Joint-Agency Privacy Impact Assessment Template
This PIA template should be completed for any new joint-agency analytics activity
What the PIA covers
ACT 1982
conducted by the Joint Border Analytics Centre (JBAC) on behalf of two or more
The template relates only to activities that are managed in accordance with the
border agencies. The template assists the involved border agencies to assess the
Joint Border Analytics MOU and the JBAC SOPs for joint-agency activities. Thus,
lawfulness of data sharing, including data minimisation. It also assesses the
general privacy matters, including transparency, subject access and correction,
lawfulness, necessity and relevance of any identifiable intelligence outputs
data storage, security and JBAC access (IPPs 3, 5, 6 and 7) are addressed in the MOU
produced as a result of the activity.
and SOPs. This PIA addresses activity-level privacy matters, including data col ection
The objective of this PIA process and template is to
enable joint-agency analytics,
and disclosure, data use, accuracy and retention (IPPs 1, 2, 4, 8, 9, 10 and 11), and
to better deliver border enforcement functions, in a way that is open, safe, and
compliance with data analytics principles.
[1]
mindful of the people behind the data.
A section 3 data sharing assessment (or ‘data in’ PIA) must be completed for every
INFORMATION
Governance and accountability
joint-agency activity but a section 4 output dissemination assessment (or ‘data
Joint-agency analytics activities must be initiated by a border agency (the Lead
out’ PIA) is only required where the output is identifiable intelligence.
Agency). Each involved border agency is responsible for assessing privacy or other
The process in brief
risks raised by an activity and approving the activity. Each involved border agency
must involve its privacy and/or legal team as reviewers of this PIA. JBAC can assist
1. Lead Agency initiates analytics activity with JBAC
involved border agencies to identify or develop analytics activities and manage
2. JBAC completes sections 1 and 2 and Appendix 1 (in consultation with
associated privacy risks, but JBAC cannot approve data sharing, analytics activities
involved border agencies)
or outputs.
3. Involved border agencies complete sections 3 and 4 as required (in
consultation with JBAC)
4. JBAC completes section 5 to reflect outcome of section 3 and 4
5. Involved border agencies’ privacy/legal representatives review completed
PIA
6. Subject to feedback, PIA is signed by each border agency approver and
privacy/legal reviewer
7. Activity may commence subject to actions or conditions identified in PIA
Section instructions, a glossary at Appendix 2, and explanatory notes at Appendix
3, provide more detail on completing the PIA template. Tables are colour-coded (as
above) to indicate who should complete them.
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
1 of
31
Joint-Agency Privacy Impact Assessment
1. Governance and contact information
ACT 1982
This section records which border agencies initiated the analytics activity, the roles of any border agencies involved in the activity, and the contact
What’s this for? details for key staff involved. Note, JBAC wil always be involved as the analytics service provider.
Who should
JBAC wil complete this section on behalf of the involved border agencies.
complete this?
Date PIA commenced
7 July 2020
INFORMATION
JBAC contact person for this
s 9(2)(g)(ii) OIA
activity
Border agencies involved in this
NZCS (non-JBAC)
MPI
MBIE
DIA
DOC
activity
Lead Agency
Lead Agency
Lead Agency
Lead Agency
Lead Agency
Data Provider
Data Provider
Data Provider
Data Provider
Data Provider
Data Recipient/User
Data Recipient/User
Data Recipient/User
Data Recipient/User
Data Recipient/User
Activity contact person for each
Name: s 9(2)(g)
Name:
Name: s 9(2)(g)(ii)
Name:
Name:
agency
Email: TBC
(ii) OIA
Email:
Email: TBC
OIA
Email:
Email:
Privacy/legal representative for
Name:
s 9(2)(g)(ii)
Name:
Name: s 9(2)(g)(ii)
Name:
Name:
each agency
Email: TBC
OIA
Email:
Email: TBC
OIA
Email:
Email:
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
2 of
31
2. Overview of the activity
This section explains the analytics activity, for the purpose of assisting the involved border agencies to make data sharing and/or output dissemination
What’s this for? assessments.
ACT 1982
Who should
JBAC wil complete this section on behalf of the involved border agencies.
complete this?
1. What is the name of this activity?
Shore Parties
2. Briefly describe the activity, including
'Shore parties' is a coveral reference to persons entering New Zealand for the purpose of facilitating the import and
the problem/s it is seeking to address
domestic movement of il icit goods, primarily drugs and tobacco. Large imports of il icit drugs have recently been increasing
in frequency, and are predominantly linked to trans-national crime syndicates. These syndicates – comprising various shore
INFORMATION
parties – have evolved into sophisticated groups that utilise advanced modus operandi to exploit the border.
The Shore Parties activity aims to better identify existing or potential shore parties, using datasets from NZCS and MBIE. The
high-level objectives of the Shore Parties activity are to:
•
provide insights into the risk posed by transnational organised crime groups via shore parties;
•
inform and improve targeting efforts;
•
enable more effective use of resource as passenger and goods movements increase; and
•
enable more effective identification of risk.
s 6(c) OIA
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
3 of
31
s 6(c) OIA
1982
3. How does this activity support each
NZCS Wil support NZCS' border enforcement actvities, under the Customs and Excise Act, by informing and improving
ACT
Data Recipient/User’s lawful purposes
risk targeting efforts, better identifying risk, and enabling more effective use of enforcement resources.
and deliver public benefit? [2]
MBIE Wil support MBIE's border and on-shore enforcement activities, under the Immigtation Act, by informing and
improving risk targeting efforts, better identifying risk, and enabling more effective use of enforcement resources.
