This is a single section from Chapter 8. Read the full chapter here.

Does the legislation authorise personal information sharing?

New legislation should only provide authority for personal information sharing where the sharing cannot be undertaken using one of the existing mechanisms in the Privacy Act 2020 (for example, an approved information sharing agreement), or where using those mechanisms is not sufficient for the policy purpose.

Disclosing information about identifiable individuals between agencies for the purposes of delivering public services can be appropriate provided the privacy risks are managed well. However, information sharing to deliver public services must have clear legal authority. That authority may already be provided under the Privacy Act by the exceptions to the information privacy principles or by a code of practice.[1] For example, information may be disclosed for a purpose directly related to the purpose for which it was obtained or when disclosure is necessary to prevent or lessen a serious threat to public health or public safety. There may also be existing authority under Part 7 Subpart 2 (identity information), Part 7 Subpart 3 (law enforcement information), or Part 7 Subpart 4 (information matching) of the Privacy Act.

If there is no such authority, or the available authority is partial or uncertain, an approved information sharing agreement (AISA) under Part 7 Subpart 1 of the Privacy Act 2020 may provide the necessary authority without the need to resort to a new Act. AISAs are information sharing agreements approved by the Governor-General, by Order in Council on the recommendation of the relevant Minister. An AISA may grant an exemption to, or modify, one or more of the privacy principles or a code of practice (except in respect of principles 6 and 7 relating to access and correction rights). The Office of the Privacy Commissioner has published guidance for creating AISAs.[2] Departmental legal advisers, the Office of the Privacy Commissioner, and the Ministry of Justice should be consulted to ascertain whether there is already authority for information sharing or whether an AISA could provide that authority.

If there is no existing authority for proposed information sharing between agencies and an AISA would be insufficient or inappropriate, new legislation may be required. Generally, a new Act to authorise information sharing will only be required to overcome a statutory prohibition or restriction preventing it. However, in some cases, a new Act may be justified in other circumstances, for example where an Act would provide greater transparency than for the disclosure to be regulated under 1 or more AISAs. However, this should be weighed against the risk that a specific legislative disclosure regime will forgo the flexibility inherent in the Privacy Act, the safeguards provided by that Act, and the benefit of case law developed around it.


[1] Privacy Act 2020, Part 3.

[2] Privacy Commissioner An A to Z of Approved Information Sharing Agreements (AISAs) (2015).

This page was last modified on