses the lawfulness of the collection of the external dataset required to build the analytics dataset for the activity. Where appropriate, explain your answers in the right-hand column.
Who should complete this? The Requesting Agency identified at section 1 must complete this assessment for each dataset being collected to ensure that they are satisfied they have a lawful basis to collect it.
A. Dataset: s 6(c) OIA
Dataset
Data source
1. Are you satisfied that you have a lawful basis to collect this dataset? IPP 2 [4]
No, we do not think there is a lawful basis: Action required
Our enabling legislation: Proceed
This is part of a broader Customs effort in accordance with s 3(c) of the Customs and Excise Act 2018 “to facilitate border control through risk management”, here, NZCS is looking to improve its risk management at the border through identification of possible high risk individuals with RWX beliefs or connections
Yes
Principle 2(2)(a) – publicly available [5]: Proceed
s 6(c) OIA
Principle 2(2)(g)(ii) - research [6]: Proceed
Principle 2(2)(d)(i) – maintenance of the law [7]: Proceed
Principle 2(TBC – Privacy Bill) – serious threat [8]: Proceed
Other: Proceed
2. Are you satisfied that the personal information in this dataset – including data fields or time periods – is reasonably necessary for this activity? IPP 1 [9]
Not sure, we need more information: Action required
No, we need to refine the data requirements: Action required
Yes, the dataset is necessary: Proceed
s 6(c) OIA
NZCS is concerned to identify any potential RWX threats both inside and outside of New Zealand. This information will help identify potential threats for further risk assessment and possible interventions.
s 6(c) OIA
3. Could the people this data relates to view this collection as unfair or unreasonably intrusive? IPP 4 [10]
Proceed
Proceed
Yes: Action required
s 6(c) OIA
4. Are there any statutory restrictions on the use or retention of some or all of the information in the dataset?
No: Proceed
No
N/A
Yes: Action required
5. Do relevant JBAC and/or Requesting Agency staff have the correct security clearances to access this dataset?
Yes: Proceed
s 6(c) OIA
No: Action required
5. Privacy/Legal team comments
s 9(2)(h) OIA
6. Can the collection and use of this dataset proceed?
Yes - Approved by:
Yes, but:
We need more information to establish data relevance
We need to refine the data requirements s 6(c) OIA
We need to address statutory restrictions [populate R2]
This could be perceived as unfair or unreasonably intrusive [populate R4]
We need to ensure correct security clearances are in place [populate R5]
Other [populate other]
No - Because:
We have no lawful basis to collect [populate R3]
Other [populate other]
4. Privacy risks, mitigations and actions
What’s this for? This section captures any risks generated by the outcome of section 3. JBA or the Requesting Agency can also add more risks and mitigations here. Some risks that cannot be mitigated will require an action (such as removing an external dataset) and others will require mitigations (such as refining data requirements, establishing data destruction rules or data refresh processes).
Who should complete this? JBAC will complete this section on behalf of the Requesting Agency but the Requesting Agency may also add content as required.
Risk | Mitigation/Action | Responsible | Date complete
R1 No: We are collecting information that is not necessary for the purposes of the activity | s 6(c) OIA | Chief Data Scientist, JBA |
s 6(c) OIA
R2 NO: There are statutory restrictions that must be met | N/A | |
R3 No: The Requesting Agency has no lawful basis to collect a dataset | N/A | |
R4 No: A dataset is being collected in a way that could be viewed as unfair or unreasonably intrusive | s 6(c) OIA | CTS Counter-Terrorism |
R5 No: The Requesting Agency needs to ensure the correct security clearances are in place | N/A | |
Other | N/A | |
5. Data collection sign off
What’s this for? This section captures Requesting Agency approval for the collection of the external dataset and also records that this PIA has been reviewed by the Requesting Agency’s Privacy Officer or team. An activity cannot proceed until this section has been completed.
Who should complete this? Requesting Agency approval must be manager level or above.
Requesting Agency
Data collection approved by
Privacy review by
s 9(2)(g)(ii) OIA
s 9(2)(g)(ii) OIA
Date: 13/06/2022
Date: 17/05/22
s 9(2)(g)(ii) OIA
Date: 20/06/22
JBAC
PIA reviewed by
s 9(2)(g)(ii) OIA
Date: 4 June 2022
Appendix 1: Glossary
This
Means
Activity
an agreed and authorised (by the Requesting Agency) use of data analytics to produce a set of outputs that may include analytics models, forecasts or identifiable intelligence outputs.