4. What datasets are required for this
Dataset
Data Provider
Time period
Relevance to activity
activity? See Appendix 1 for more detail
s 6(c) OIA
INFORMATION
OFFICIAL
THE
UNDER
RELEASED
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
4 of
31
s 6(c) OIA
5. Where wil the analytics dataset be
s 6(c) OIA
ACT 1982
stored and processed? [3]
6. How long wil the analytics dataset be
retained?
7. What are the intended outputs of this
Analytics models and forecasts (non-identifiable)
Identifiable intel igence outputs
activity?
If this has been selected, section 4 must be completed
8. Briefly describe the outputs
s 6(c) OIA
INFORMATION
9. Relevant attached documents
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
5 of
31
3. Data sharing assessment
This section assesses the lawfulness of data sharing required to build the analytics dataset for the activity. Each activity wil require the collection and
What’s this for? disclosure of personal information by two or more border agencies, and usually all involved agencies wil use the analytics dataset for the activity.
ACT 1982
Where appropriate, explain your answers in the right-hand column.
Each Data Provider and Data Recipient/User identified at section 1 must complete this assessment for each dataset being shared to ensure that they
Who should
are satisfied they have a lawful basis to share personal information for this activity. Where an activity requires the col ection of a third party or publicly
complete this?
available dataset, no Data Provider assessment wil be required but each Data Recipient/User must complete a Data Recipient/User assessment for that
dataset. An activity may only proceed where all Data Providers and Data Recipients are satisfied that the data sharing is lawful and necessary.
A. Dataset: Customs datasets
Data Provider
NZCS
INFORMATION
Dataset
s 6(c) OIA
1. Are you satisfied that you have a
Principle 11(e)(i) – maintenance of the law
[6]
These datasets wil be used to develop analytics
Proceed
lawful basis to disclose this dataset to
models and identifiable outputs for the purposes
the Data Recipients? IPP 11 [4]
of assisting NZCS and MBIE with their law
enforcement activities, including the detection,
investigation and prosecution of offences under
the Customs and Excise Act and Immigration Act.
2. Are you satisfied that the personal
Yes, the dataset is necessary
JBAC has established during the data exploration
Proceed
information in this dataset – including
phase that each data field in each dataset is
data fields or time periods – is
necessary for the purposes of developing the
reasonably necessary for this activity? IPP
analytics models and identifiable outputs.
1 [8]
s 6(c) OIA
3. Are there any statutory restrictions on
Yes
Action required
the use or retention of some or al of the
information in the dataset?
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
6 of
31
s 6(c) OIA
4. Have reasonable steps been taken to
Yes, reasonable steps have been taken
Proceed
ACT 1982
ensure the dataset is accurate and up-to-
date before it is disclosed? IPP 8
5. Privacy/Legal team comments
6. Can the disclosure of this dataset
Yes, but:
We need to address statutory restrictions
proceed?
INFORMATION
Data Recipient/User
NZCS
Dataset
s 6(c) OIA
1. Are you satisfied that you have a
It’s our dataset, we’re not col ecting it
N/A
Proceed
lawful basis to col ect this dataset from
the Data Provider? IPP 2 [4]
2. Are you satisfied that the personal
Yes, the dataset is necessary
JBAC has established during the data exploration
Proceed
information in this dataset – including
phase that each data field in each dataset is
data fields or time periods – is
necessary for the purposes of developing the
reasonably necessary for this activity? IPP
analytics models and identifiable outputs.
1 [8]
3. Could the people this data relates to
It’s our dataset, we’re not col ecting it
N/A
Proceed
view this col ection as unfair or
unreasonably intrusive? IPP 4 [12]
4. Are you satisfied that you have a
Our enabling legislation
As we already hold these datasets, we are satisifed Proceed
lawful basis to use this dataset for the
that using them for the purposes of developing
analytics models and identifiable outputs as data
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
7 of
31
purpose of this analytics activity? IPP 10
as outlined above is aligned with our lawful border
[4]
purposes under section 301 of the C&E Act. This
s 6(c) OIA
ACT 1982
Principle 10(c)(i) – maintenance of the law
[14]
In addition, we are satisfied that the use of these
Proceed
datasets is permitted by the maintenance of the
law exception to IPP 10, for the reasons outlined
above.
5. Privacy/Legal team comments
6. Can the col ection and use of this
Yes - Approved by: Name
dataset proceed?
INFORMATION
Data Recipient/User
MBIE
Dataset
s 6(c) OIA
1. Are you satisfied that you have a
Principle 2(2)(d)(i) – maintenance of the law
These datasets wil be used to develop analytics
Proceed
lawful basis to col ect this dataset from
[10]
models and identifiable outputs for the purposes
the Data Provider? IPP 2 [4]
of assisting NZCS and MBIE with their law
enforcement activities, including the detection,
investigation and prosecution of offences under
the Customs and Excise Act and Immigration Act.
2. Are you satisfied that the personal
Yes, the dataset is necessary
JBAC has established during the data exploration
Proceed
information in this dataset – including
phase that each data field in each dataset is
data fields or time periods – is
necessary for the purposes of developing the
reasonably necessary for this activity? IPP
analytics models and identifiable outputs.
