DPUP — design a consent form
Introduction
This is an example of a good practice consent form based on advice in the Data Protection and Use Policy (DPUP) and its associated toolkit.
Data Protection and Use Policy (DPUP)
The form starts at the heading “1. The ‘Good Support Services’ initiative” and can be adapted for use. It contains explanations of each section’s role to help agencies understand the section’s purpose and adapt the form.
Notes on ‘consent’
The term ‘consent’ is an important one, but in some contexts it can lead to some misunderstandings. These are the key points to be aware of.
- A consent form establishes expectations about the situation that a person is agreeing to. It says: “To provide this service to you, I’ll need to collect this information for these reasons.” The person is consenting to the terms of the service, which include some conditions about what information may be necessary to collect. They’re not consenting to the information collection / use in a way that’s separate from the terms of the service.
- If you’d like to understand this in more detail, read the Privacy Commissioner’s blog ‘Click to consent not good enough anymore’. It explains more about consent, including that New Zealand’s Privacy Act 2020 does not depend on consent as the primary authority for collecting, using or disclosing people’s personal information.
- Because consent for receiving a service is freely given based on a fair understanding of the situation, it can lead to a perception that people can ‘undo’ the consent relating to their information by saying, “I no longer consent to you having or using my information”. However, that may not be possible. Many services require the organisation that delivers them to keep records about what the organisation did and who they did it for.
- The consent given wraps around both the service and the information in a way that cannot be separated in the future. A person cannot ‘undo’ the consent for the service when the service has already received it and a condition of receiving the service may have included certain uses of their information.
- However, Privacy Act 2020 information privacy principle 9 (IPP9) — Retention of personal information — says an organisation should not keep people’s personal information any longer than they need it.
Click to consent not good enough anymore — Office of the Privacy Commissioner
IPP9: Retention of personal information — Office of the Privacy Commissioner
Delete this ‘Introduction’ section when adapting the form for agency use.
1. The ‘Good Support Services’ initiative
The Good Support Services initiative will support you to get stable work, housing and social connections in your community.
Explanation
The Privacy Act 2020’s IPP1 — Purpose of collection of personal information — says, among other things, that an organisation can collect personal information connected with a function or activity of that organisation. Clearly setting out the context this form is being used in (which service it’s about and what that service does) helps us to:
- think more clearly about what follows
- help people whose information may be collected to see and understand the connection between that information and what the service itself is about.
IPP1: Purpose for collection of personal information — Office of the Privacy Commissioner
2. Your personal information and your rights
This form helps you understand what personal information we might collect from you, why we need it, and what your rights are with your information. If you’d like to know more, or have any questions, you can:
- talk to our staff, who will be happy to help
- send an email to this address: myinformation@localcommunity.org.nz
- send a letter to this address [ … ].
Explanation
This section shows that the form’s primary role is to acknowledge, fulfil and inform people of their rights.
3. What information will be collected and why
To deliver this service to you, we need to collect:
- your name, address and contact details so that we can contact you
- information about your work history and housing situation, so that we can provide you with the right support to help you in those areas
- information about any benefits or other financial support you are receiving, so that we know how best to support you
- the name of any other organisations who may be helping you with work or housing, so that we can work with them to help you.
Generally, we can’t deliver this service to you without this information, but if you’re concerned about providing any of it, talk to us and we’ll try to work it out.
We also collect the following information to give to our funding organisations:
- your …. (list personal information required by the funder, delete this section if none) so that …. (the funder should say why they need this information, and how they’ll use it).
When you leave our service, we will only keep information about you:
- if we legally have to
- to use for research purposes in ways that do not and cannot identify you
- to help address future needs that you may have in relation to other services we offer.
If you would like to know more, we can provide more information about what we keep and why at any time.
Explanation
Telling people what information you need or would like, and why, should be the core purpose of the form. There are some key elements to note:
- Each area of information is explained by saying, “we need this, so that we can do that”. Structuring the sentences like this makes it easier to write, explain and understand the core purpose that informs many other judgements about privacy. It addresses IPP1 of the Privacy Act 2020, which is always the most important place to start when you’re thinking about privacy.
- The form acknowledges and highlights information that is collected by one agency or organisation for another — in this case information collected for the funding organisation. Separating out these parts, the information you collect for your purposes versus what you collect on behalf of someone else, is important. First, it means that the organisation you’re collecting people’s information for is responsible for ensuring their alignment to IPP1 (among others) and the collection is justified. Second, it highlights that the explanation about why they need it is their responsibility, not yours. If you cannot explain why you’re collecting information (we need … so that …), you should not collect it.
- This part of the form shows that choice can sometimes be offered and if it can be, it should be. It all depends on the context:
- what your organisation does
- what the service is about
- how it works
- what you need the information for
- how you might use it
- what kinds of people you may work with.
4. Your rights
Under the Privacy Act 2020 you have a right to access and request correction of the personal information we have about you. You can do this by emailing myinformation@localcommunity.org.nz, by asking one of our staff, or by filling in the Office of the Privacy Commissioner’s AboutMe tool.
AboutMe — Office of the Privacy Commissioner
You can also ask us to correct your information so that it’s accurate. It’s our responsibility to make sure that the information is accurate and relevant for how we need to use it.