Adverse action
any action that may adversely affect the rights, benefits, privileges, obligations, or interests of any specific individual; including any decision:
i. to make an assessment of the amount of any tax, levy, or other charge, or of any contribution, that is payable by any individual, or to alter any such assessment:
ii. to investigate the possible commission of an offence:
iii. to make a deportation order in relation to the individual, to serve the individual with a deportation liability notice, or to deport the individual from New Zealand.
Analytics forecasts
forecasts designed to look forward at possible future patterns of border risk using historical information. These products contain
no personal information.
Analytics models
models that identify a class of goods, craft and/or people who present an increased or decreased risk at the border. The output of
analytics models offers a score based on weighted predictors. These products contain no personal information but may be used
by border agencies to create personal information (as a result of running the model).
Border agencies
DIA, DOC, MBIE, MPI or NZCS.
CRISP-DM
Cross Industry Standard Process for Data Science (CRISP-DM). CRISP-DM is an open standard process model that describes
common approaches used by data mining experts. It has six stages – business understanding, data understanding, data
preparation, modelling, evaluation, and deployment.
Data analytics
the discovery, interpretation, and communication of meaningful patterns in data.
Data exploration
the comparison of datasets and data fields through the use of analytical techniques, methods and modelling, in order to better
understand the relationship between datasets or data fields for the purposes of generating analytics outputs.
Data refinement
the possible result of the data exploration process, where datasets or data fields found not to be relevant to desired outputs are
purged from the analytics dataset.
Dataset
a distinct category of data held by the Requesting Agency, by a third-party agency or that is publicly available. Each dataset will
include data fields that may relate to identifiable individuals.
DIA
Department of Internal Affairs.
DOC
Department of Conservation.
Enabling legislation
the legislation which sets out a border agency’s statutory functions and powers and includes the Customs and Excise Act 2018,
Biosecurity Act 1993 and Immigration Act 2009.
Identifiable intelligence outputs
the result of an analytical process which produces identifiable information. The output may identify previously unknown
relationships or indicate a known or unknown level of risk for an individual.
JBAC
Joint Border Analytics Centre; MPI, NZCS and MBIE/Immigration analytics experts delivering technical solutions and insights at the
request of border agencies. The team is operationally focused.
MBIE
Ministry of Business, Innovation and Employment, which includes Immigration New Zealand.
MPI
Ministry for Primary Industries.
NZCS
New Zealand Customs Service.
Personal information
any information about an identifiable individual (natural person), including but not limited to personal identifiers (like name and
address) and any information linked to personal identifiers (like events or entities). By combining datasets and linking fields with
certain individuals (for example using the IR Number or name and address), analytics activities may create new personal
information about identifiable individuals.
Requesting Agency
the border agency that has initiated the activity, will provide the platform within which the activity will be completed, and will be
the sole recipient of any identifiable intelligence outputs.
Unlawful discrimination
discrimination based on any grounds prohibited by the Human Rights Act 1993, including sex, marital status, religious belief, colour, race, ethnic origin, disability, age, political opinion, and sexual orientation.
Appendix 2: Explanatory Notes
[1] In the absence of specific legislation that permits border agencies to collect or disclose personal information, the Privacy Act and IPPs apply. The IPPs are a flexible set of principles intended to ensure that agencies can achieve their goals in a privacy protective way. In summary, they require an agency to:
1. Scope – Collect only the personal information it needs for a lawful purpose connected with its functions.
2. Source – Collect personal information directly from the person concerned, unless an exception applies.
3. Notice – Tell people certain things when collecting personal information directly from them.
4. Manner – Collect personal information in ways that are lawful and, in the circumstances, fair and not unreasonably intrusive.