1 [8]
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
8 of
31
3. Could the people this data relates to
No
We are satisfied that the col ection of these
Proceed
view this col ection as unfair or
datasets is proportional, particularly in view of the
unreasonably intrusive? IPP 4 [12]
process already applied to explore and refine the
data.
ACT 1982
4. Are you satisfied that you have a
Principle 10(c)(i) – maintenance of the law
[14]
We are satisfied that the use of these datasets is
Proceed
lawful basis to use this dataset for the
permitted by the maintenance of the law
purpose of this analytics activity? IPP 10
exception to IPP 10, for the reasons outlined
[4]
above.
Other
Note, section 33 of the Immigration Act permits us Proceed
to use classified information to make decisions
under the Act (including in relation to visas) if it
relates to matters of security or criminal conduct.
However, if this activity ultimately results in the
INFORMATION
development of classified identifiable outputs, we
must ensure that our use of these outputs
complies with sections 34-40 of the Immigration
Act.
5. Privacy/Legal team comments
6. Can the col ection and use of this
Yes - Approved by: Name
dataset proceed?
B. Dataset: INZ datasets
Data Provider
MBIE
Dataset
s 6(c) OIA
1. Are you satisfied that you have a
Principle 11(e)(i) – maintenance of the law
[6]
This dataset wil be used to develop analytics
Proceed
lawful basis to disclose this dataset to
models and identifiable outputs for the purposes
the Data Recipients? IPP 11 [4]
of assisting NZCS and MBIE with their law
enforcement activities, including the detection,
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
9 of
31
investigation and prosecution of offences under
the Customs and Excise Act and Immigration Act.
2. Are you satisfied that the personal
Yes, the dataset is necessary
JBAC has established during the data exploration
Proceed
information in this dataset – including
phase that each data fields 6(c) OIA
ACT 1982
data fields or time periods – is
in
reasonably necessary for this activity? IPP
this dataset is necessary for the purposes of
1 [8]
developing the analytics models and identifiable
outputs.
3. Are there any statutory restrictions on
No
N/A
Proceed
the use or retention of some or al of the
information in the dataset?
4. Have reasonable steps been taken to
Yes, reasonable steps have been taken
In view of the fact that the dataset wil be
Proceed
ensure the dataset is accurate and up-to-
refreshed on a regular basi
INFORMATION s to ensure it is up to
date before it is disclosed? IPP 8
date, and wil be subject to a cleansing and
matching process, we are satisfied that no further
steps are required before sharing it.
5. Privacy/Legal team comments
6. Can the disclosure of this dataset
Yes - Approved by: Name
proceed?
Data Recipient/User
MBIE
Dataset
s 6(c) OIA
1. Are you satisfied that you have a
It’s our dataset, we’re not col ecting it
N/A
Proceed
lawful basis to col ect this dataset from
the Data Provider? IPP 2 [4]
2. Are you satisfied that the personal
Yes, the dataset is necessary
JBAC has established during the data exploration
Proceed
information in this dataset – including
phase that each data fields 6(c) OIA
data fields or time periods – is
in
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
10 of
31
reasonably necessary for this activity? IPP
this dataset is necessary for the purposes of
1 [8]
developing the analytics models and identifiable
outputs.
3. Could the people this data relates to
It’s our dataset, we’re not collecting it
N/A
Proceed
ACT 1982
view this col ection as unfair or
unreasonably intrusive? IPP 4 [12]
4. Are you satisfied that you have a
Principle 10(c)(i) – maintenance of the law
[14]
We are satisfied that the use of this dataset is
Proceed
lawful basis to use this dataset for the
permitted by the maintenance of the law
purpose of this analytics activity? IPP 10
exception to IPP 10, for the reasons outlined
[4]
above.
Other
We are also satisfied that, as this is MBIE data, our
Proceed
use of the dataset for the purposes of generating
analytical outputs that shou
INFORMATION ld assist with our law
enforcement activities aligns with the purposes for
which we col ected this data.
5. Privacy/Legal team comments
6. Can the col ection and use of this
Yes - Approved by: Name
dataset proceed?
Data Recipient/User
NZCS
Dataset
s 6(c) OIA
1. Are you satisfied that you have a
Principle 2(2)(d)(i) – maintenance of the law
This dataset wil be used to develop analytics
Proceed
lawful basis to col ect this dataset from
[10]
models and identifiable outputs for the purposes
the Data Provider? IPP 2 [4]
of assisting NZCS and MBIE with their law
enforcement activities, including the detection,
investigation and prosecution of offences under
the Customs and Excise Act and Immigration Act.
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
11 of
31
2. Are you satisfied that the personal
Yes, the dataset is necessary
JBAC has established during the data exploration
Proceed
information in this dataset – including
phase that each data fields 6(c) OIA
data fields or time periods – is
in
reasonably necessary for this activity? IPP
this dataset is necessary for the purposes of
1 [8]
developing the analytics models and identifiabl
ACT 1982 e
outputs.
3. Could the people this data relates to
No
Proceed
view this col ection as unfair or
unreasonably intrusive? IPP 4 [12]
4. Are you satisfied that you have a
Our enabling legislation
Section 301(2) of the C&E Act permits NZCS to use
Proceed
lawful basis to use this dataset for the
any information provided to it for a lawful purpose
purpose of this analytics activity? IPP 10
related to its legislative functions functions
[4]
(section 301(1)(a)(i ) of the C&E Act) for any lawful
INFORMATION
purpose related to its legislative functions. This
would include using this data to develop analytic
models and identifiable outputs that wil support
our lawful border purposes.
