Information gathering for regulatory compliance, law enforcement and protective security purposes.
This transparency statement explains how the Ministry of Business, Innovation and Employment (MBIE) gathers information for regulatory compliance, law enforcement and protective security purposes. MBIE gathers information for these purposes in order to keep people in New Zealand safe and prevent harm by:
- detecting, investigating and prosecuting criminal offending (e.g. fraud, migrant exploitation, breaches of the law such as the Immigration Act 2009, and Crimes Act 1961)
- preventing, investigating and responding to regulatory non-compliance (e.g. breaches relating to vulnerable tenants, employer’s breaches of the Employment Relations Act 2000); and
- taking appropriate steps to respond to and mitigate threats to the physical security of staff, or the security of information or places (e.g. a physical security breach, web-hacking).
We take care to exercise our information gathering powers lawfully and appropriately, and meet our obligations under the Privacy Act 2020, Search and Surveillance Act 2012, Bill of Rights Act 1990, MBIE Code of Conduct, State Sector Code of Conduct, and relevant MBIE policies and procedures at all times.
Information gathering must be authorised according to our internal authorisation processes. These processes may vary within various teams in MBIE according to their regulatory function and the severity of the potential harm caused by the non-compliance, offending or threat. Each of our internal authorisation processes, and the related activities, are regularly reviewed.
When making decisions about information gathering, we take into account a range of considerations, including the impact on individuals and their privacy; the harm that MBIE is responsible for preventing or addressing; the public interest in MBIE fulfilling its regulatory, law enforcement and security responsibilities and to assist other state sector agencies to fulfil their responsibilities; and the obligations on MBIE as a state sector agency.
This statement applies to information gathered by us, our contractors, or any other third parties engaged by us. We require any third party that is carrying out information gathering on our behalf to comply with the obligations of MBIE employees.
What information is covered by this statement, and why do we collect it?
This section explains how we collect, use and share information when we are carrying out our functions such as considering and investigating compliance breaches, concerns, initiating our own investigations or inquiries, and determining compliance strategies.
We are also required to protect that information and only disclose information in accordance with the law, including information that we consider is necessary to disclose in order give effect to our legislated responsibilities, to support other government agencies’ law enforcement, regulatory compliance and protective security activities.
Our legislation empowers us to request or demand the information we need to give effect to that legislation, including to monitor and ensure compliance, as well as carry out investigations where we believe people or organisations may be in breach.
We collect information from a wide variety of sources in both physical and digital environments. These sources include: individuals (via in-person interview, telephone call, observation) (voluntary and compulsory); information from online sources (including websites, social media, and public registers); information from physical sources and locations (e.g. paper records, site visits, inspections); other agencies or entities (e.g. NZ government agencies, private sector companies, banks, overseas governments and agencies); information gathered from technical and scientific devices (including biometric information collection, technical measurement devices).
In considering how to collect information we take into account a range of factors, including:
- the official source of the information;
- the credibility and reliability of the source of the information, where it is not an official source;
- the impact of the collection on affected individuals;
- the severity of the harm we are seeking to prevent or address; and
- the intended and possible outcome(s) of the information collection (for example, a prosecution or imposition of a fine or other statutory penalty).
Information collected directly
Much of the information we collect is provided directly by people or entities, or an authorised representative, as a requirement to fulfil statutory obligations and according to our powers as a regulator.
However, where we require information that is relevant to us considering and investigating compliance breaches, concerns, and initiating our own investigations or inquiries, we may gather information from people or entities using our statutory powers.
As part of the use of our statutory powers and to gather and preserve information and evidence, we may:
- require information to be provided by sworn statement or statutory declaration;
- require an original copy of a document to be provided to us;
- require an individual to provide biometric information (for example, a person’s fingerprints to confirm or verify a person’s identity for immigration purposes);
- record an interview conducted in-person or via telephone;
- take photographs during site visits or inspections; or
- use specialist equipment (for example to monitor interference with the radio spectrum).
