Firms holding private information about any of their customers need good answers to eight questions to be sure they're protecting their customers' data well enough.

This is according to a new set of draft guidelines from the government-funded but independent Data Futures Partnership.

Entitled "A Path to Social Licence", the partnership's initiative proposes eight key questions as a way to guide "trusted data use", recommending particular care with private data use involving "low-trust" communities, and impacts on Maori, Pasifika and low income populations.

In the use of personal financial information used for lending and employment decisions, the guidelines propose that any algorithms used in those formula-based decision tools should be disclosed to the applicant, who should have a right to "contest the decision, including the data that was used in the algorithm".


With the use of so-called "big data" sets for population-wide research used in areas ranging from marketing to statistical analysis and policy-making, the Data Futures Partnership recommends against hard and fast rules, favouring instead a series of "the eight key questions New Zealanders want answered" on data privacy.

"The answers that organisations provide to these questions will determine how comfortable people feel about the use to which their data is proposed to be put" because "organisations must work with personal information in ways that are trusted" or risk being unable to operate effectively.

"Organisations using data for a novel purpose or in ways that affect communities with a low level of trust will need to do more to achieve community acceptance," the guidelines say, with "being transparent on how data is being used" being crucial to community acceptance of the organisation holding, let alone using, the data.

The guidelines split the eight questions into three broad categories: value, protection and choice.

The value questions are: what will my data be used for? what are the benefits and who will benefit? who will be using my data?

On protection: is my data secure? will my data be anonymous? can I see and correct data about me?

And on choice: will I be asked for consent? Could my data be sold?

Commitment to informing people on databases if the use of their data is to change and allowing opt-outs are among recommended requirements.