Principle 10(c)(i) – maintenance of the law
[14]
In addition, we are satisfied that the use of this
Proceed
dataset is permitted by the maintenance of the law
exception to IPP 10, for the reasons outlined
above.
5. Privacy/Legal team comments
6. Can the col ection and use of this
Yes - Approved by: Name
dataset proceed?
C. Dataset: Companies Office datasets
Data Provider
MBIE
Dataset
s 6(c) OIA
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
12 of
31
1. Are you satisfied that you have a
Principle 11(e)(i) – maintenance of the law
[6]
These datasets wil be used to develop analytics
Proceed
lawful basis to disclose this dataset to
models and identifiable outputs for the purposes
the Data Recipients? IPP 11 [4]
of assisting NZCS and MBIE with their law
enforcement activities, including the detection,
investigation and prosecution of offences und
ACT 1982er
the Customs and Excise Act and Immigration Act.
2. Are you satisfied that the personal
Yes, the dataset is necessary
JBAC has established during the data exploration
Proceed
information in this dataset – including
phase that each data field in each dataset is
data fields or time periods – is
necessary for the purposes of developing the
reasonably necessary for this activity? IPP
analytics models and identifiable outputs.
1 [8]
3. Are there any statutory restrictions on
Yes
s 6(c) OIA
Action required
the use or retention of some or al of the
INFORMATION
information in the dataset?
4. Have reasonable steps been taken to
Yes, reasonable steps have been taken
Proceed
ensure the dataset is accurate and up-to-
date before it is disclosed? IPP 8
5. Privacy/Legal team comments
6. Can the disclosure of this dataset
Yes, but:
We need to address statutory restrictions
proceed?
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
13 of
31
Data Recipient/User
MBIE
Dataset
s 6(c) OIA
1. Are you satisfied that you have a
Principle 2(2)(d)(i) – maintenance of the law
s 6(c) OIA
Proceed
lawful basis to col ect this dataset from
[10]
ACT 1982
the Data Provider? IPP 2 [4]
We are satisfied that the collection of these
datasets is permitted by the maintenance of the
law exception to IPP 2, for the reasons outlined
above.
2. Are you satisfied that the personal
Yes, the dataset is necessary
JBAC has established during the data exploration
Proceed
information in this dataset – including
phase that each data field in each dataset is
INFORMATION
data fields or time periods – is
necessary for the purposes of developing the
reasonably necessary for this activity? IPP
analytics models and identifiable outputs.
1 [8]
3. Could the people this data relates to
No
Proceed
view this col ection as unfair or
unreasonably intrusive? IPP 4 [12]
4. Are you satisfied that you have a
Principle 10(c)(i) – maintenance of the law
[14]
We are satisfied that the use of these datasets is
Proceed
lawful basis to use this dataset for the
permitted by the maintenance of the law
purpose of this analytics activity? IPP 10
exception to IPP 10, for the reasons outlined
[4]
above.
5. Privacy/Legal team comments
6. Can the col ection and use of this
Yes - Approved by: Name
dataset proceed?
Data Recipient/User
NZCS
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
14 of
31
Dataset
s 6(c) OIA
1. Are you satisfied that you have a
Principle 2(2)(d)(i) – maintenance of the law
These datasets wil be used to develop analytics
Proceed
lawful basis to col ect this dataset from
[10]
models and identifiable outputs for the purposes
the Data Provider? IPP 2 [4]
of assisting NZCS and MBIE with their law
ACT 1982
enforcement activities, including the detection,
investigation and prosecution of offences under
the Customs and Excise Act and Immigration Act.
2. Are you satisfied that the personal
Yes, the dataset is necessary
JBAC has established during the data exploration
Proceed
information in this dataset – including
phase that each data field in each dataset is
data fields or time periods – is
necessary for the purposes of developing the
reasonably necessary for this activity? IPP
analytics models and identifiable outputs.
1 [8]
INFORMATION
3. Could the people this data relates to
No
Proceed
view this col ection as unfair or
unreasonably intrusive? IPP 4 [12]
4. Are you satisfied that you have a
Our enabling legislation
Section 301(2) of the C&E Act permits NZCS to use
Proceed
lawful basis to use this dataset for the
any information provided to it for a lawful purpose
purpose of this analytics activity? IPP 10
related to its legislative functions functions
[4]
(section 301(1)(a)(i ) of the C&E Act) for any lawful
purpose related to its legislative functions. This
would include using this data to develop analytic
models and identifiable outputs that wil support
our lawful border purposes.
Principle 10(c)(i) – maintenance of the law
[14]
In addition, we are satisfied that the use of these
Proceed
datasets is permitted by the maintenance of the
law exception to IPP 10, for the reasons outlined
above.
5. Privacy/Legal team comments
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
15 of
31
6. Can the col ection and use of this
Yes - Approved by: Name
dataset proceed?
4. Output dissemination assessment
ACT 1982
This section must be completed where an activity wil product identifiable intelligence outputs, whether these were planned at the outset or have been
What’s this for? identified during an activity. This section assesses the lawfulness, fairness, proportionality and necessity of identifiable outputs.