If you ask for your information, we may not be able to respond straight away. We need to check we are giving you the right information for your question, and there are processes we must follow to make sure we do this safely.
Explanation
This section of the form gives a clear explanation of people’s rights and how they can act on them. It’s important that people feel this is always a safe thing for them to do. It’s about the Manaakitanga Principle as well as a legal obligation to make sure they know what their rights are. The main legal aspects are part of the Privacy Act 2020’s IPP3: the duty to tell them what you’re going to collect from them and why (section 3 of this form), and to explain their rights (this part of the form).
IPP3: Collection of information from subject — Office of the Privacy Commissioner
5. Information that’s useful for us but that you do not have to provide
We often use information to try and understand if we’re offering the best services in the right way to the people who need them or use them. The information we use to help us do this is used in ways that cannot and do not identify people, although this may include confidential reviews of some case files to check that our processes are working well.
To help us understand our work better, we’d like to collect:
- your ethnicity and recent work history
- any qualifications or training that you have
- any health situations you have that relate to finding work or suitable housing
- your work and housing situation on a 6-monthly basis for the next 3 years.
It’s your choice whether you provide this information. It will only be used in ways that cannot identify you. You can still use our services if you choose not to provide this information.
If you want to look at how we might use your information, you can look at examples of the reports we publish: [example-community-provider.org.nz/research-reports]. If you do not have internet access or would prefer a printed example, we can help you.
Explanation
This section of the form enforces the Mana Whakahaere Principle and the importance of providing ‘choice’ outlined in DPUP’s guidance (the Purpose Matters Guideline, and the Transparency and Choice Guideline). If choice is possible, it should be offered. Often the information asked for is valuable for understanding how the service works, who might be accessing it or how it could be improved but is not strictly necessary for operational delivery of the service. Most people will see that as a valuable thing to agree to, if they can see that it contributes to better services for themselves, their whānau or people in similar situations to them.
6. What laws allow us to collect or use your information
Personal information is information that does, or could, identify you (like your name and address).
Non-personal information does not and cannot identify you (like the region you live in).
We’re collecting this information in line with the Privacy Act. This law is about what personal information organisations can collect from people and what they must do when they collect or use people’s personal information. It also describes your rights (listed in section 4 of this form) including helping you understand what’s on this form.
This law says we can only collect information from you when it’s:
- directly related to what we do as an organisation
- necessary for us to provide this service to you and to manage its delivery.
Explanation
This is a simple example of fulfilling the legal requirement to tell people which law allows or requires the collection of this information. Often this might simply be the Privacy Act 2020, but there are also other laws you could be relying on. You must tell people what these laws are.
7. How we keep your information safe, and who will and will not see it
- We will keep your information secure. It’s stored in a password-protected database.
- People are not allowed to access your information except in relation to the services they are providing to you. For example, your case worker can see all your information, but others are not allowed to see it unless they have a specific reason to do so that has been approved by management.
- We work with other local organisations in the areas of employment and housing and will sometimes share some of your information with them. They will only receive information they need to help with the work we are doing with you. Please check page […] to understand who we might share your information with and why.
Tell us if you’d like us to ask you before sharing your information with these organisations.
- We will not share your information with anyone without talking to you first.
- When we no longer need your information or because you have left the service, we’ll delete your information if we can.
- In some cases, we may need to keep your information securely, even when you leave the service. This may be because of other laws or we may need it to help you in the future.
- If you’d like to understand more about what information we keep, for how long and why, we can talk to you about it or provide you with more details.
Explanation
You’re required to keep people’s information safe. This can mean a wide range of things from physical security through to ICT systems, so the form provides a balanced approach. It also reminds us that it’s important people within your organisation can access information on a reasonable ‘need to know’ basis.
Evidence also tells us that many people have concerns relating to their assumptions about what might happen to and who may see their information. This is not often stated in consent forms and processes. This part of the form reminds us to say what will or will not happen to people’s information, who will or will not see it and how it will or will not be used. This addresses people’s concerns and allows them to reach a richer understanding of what safety means to them.
8. Let us know that you’ve understood
We’re responsible for making sure you understand what will happen with your information before we collect it. If you’d like to understand more, you can ask us at any time to explain:
- what information we need
- what we use it for
- what we will not use it for.
We’d like to check that you’re happy to proceed or whether you still have any questions.
We’d like to make a record of this conversation, which is why we get your signature and the date.
Explanation
The difference between providing information and reaching understanding is key. The Privacy Act, and the case law surrounding it, makes it clear the goal is understanding, not telling. The title of this section, ‘Let us know …’ was chosen for that reason, to encourage organisations to check with people that they’ve understood as much as they need to or wish to at that point in time. It’s not a test (they may not wish to understand everything right now), but they should have the option, now and in the future.
I understand what’s happening with my information.
Name:
Signature:
Date:
9. You’ll be given a copy of this form
If you want, our staff will give you a copy of this form and we will also keep it on your file and can print it out for you at any time.
If you’d like to talk to us again at any time about the information on the form, we’d be happy to do that. Your information, your right to access it and know what happens with it will be treated with respect.
Explanation
This section emphasises the Kaitiakitanga Principle — people are in control of their information (Mana Whakahaere Principle) and how it is used (Manaakitanga Principle) — and is why DPUP uses the phrase ‘respectful, trusted, transparent’.