Transparency Statement
Information gathering for regulatory compliance, law enforcement and protective security purposes.
On this page
Overarching statement
This transparency statement explains how the Ministry of Business, Innovation and Employment (MBIE) gathers information for regulatory compliance, law enforcement and protective security purposes. MBIE gathers information for these purposes in order to keep people in New Zealand safe and prevent harm by:
- detecting, investigating and prosecuting criminal offending (e.g. fraud, migrant exploitation, breaches of the law such as the Immigration Act 2009, and Crimes Act 1961)
- preventing, investigating and responding to regulatory non-compliance (e.g. breaches relating to vulnerable tenants, employer’s breaches of the Employment Relations Act 2000); and
- taking appropriate steps to respond to, and mitigate threats to the physical security of staff, or the security of information or places (e.g. a physical security breach, web-hacking).
We take care at all times to exercise our information gathering powers lawfully and appropriately taking into account the relevant statutory regime/s, and to meet our obligations under the Privacy Act 2020, Search and Surveillance Act 2012, New Zealand Bill of Rights Act 1990, Victims’ Rights Act 2002, MBIE Code of Conduct, the Te Kawa Mataaho Public Service Commission Code: Standards of Integrity and Conduct, and relevant MBIE policies and procedures. Information gathered offshore also needs to comply with relevant local laws.
Information gathering must be authorised according to our internal authorisation processes. These processes may vary within various teams in MBIE according to their regulatory function and the severity of the potential harm caused by the non-compliance, offending or threat. Each of our internal authorisation processes, and the related activities, are regularly reviewed.
When making decisions about information gathering, we take into account a range of considerations, including the impact on individuals and their privacy; the harm that MBIE is responsible for preventing or addressing; the public interest in MBIE fulfilling its regulatory, law enforcement and security responsibilities and to assist other public sector agencies to fulfil their responsibilities; and the obligations on MBIE as a public sector agency.
This statement applies to information gathered by us, our employees, contractors, or any other third parties engaged by us, including any of these engaged locally and/or working offshore. We require any third party that is carrying out information gathering on our behalf to comply with the obligations of MBIE employees.
What information is covered by this statement, and why do we collect it?
This section explains how we collect, use, and share information when we are carrying out our functions such as considering and investigating compliance breaches, concerns, initiating our own investigations or inquiries, and determining compliance strategies.
We are also required to protect that information and only disclose information in accordance with the law. This includes information that we consider is necessary to disclose in order give effect to our legislated responsibilities, to support other government agencies’ law enforcement, regulatory compliance, and protective security activities.
How do we collect information?
Our legislation empowers us to request or demand the information we need to give effect to that legislation, including to monitor and ensure compliance, as well as carry out investigations where we believe people or organisations may be in breach.
We collect information from a wide variety of sources in both physical and digital environments. These sources may include: individuals (via in-person interview, telephone call, observation) (voluntary and compulsory); information from online open sources (including websites, social media, apps, and public registers); information from physical sources and locations (e.g. paper records, site visits, inspections); other agencies or entities (e.g. New Zealand government agencies, private sector companies, banks, overseas governments and agencies); information gathered from technical and scientific devices (including biometric information collection, technical measurement devices).
In considering how to collect information we take into account a range of factors, including:
- the official source of the information;
- the credibility and reliability of the source of the information, where it is not an official source;
- the impact of the collection on affected individuals;
- the severity of the harm we are seeking to prevent or address; and
- the intended and possible outcome(s) of the information collection (for example, a prosecution or imposition of a fine or other statutory penalty).
Information collected directly
Most of the information we collect is provided directly by people or entities, or an authorised representative, as a requirement to fulfil statutory obligations and according to our powers as a regulator.
However, where we require information that is relevant to us considering and investigating compliance breaches, concerns, and initiating our own investigations or inquiries, we may gather information from people or entities using our statutory powers.
As part of the use of our statutory powers and to gather and preserve information and evidence, we may:
- require information to be provided by sworn statement or statutory declaration;
- require an original copy of a document to be provided to us;
- require an individual to provide biometric information (for example, a person’s fingerprints to confirm or verify a person’s identity for immigration purposes);
- record an interview conducted in-person or via telephone;
- take photographs during site visits or inspections; or
- use specialist equipment (for example to monitor interference with the radio spectrum).
We may request the assistance of another agency in relation to the exercising of our statutory powers, for example the New Zealand Police.
Information collected from another person or agency
This may include us receiving or requesting information from other people or agencies. Any such information will be gathered in accordance with our statutory powers or other lawful authority and in compliance with the relevant legislation and any information sharing agreements.
We may also collect publicly available information – for example from social media, news reporting, and press releases – where this would assist us in carrying out any MBIE functions, including to verify information that is collected by other means.
We will take all practicable steps to verify information received from third parties.
Information collection to prevent significant harm
MBIE has a responsibility to keep people in New Zealand safe and to prevent harm, such as in the employment, immigration, and consumer protection contexts. In situations where MBIE is seeking to prevent, or address, significant harm we may consider it appropriate to undertake information gathering activity that has an increased impact on an individual or organisation.