JBAC wil complete the overview of the outputs, as the analytics SME. Each involved border agency that will receive the identifiable intelligence
Who should
outputs must complete this assessment for each output being shared to ensure that they are satisfied they have a lawful basis to use it. JBA may only
complete this?
share identifiable intel igence outputs where al involved agencies are satisfied that the output is lawful, fair, proportionate and necessary.
INFORMATION
A. Output: Shore Parties identifiable intelligence output
1. Briefly describe the output
JBAC wil use the final refined datasets assessed above, and the analytics model developed with them, to
create identifiable lists of people or entities that are possible shore parties. s 6(c) OIA
2. What personal information wil the output include?
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
16 of
31
s 6(c) OIA
ACT 1982
3. Which involved agencies wil receive the output?
NZCS
MPI
MBIE
DIA
DOC
INFORMATION
4. What security classifications or handling caveats wil
The identifiable outouts wil be security classified as IN CONFIDENCE.
be applied to this output? [16]
Handling caveats wil be attached to the identifiable outputs that state:
- Outputs may only be used for the purposes of the receiving agency's statuory law enforcement activities
- Outputs must be assessed and validated before use, and intel igence officers must not make enforcement
decisions based solely on these outputs
- Outputs must not be disclosed further without the authorisation of a recipient agency Intel igence Manager
5. What steps has JBAC taken to ensure the data used
s 6(c) OIA
to generate the output is accurate and up-to-date? [17]
6. Briefly describe the algorithm used to generate the
output, including the determinative data fields [18]
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
17 of
31
s 6(c) OIA
ACT 1982
INFORMATION
7. What steps have been taken to ensure the datasets
are free from unwanted bias? [19]
8. What steps have been taken to ensure the analytics
or outputs are not unlawfully discriminatory? [20]
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
18 of
31
s 6(c) OIA
Output recipient
NZCS
ACT 1982
1. Are you satisfied that you have a
Our enabling legislation
Section 301(2) of the C&E Act permits NZCS to use
Proceed
lawful basis to use the personal
any information provided to it for a lawful purpose
information contained in this output? IPP
related to its legislative functions functions
10 [4]
(section 301(1)(a)(ii) of the C&E Act) for any lawful
purpose related to its legislative functions. This
would include using these identifiable outputs to
inform our law enforcement activities at the
border.
INFORMATION
Principle 10(c)(i) – maintenance of the law
[14]
In addition, we are satisfied that the use of these
Proceed
identifiable outputs is permitted by the
maintenance of the law exception to IPP 10, for
the reasons outlined above.
2. Are you satisfied that the output is
Yes, it is relevant
This identifiable output wil directly identify
Proceed
relevant to your lawful purposes? [21]
possible shore parties, which wil inform our
border enforcement activities and targeting
efforts. This output is highly relevant to our lawful
purposes.
3. Are you satisfied that this output is
Yes, it is proportional
This output is intended to assist NZCS to better
Proceed
proportionate to the problem it is
detect and prevent the importing of il icit drugs
intended to address? [22]
and tobacco by shore parties. These are serious
crimes that have a significant impact on our
communities. In view of the seriousness of these
crimes and the harm they cause, this output is
proportionate.
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
19 of
31
4. Are you satisfied that sufficient steps
Yes, we are satisfied
In our view the datasets themselves would appear
Proceed
are in place to protect against unwanted
to contain no biases, as they are entire factual
1982
bias or unlawful discrimination? [19] [20]
records of NZCS and MBIE interactions with the
entities and individuals. The datasets have not
been selected or refined based on ex
ACT isting biases.
The risk factors or predictors are broad and it is
clear that individuals wil not be identified as shore
parties (and therefore potentially subjected to
adverse action) solely on the basis of a prohibited
ground.
5. Are you satisfied that the outputs wil
No, we are not satisfied
Appropriate security classifications need to be
Action required
be appropriately classified or caveated?
assigned to the identifiable outputs. We think this
should be set at RESTRICTED.
INFORMATION
6. Do you have processes in place to
Yes, we do
TBC
Proceed
ensure that this output is validated
before being relied upon to take adverse
actions?
7. Do you have processes in place to
Yes, we do
TBC
Proceed
OFFICIAL
ensure that individuals can chal enge any
adverse actions taken on the basis of this
output?
THE
8. Privacy/Legal team comments
9. Can the output proceed as intended?
Yes, but:
The output needs to be correctly classified or caveated
UNDER
Output recipient
MBIE
1. Are you satisfied that you have a
No, we do not think there is a lawful basis
We are not satisfied that the identifiable output is
Action required
lawful basis to use the personal
sufficiently relevant to our law enforcement
information contained in this output? IPP
activities to warrant the release of identifiable
10 [4]
RELEASED
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
20 of
31
information generated by this analytics activitiy to
MBIE.
2. Are you satisfied that the output is
No, it is not relevant
As above
Action required
relevant to your lawful purposes? [21]
ACT 1982
8. Privacy/Legal team comments
9. Can the output proceed as intended?
No, because:
We have no lawful basis to use
The output is not relevant to our lawful purposes
5. Privacy risks, mitigations and actions
INFORMATION
This section captures any risks generated by the outcomes of sections 3 and 4. JBA or the border agencies can also add more risks and mitigations here.