5. Security – Take reasonable steps to protect personal information from harm.
6. Subject access – Give people access to the personal information it holds about them.
7. Correction – Let people correct personal information if it is incorrect.
8. Accuracy – Take reasonable steps to ensure personal information is accurate and up-to-date before using it.
9. Retention – Retain personal information for no longer than is required.
10. Use – Use personal information only for the purposes for which it was collected, unless an exception applies.
11. Disclosure – Not disclose personal information, unless an exception applies.
12. Unique identifiers – Take care when assigning or using unique identifiers.
Many IPPs – including principles 2 and 10 – contain exceptions that ensure legitimate information processing is possible. Thus, even where a border agency’s enabling legislation is silent on the matter of collecting or using personal information for analytics activities, the Privacy Act is likely to permit it, provided that it is necessary and proportional and relates to the Requesting Agency’s lawful functions.
The Privacy Commissioner and Government Chief Data Steward released a set of principles for the safe and effective use of data and analytics (‘Analytics Principles’), intended to promote transparency and a best-practice approach to the use of data and analytics for supporting operational decision-making.
1. Deliver clear public benefit – it’s essential government agencies consider, and can demonstrate, positive public benefits from collecting and using public data.
2. Ensure data is fit for purpose – using the right data in the right context can substantially improve decision-making and analytical models, and will avoid generating potentially harmful outcomes.
3. Focus on people – keep in mind the people behind the data and how to protect them against misuse of information.
4. Maintain transparency – transparency is essential for accountability. It supports collaboration, partnership, and shared responsibility.
5. Understand the limitations – while data is a powerful tool, all analytical processes have inherent limitations in their ability to predict and describe outcomes.
6. Retain human oversight – analytical processes are a tool to inform human decision-making and should never entirely replace human oversight.
[2] It is essential that the Requesting Agency consider, and can demonstrate, positive public benefits from collecting, analysing and using personal information. A clear link to Requesting Agency’s lawful purposes (as set out in its enabling legislation) is also required to ensure that an activity is legitimate and necessary.
[3] Analytics datasets relating to single agency analytics activities will usually be stored and processed within the Requesting Agency’s system, in accordance with the JBA single agency SOPs. Where JBAC proposes to store or process datasets on another platform, this must be stated in the PIA.
[4] The burden of establishing that an exception applies to permit a collection or use of personal information rests with the Requesting Agency seeking to rely on it. The Requesting Agency may seek further clarity from JBAC where this is required in order to establish whether an exception applies.
[5] Principle 2(2)(a) permits the collection of personal information if the information is contained in a publicly available publication. This exception is likely to permit the collection of personal information from publicly accessible online sources, including websites or social media platforms, or from the news media.
[6] Principle 2(2)(g)(ii) permits the collection of personal information if the information is to be used for statistical or research purposes and will not be published in an identifiable form. This exception is likely to permit the collection of relevant personal information for the purposes of generating analytics models and forecasts, but should not be applied where the Requesting Agency intends to generate identifiable intelligence outputs.
[7] Principle 2(2)(d)(i) permits the collection of personal information where this is necessary to avoid prejudice to the maintenance of the law, including the prevention, detection, investigation, and prosecution of offences. This exception is likely to permit the collection of relevant personal information for the purposes of generating targeted analytics forecasts (intended to detect or prevent offences) or identifiable intelligence outputs. Note, ‘necessity’ includes considerations of data minimisation and proportionality.
[8] Principle 2 will be amended by the Privacy Bill to include a serious threat exception. Once amended, this exception will permit the collection of personal information where this is necessary to prevent or lessen a serious threat to public health or safety or the life or health of an individual. This exception may permit the collection of relevant personal information for the purposes of generating or disseminating identifiable intelligence outputs to respond to an imminent threat.
[9] Data minimisation is an important element of the privacy framework. Agencies should collect and use only the minimum amount of personal information necessary to meet their lawful purposes. In the initial stages of an analytics activity, lawful purposes will include exploring and assessing datasets available to establish how useful each will be. Effort should be made initially to ensure that exploration datasets shared are broadly relevant to the activity and, later, to remove any datasets or data fields that are not found to be relevant to the activity.
[10] Principle 4 requires an agency to collect personal information in a manner that is not unlawful or, in the circumstances, unfair or unreasonably intrusive. This principle incorporates concepts of fairness and proportionality and will require the Requesting Agency to consider whether the collection of a dataset for the purposes of a particular analytics activity could be viewed as unfair or intruding into the personal affairs of affected individuals to a greater extent than the ends would justify.