We may collect information by means in which an MBIE staff member is not immediately identifiable. This may be necessary where other means of information collection would prejudice an ongoing investigation, or otherwise prevent MBIE from fulfilling its responsibilities. This includes surveillance activities in accordance with the Search and Surveillance Act 2012.
Collection in these circumstances is subject to enhanced levels of oversight and increased internal controls to ensure it is conducted appropriately.
Collection by third parties
Where information gathering requires specialist capability that we don’t have within our organisation, we may engage a third party to collect information for us. Such information gathering (including about individuals) is subject to standard legal limits relating to privacy, access to private property, and the privacy/security of communications by individuals, among other things.
We take care to exercise at all times our information gathering powers lawfully and appropriately and meet our obligations under the Privacy Act 2020, MBIE’s Code of Conduct, relevant internal policies and procedures, the Public Service Code: Standards of Integrity and Conduct, and Te Kawa Mataaho Public Service Commission Model Standards on Information Gathering and Public Trust.
External security consultants
We may engage external security consultants to gather information to support our regulatory compliance activities. Any engagement of these consultants will be approved by a General Manager, or Deputy Secretary where appropriate, and subject to robust contractual arrangements and regular oversight, with reporting to a governance group that is not directly involved in the decision-making or the result of the investigation.
Any external security consultant engaged by MBIE to gather information to support our regulatory compliance activities will be licensed under the Private Security Personnel and Private Investigators Act 2010 and required to comply with all relevant legislation and Codes of Conduct, and MBIE policies and procedures.
Any such information gathering must be approved according to our internal authorisation process. That process, and any related activities, are required to be regularly reviewed to ensure compliance with the law, our internal policies, and our risk management requirements.
What do we do with it? Do we share it?
How we use it
In order to carry out our law enforcement, regulatory compliance and protective security functions, we may use the information we hold as evidence, and for analysis, risk assessment, audit and/or monitoring purposes.
Where we identify the need to use the information further, for example, to consider or investigate compliance breaches, or concerns, or initiate our own investigations or inquiries, we will only do so if required or permitted by law.
We may use information we gather to inform our wider compliance and regulatory strategies. In doing so we will comply with our obligations in the Privacy Act 2020 and any other relevant legislation.
When we work with others and share information
We may share information where necessary in order to properly carry out our legislated functions or to assist another public sector agency in fulfilling its regulatory compliance, law enforcement, or protective security responsibilities.
There are also joint operational situations where public servants operating under different legislative authorities may gather and share information while working together to achieve outcomes. For example, regulators coordinating enforcement action (either across or within agencies) or agencies working together to manage a security threat. Any joint operation requires governance, and determination of the lead agency and reporting requirements in advance of the operation.
This information will be shared in accordance with our statutory powers, with appropriate caveats and/or controls, and in compliance with the relevant legislation and any information sharing agreements with the other agency. This may include when we are considering and investigating compliance breaches, concerns, and initiating our own investigations or inquiries. We will take all practicable steps to verify information provided to third parties.
We may, for example, share information with:
- another regulator, oversight agency, or concerns body;
- the other party to a concern, for the purpose of investigating and resolving the concern;
- anyone we believe could provide information that is relevant to whether to investigate a concern, or to an investigation or inquiry, including witnesses to concern matters;
- the Police or another government agency, if required or authorised by law (for example to assist with the investigation of a criminal offence), or to report significant misconduct or breach of duty or where there is a serious threat to health or safety.
If information appears to us to have been gathered unlawfully, we may refer this to the Police.
For further information regarding information or data sharing:
How will we protect it?
Information is stored, accessed and retained in accordance with our Privacy Policy, Information and Records Management Policy, ICT Acceptable Use Policy, and the MBIE Code of Conduct. It also needs to be in compliance with the Public Service Commission code of conduct, and applicable laws including the Privacy Act 2020, and the Public Records Act 2005.
Oversight
Oversight responsibility for MBIE’s application of the Te Kawa Mataaho Public Service Commission Model Standards for Information Gathering and Public Trust is undertaken at multiple levels.
The requirements for MBIE branches to comply with the Model Standards for Information Gathering and Public Trust are set out in the MBIE Information Gathering Policy. Under the Policy the General Manager of each functional area which undertakes information gathering subject to the Model Standards is responsible for putting documented processes in place that ensure information gathering is compliant with the law, the policy and associated procedure, and agency risk management requirements.
Each General Manager is required to develop a Compliance, Monitoring and Assurance Plan for their functional area to ensure robust consideration of information gathering requirements. They are also required to make regular reports to the MBIE Information Gathering Policy Owner.
The MBIE Assurance Risk and Accountability Committee (ARA), a subcommittee of the MBIE Senior Leadership Team, has overarching oversight of MBIE’s information gathering activity within the scope of the policy. The Policy Owner assesses and provides advice to ARA on the performance and overall governance and assurance regime for information gathering activities within the scope of the policy. They make that advice on the basis of reports from General Managers and independent assurance reports.
The MBIE Enterprise Compliance function can also provide advice to the ARA Committee on whether the Policy Owner is adequately performing their duties.
Feedback and concerns
If you have any enquiries about our information gathering activities, or believe we have not acted in accordance with this statement, complete our concerns and feedback form.