What’s this for? Some risks that cannot be mitigated wil require an action (such as removing a Data Recipient where no lawful basis can be established to include them)
and others wil require mitigations (such as refining data requirements, establishing data destruction rules or data refresh processes).
Who should
JBAC wil complete this section on behalf of the border agencies but border agencies may also add content as required.
complete this?
Risk
Mitigation/Action
Responsible Date complete
R3 There are statutory restrictions that s 6(c) OIA
JBAC
must be met
R3 There are statutory restrictions that
JBAC
must be met
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
21 of
31
R8 A Data Recipient/User has no lawful MBIE is not satisfied that the identifiable outout is relevant to its law enforcement
JBAC
basis to use an identifiable intel igence
purposes.
1982
output
The identifiable output must not be shared with MBIE.
R9 An identifiable intel igence output is MBIE is not satisfied that the identifiable outout is relevant to its law enforcement
JBAC
ACT
not relevant to one of the Data
purposes.
Recipients/Users
The identifiable output must not be shared with MBIE.
R14 An identifiable intel igence output
The identifiable output needs to be appropriately classified. It is recommended, in the
JBAC
has not been correctly classified or
circumstances, that it be classified as RESTRICTED.
caveated
Add a handling caveat that stipulates the identifiable output should not be shared with
MBIE
INFORMATION
6. Activity Sign off
This section captures border agency approval for the activity and also records that this PIA has been reviewed by the border agency’s Privacy Officer or
What’s this for? team. An activity cannot proceed until this section has been completed in full by all involved border agencies.
Who should
For activities that wil not result in identifiable intel igence outputs, border agency approval must be manager level or above. For activities that will
OFFICIAL
complete this?
result in identifiable intel igence outputs, border agency approval must be Chief Executive level or above.
THE
Border agency
NZCS
Activity approved by
Privacy review by
Name:
Name:
UNDER
Position:
Position:
Date:
Date:
Border agency
MBIE
RELEASED
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
22 of
31
Activity approved by
Privacy review by
1982
Name:
Name:
Position:
Position:
Date:
Date:
ACT
JBAC
PIA reviewed by
s 9(2)(g)(ii) OIA
Date:
INFORMATION
OFFICIAL
THE
UNDER
RELEASED
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
23 of
31
Appendix 1: Data fields
What’s this for?
This section identifies the data fields contained in each dataset that has been identified as necessary for the activity. This wil assist the
border agencies to assess the lawfulness of the data sharing required to enable the activity. ACT 1982
Who should complete this?
JBAC wil complete this section on behalf of the involved border agencies.
Dataset
Data source Time period
Description
Relevance to activity
s 6(c) OIA
INFORMATION
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
24 of
31
s 6(c) OIA
ACT 1982
INFORMATION
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
25 of
31
Appendix 2: Glossary
This
Means
Activity
an agreed and authorised (by the involved border agencies) use of data analytics to produce a set of output
ACT 1982 s that may include
analytics models, forecasts or identifiable intel igence outputs.
Adverse action
any action that may adversely affect the rights, benefits, privileges, obligations, or interests of any specific individual; including
any decision:
i.
to make an assessment of the amount of any tax, levy, or other charge, or of any contribution, that is payable by any
individual, or to alter any such assessment:
ii.
to investigate the possible commission of an offence:
iii.
to make a deportation order in relation to the individual, to serve the individual with a deportation liability notice, or to
deport the individual from New Zealand.
INFORMATION
Analytics forecasts
forecasts designed to look forward at possible future patterns of border risk using historical information. These products contain
no personal information.
Analytics models
models that identify a class of goods, craft and/or people who present an increased or decreased risk at the border. The output of
analytics models offers a score based on weighted predictors. These products contain no personal information but may be used
by border agencies to create personal information (as a result of running the model).
Border agency
DIA, DOC, MBIE, MPI or NZCS.
CRISP-DM
Cross Industry Standard Process for Data Science (CRISP-DM). CRISP-DM is an open standard process model that describes
common approaches used by data mining experts. It has six stages – business understanding, data understanding, data
preparation, model ing, evaluation, and deployment.
Data analytics
the discovery, interpretation, and communication of meaningful patterns in data.
Data exploration
the comparison of datasets and data fields through the use of analytical techniques, methods and model ing, in order to better
understand the relationship between datasets or data fields for the purposes of generating analytics outputs.
Data Provider
the border agency which has been requested to disclose a dataset to other border agencies for the purpose of a joint-agency
analytics activity.
Data Recipient/User
the border agency which wil col ect and use a dataset or identifiable output as part of a joint-agency analytics activity.
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
26 of
31
Data refinement
the possible result of the data exploration process, where datasets or data fields found not to be relevant to desired outputs are
purged from the analytics dataset.
Data sharing
the disclosure of personal information by one border agency to one or more other border agencies and the collection of personal
information by one border agency from one or more other border agencies.
ACT 1982
Dataset
a distinct category of data held by an involved border agency, by a third-party agency or that is publicly available. Each dataset
wil include data fields that may relate to identifiable individuals.
DIA
Department of Internal Affairs.
DOC
Department of Conservation.
Enabling legislation
the legislation which sets out a border agency’s statutory functions and powers and includes the Customs and Excise Act 2018,
Biosecurity Act 1993 and Immigration Act 2009.