We may request the assistance of another agency in relation to the exercising of our statutory powers, for example the New Zealand Police.
Information collected from another person or agency
This may include us receiving or requesting information from other people or agencies. Any such information will be gathered in accordance with our statutory powers or other lawful authority and in compliance with the relevant legislation and any information sharing agreements, as described in the section How do we collect information?.
We may also collect publicly available information – for example from social media, news reporting, and press releases – where this would assist us in carrying out any MBIE functions, including to verify information that is collected by other means.
We will take all practicable steps to verify information received from third parties.
Information collection to prevent significant harm
MBIE has a responsibility to keep people in New Zealand safe and to prevent harm, such as in the employment, immigration, and consumer protection contexts. In situations where MBIE is seeking to prevent, or address, significant harm we may consider it appropriate to undertake information gathering activity that has an increased impact on an individual.
We may collect information by means in which an MBIE staff member is not immediately identifiable. This may be necessary where other means of information collection would prejudice an ongoing investigation, or otherwise prevent MBIE from fulfilling its responsibilities. This includes surveillance activities in accordance with the Search and Surveillance Act 2012.
Collection in these circumstances is subject to enhanced levels of oversight and increased internal controls to ensure it is conducted appropriately.
Collection by third parties
Where information gathering requires specialist capability that we don’t have within our organisation, we may engage a third party to collect information for us. Such information gathering (including about individuals) is subject to standard legal limits relating to privacy, access to private property, and the privacy/security of communications by individuals, among other things.
We take care to exercise our information gathering powers lawfully and appropriately and meet our obligations under the Privacy Act 2020, State Sector Code of Conduct, and Information Gathering Model Standards at all times.
External security consultants
We may engage external security consultants to gather information to support our regulatory compliance activities. Any engagement of these consultants will be approved by a general manager or deputy chief executive and subject to robust contractual arrangements and regular oversight, with reporting to a governance group that is not directly involved in the decision-making or the result of the investigation.
Any external security consultant engaged by MBIE to gather information to support our regulatory compliance activities will be a licensed private investigator and required to comply with MBIE policies and procedures.
Any such information gathering must be approved according to our internal authorisation process. That process, and any related activities, are required to be regularly reviewed to ensure compliance with the law, our internal policies, and our risk management requirements.
What do we do with it? Do we share it?
How we use it
In order to carry out our law enforcement, regulatory compliance and protective security functions, we may use the information we hold as evidence, and for analysis, risk assessment, audit and/or monitoring purposes.
Where we identify the need to use the information further, for example, to consider or investigate compliance breaches, or concerns, or initiate our own investigations or inquiries, we will only do so if required or permitted by law.
We may use information we gather to inform our wider compliance and regulatory strategies. In doing so we will comply with our obligations in the Privacy Act 2020.
When we share it
We may share information where necessary in order to properly carry out our legislated functions or to assist another state sector agency in fulfilling its regulatory compliance, law enforcement, or protective security responsibilities.
This information will be shared in accordance with our statutory powers, with appropriate caveats and/or controls, and in compliance with the relevant legislation and any information sharing agreements with the other agency. This may include when we are considering and investigating compliance breaches, concerns, and initiating our own investigations or inquiries. We will take all practicable steps to verify information provided to third parties
We may, for example, share information with:
- another regulator, oversight agency, or concerns body
- the other party to a concern, for the purpose of investigating and resolving the concern
- anyone we believe could provide information that is relevant to whether to investigate a concern, or to an investigation or inquiry, including witnesses to concern matters
- the Police or another government agency, if required or authorised by law (for example to assist with the investigation of a criminal offence), or to report significant misconduct or breach of duty or where there is a serious threat to health or safety.
If our staff are threatened or abused, or information appears to us to have been gathered unlawfully, we may refer this to the Police.
How will we protect it?
Feedback and concerns
If you have any enquiries about our information gathering activities, or believe we have not acted in accordance with this statement, please complete our concerns and feedback form.