Identifiable intelligence outputs
the result of an analytical process which produces identifiable information. The output may identify previously unknown
INFORMATION
relationships or indicate a known or unknown level of risk for an individual.
JBAC
Joint Border Analytics Centre; MPI, NZCS and MBIE/Immigration analytics experts delivering technical solutions and insights at the
request of border agencies. The team is operationally focused.
Lead Agency
the border agency that has initiated the activity, wil provide the platform within which the activity wil be completed, and must
be a Data Recipient/User for the activity.
Personal information
any information about an identifiable individual (natural person), including but not limited to personal identifiers (like name and
address) and any information linked to personal identifiers (like events or entities). By combining datasets and linking fields with
certain individuals (for example using the IR Number or name and address), analytics activities may create new personal
information about identifiable individuals.
MBIE
Ministry of Business, Innovation and Employment, which includes Immigration New Zealand.
MPI
Ministry for Primary Industries.
MOU
the Joint Border Analytics Memorandum of Understanding, signed by al involved border agencies and the JBAC Team.
NZCS
New Zealand Customs Service.
Unlawful discrimination
discrimination based on any grounds prohibited by the Human Rights Act 1993, including sex, martial status, religious belief,
colour, race, ethnic origin, disability, age, political opinion, and sexual orientation.
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
27 of
31
Appendix 3: Explanatory Notes
[1]
In the absence of specific legislation that permits border agencies to col ect or disclose personal information, the Privacy Act and IPPs apply. The IPPs are a flexible
set of principles intended to ensure that agencies can achieve their goals in a privacy protective way. In summary, they require an agency to:
ACT 1982
1.
Scope – Collect only the personal information it needs for a lawful purpose connected with its functions.
2.
Source – Collect personal information directly from the person concerned, unless an exception applies.
3.
Notice – Tel people certain things when col ecting personal information directly from them.
4.
Manner – Collect personal information in ways that are lawful and, in the circumstances, fair and not unreasonably intrusive.
5.
Security – Take reasonable steps to protect personal information from harm.
6.
Subject access – Give people access to the personal information it holds about them.
7.
Correction – Let people correct personal information if it is incorrect.
8.
Accuracy – Take reasonable steps to ensure personal information is accurate and up-to-date before using it.
INFORMATION
9.
Retention – Retain personal information for no longer than is required.
10.
Use – Use personal information only for the purposes for which it was col ected, unless an exception applies.
11.
Disclosure – Not disclose personal information, unless an exception applies.
12.
Unique identifiers – Take care when assigning or using unique identifiers.
Many IPPs – including principles 2 and 10 – contain exceptions that ensure legitimate information processing is possible. Thus, even where a border agency’s enabling
legislation is silent on the matter of sharing or using personal information for analytics activities, the Privacy Act is likely to permit it, provided that it is necessary and
proportional and relates to the involved agencies’ lawful functions.
The Privacy Commissioner and Government Chief Data Steward released a set of
principles for the safe and effective use of data and analytics (‘Analytics Principles’), intended
to promote transparency and a best-practice approach to the use of data and analytics for supporting operational decision-making.
1.
Deliver clear public benefit – it’s essential government agencies consider, and can demonstrate, positive public benefits from collecting and using public data.
2.
Ensure data is fit for purpose – using the right data in the right context can substantially improve decision-making and analytical models, and wil avoid generating
potentially harmful outcomes.
3.
Focus on people – keep in mind the people behind the data and how to protect them against misuse of information.
4.
Maintain transparency – transparency is essential for accountability. It supports col aboration, partnership, and shared responsibility.
5.
Understand the limitations – while data is a powerful tool, al analytical processes have inherent limitations in their ability to predict and describe outcomes.
6.
Retain human oversight – analytical processes are a tool to inform human decision-making and should never entirely replace human oversight.
[2]
It is essential that the involved border agencies consider, and can demonstrate, positive
public benefits from col ecting, analysing and using personal information. A
clear link to n involved agency’s lawful purposes (as set out in its enabling legislation) is also required to ensure that an activity is legitimate and necessary.
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
28 of
31
[3]
Analytics datasets relating to joint-agency analytics activities wil usually be
stored and processed within the Lead Agency’s system, in accordance with the JBA MOU
and joint-agency SOPs. Where JBAC proposes to store or process datasets on another platform, this must be stated in the PIA.
1982
[4]
The burden of establishing that an exception applies to permit a disclosure, collection or use of personal information rests with the border agency seeking to rely on
it. An involved border agency may seek further clarity from JBAC or the other involved border agencies where this is required in order to establish whether an exception
applies.
ACT
[5]
Principle 11(h)(i ) permits the disclosure of personal information if the information is to be used for statistical or research purposes and wil not be published in an
identifiable form. This exception is likely to permit the disclosure of relevant personal information for the purposes of generating analytics models and forecasts, but should
not be applied where the involved border agencies intend to generate identifiable intel igence outputs.
[6]
Principle 11(e)(i) permits the disclosure of personal information where this is necessary to avoid prejudice to the maintenance of the law, including the prevention,
detection, investigation, and prosecution of offences. This exception is likely to permit the disclosure of relevant personal information for the purposes of generating
targeted analytics forecasts (intended to detect or prevent offences) or identifiable intel igence outputs. Note, ‘necessity’ includes considerations of data minimisation and
proportionality.
[7]
Principle 11(f) permits the disclosure of personal information where this is necessary to prevent or lessen a serious threat to public health or safety or the life or
INFORMATION
health of an individual. This exception may permit the disclosure of relevant personal information for the purposes of generating or disseminating identifiable intel igence
outputs to respond to an imminent threat.
[8]
Data minimisation is an important element of the privacy framework. Agencies should disclose, col ect and use only the minimum amount of personal information
necessary to meet their lawful purposes. In the initial stages of an analytics activity, lawful purposes wil include exploring and assessing datasets available to establish how
useful each wil be. Effort should be made initially to ensure that exploration datasets shared are broadly relevant to the activity and, later, to remove any datasets or data
fields that are not found to be relevant to the activity.
OFFICIAL
[9]
Principle 2(2)(g)(i ) permits the col ection of personal information if the information is to be used for statistical or research purposes and wil not be published in an
identifiable form. This exception is likely to permit the collection of relevant personal information for the purposes of generating analytics models and forecasts, but should
not be applied where the involved border agencies intend to generate identifi
THE able inteligence outputs.
[10]
Principle 2(2)(d)(i) permits the collection of personal information where this is necessary to avoid prejudice to the maintenance of the law, including the prevention,
detection, investigation, and prosecution of offences. This exception is likely to permit the collection of relevant personal information for the purposes of generating
targeted analytics forecasts (intended to detect or prevent offences) or identifiable intel igence outputs. Note, ‘necessity’ includes considerations of data minimisation and
proportionality.
UNDER
[11]
Principle 2 wil be amended by the Privacy Bil to include a serious threat exception. Once amended, this exception wil permit the collection of personal information
where this is necessary to prevent or lessen a serious threat to public health or safety or the life or health of an individual. This exception may permit the collection of
relevant personal information for the purposes of generating or disseminating identifiable intel igence outputs to respond to an imminent threat.
RELEASED
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
29 of
31
[12]
Principle 4 requires an agency to collect personal information in a manner that is not unlawful or, in the circumstances, unfair or unreasonably intrusive. This
principle incorporates concepts of fairness and proportionality, and wil require Data Recipients/Users to consider whether the col ection of a dataset for the purposes of a
particular analytics activity could be viewed as unfair or intruding into the personal affairs of affected individuals to a greater extent than the ends would justify.
[13]
Principle 10(f)(i ) permits the use of personal information if the information is to be used for statistical or research purposes and wil not be published in an
identifiable form. This exception is likely to permit the use of relevant personal information for the purposes of generating analytics models and for
ACT 1982ecasts, but should not be
applied where the involved border agencies intend to generate identifiable intel igence outputs.
[14]
Principle 10(c)(i) permits the use of personal information where this is necessary to avoid prejudice to the maintenance of the law, including the prevention,
detection, investigation, and prosecution of offences. This exception is likely to permit the use of relevant personal information for the purposes of generating targeted
analytics forecasts (intended to detect or prevent offences) or identifiable intel igence outputs.
[15]
Principle 10(d) permits the use of personal information where this is necessary to prevent or lessen a serious threat to public health or safety or the life or health of
an individual. This exception may permit the use of relevant personal information for the purposes of generating or disseminating identifiable intelligence outputs to respond
to an imminent threat.
[16]
Handling caveats are an effective way to manage the use or disclosure of identifiable outputs, particularly where these outputs may be sensitive. Handling caveats
INFORMATION
might include a requirement that the output is used only for intel igence purposes, that the output is retained only for a set period of time, or that the output recipient must
obtain JBAC approval before sharing the output further.
[17]
Accuracy steps might include regularly refreshing the datasets used for generating the outputs, and ensuring that information is correctly matched (for example
where an identifiable individual is matched with a non-compliant entity or event).
[18]
Algorithmic transparency is an important element of fairness and due process. JBAC must be able to explain to involved border agencies how an algorithm has
identified a particular individual as high risk. This will assist the border agency to assess the lawfulness and proportionality of the analytics activity and to provide affected
individuals with a meaningful process for challenging decisions made as a result of analytics.
[19]
JBAC should assist border agencies to ensure that
unwanted biases are removed from datasets before they are analysed, recognising that some lawful bias may be
legitimate in certain circumstances, to ensure that an activity is properly targeting known risk groups or attributes.
[20]
Border agency law enforcement activities are subject to section 19 of the Bil of Rights Act, which provides the right to be free from discrimination based on a
prohibited ground (
unlawful discrimination is defined in the glossary). While some prohibited grounds – such as age, political opinion or ethnic origin – may in certain cases
be relevant to risk, analytics should not be designed to profile risk solely on the basis of a prohibited ground.
[21]
Each Data Recipient/User must ensure that it only receives identifiable intel igence outputs that are
relevant to its lawful purposes. For example, an intel igence
product that indicates identified individuals who pose a risk of a specific Customs and Excise Act offence may not be of any relevance to Immigration Intel igence Officers
looking to prevent specific Immigration Act offences.
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
30 of
31
[22]
As stated at note [12] above, involved border agencies must ensure that the intrusiveness of the data analytics and intel igence outputs is warranted, and
proportionate to the problem the activity is seeking to address. This could be assessed by reference to the severity of the border risk or level of offending being targeted by
the activity.
ACT 1982
INFORMATION
RELEASED UNDER THE OFFICIAL
Joint Border Analytics – Joint-Agency PIA – Shore Parties
Page
31 of
31