Transparency Statement

Overarching statement

This transparency statement explains how the Department of Internal Affairs (DIA) gathers information for regulatory compliance and law enforcement purposes.  DIA gathers information for these purposes in order to keep people in New Zealand safe by:

  • detecting, investigating and prosecuting criminal offending (e.g. publication of objectionable material, breaches of the law such as crimes of dishonesty involving or relating to gambling); and)
  • preventing, investigating and responding to regulatory non-compliance (e.g. breaches of the Gambling Act 2003, the Unsolicited Electronic Messages Act 2007 and the Anti-Money Laundering and Countering Financing of Terrorism Act 2011).

We take care to exercise our information gathering powers lawfully and appropriately, and meet our obligations under the Privacy Act 2020, Search and Surveillance Act 2012, New Zealand Bill of Rights Act 1990, Evidence Act 2006, DIA Code of Conduct, State Sector Code of Conduct, and other relevant legislation and DIA policies and procedures at all times.

Governance and assurance framework

All information gathering by DIA is governed by an information gathering framework, including an information gathering policy.  Information gathering must be authorised according to our internal authorisation processes.  These processes may vary within various teams in DIA according to their regulatory function and the severity of the potential harm caused by the non-compliance or offending.  Each of our internal authorisation processes, and the related activities, are regularly reviewed to ensure compliance with the law, our internal policies, and our risk management requirements.

When making decisions about information gathering, we take into account a range of considerations, including the impact on individuals and their privacy; the harm that DIA is responsible for preventing or addressing; the public interest in DIA fulfilling its regulatory, law enforcement and security responsibilities and to assist other state sector agencies to fulfil their responsibilities; and the obligations on DIA as a state sector agency.

This statement applies to information gathered by us, our contractors, or any other third parties engaged by us. We require any third party that is carrying out information gathering on our behalf to comply with the obligations of DIA employees. 

What information is covered by this statement, and why do we collect it?

This section explains how we collect, use and share information when we are carrying out our functions such as considering and investigating compliance breaches, complaints, initiating our own investigations or inquiries, and determining compliance strategies.

We are also required to protect that information and only disclose what we consider is necessary to give effect to our legislated responsibilities, to support other government agencies’ law enforcement, regulatory compliance and protective security activities, or otherwise in accordance with the law.

How do we collect information?

Our legislation empowers us to request or require the information we need to give effect to that legislation, including to monitor and ensure compliance, as well as carry out investigations where we believe people or organisations may be in breach.

We collect information from a wide variety of sources in both physical and digital environments.  These sources include: individuals (via in-person interview, telephone call, observation) (voluntary and compulsory); information from online sources (including websites, social media, and public registers); information from physical sources and locations (e.g. paper records, site visits, inspections); other agencies or entities (e.g. NZ government agencies, private sector companies, banks, overseas governments and agencies); information gathered from technical and scientific devices.

In considering how to collect information we take into account a range of factors, including:

  • the official source of the information;
  • the credibility and reliability of the source of the information, where it is not an official source;
  • the impact of the collection on affected individuals;
  • the severity of the harm we are seeking to prevent or address; and
  • the intended and possible outcome(s) of the information collection (for example, a prosecution or imposition of a fine or other statutory penalty).

Information collected directly

Much of the information we collect is provided directly by people or entities, or an authorised representative, as a requirement to fulfil statutory obligations and according to our powers as a regulator.

However, where we require information that is relevant to us considering and investigating compliance breaches, complaints, and initiating our own investigations or inquiries, we may gather information from people or entities using our statutory powers.

As part of the use of our statutory powers and to gather and preserve information and evidence, we may:

  • require information to be provided by sworn statement or statutory declaration;
  • require an original copy of a document to be provided to us;
  • record an interview conducted in-person or via telephone;
  • take photographs during site visits or inspections;
  • clone or copy computers and electronic devices; or
  • use specialist equipment (for example to examine computer hard drives for child sexual exploitation material)

We may request the assistance of another agency in relation to the exercising of our statutory powers, for example the New Zealand Police.

Information collected from another person or agency

This may include us receiving or requesting information from other people or agencies.  Any such information will be gathered in accordance with our statutory powers or other lawful authority and in compliance with the relevant legislation and any information sharing agreements, as described in the section How do we collect information.

We may also collect publicly available information – for example from social media, news reporting, and press releases – where this would assist us in carrying out any DIA functions, including to verify information that is collected by other means.  

We will take all practicable steps to verify information received from third parties.

Information collection to prevent significant harm

DIA has a responsibility to keep people in New Zealand safe, such as in the financial, identity, and consumer protection contexts.  In situations where DIA is seeking to prevent, or address, significant harm we may consider it appropriate to undertake information gathering activity that has an increased impact on an individual. 

We may collect information by means in which an DIA staff member is not immediately identifiable.  This may be necessary where other means of information collection would prejudice an ongoing investigation, or otherwise prevent DIA from fulfilling its responsibilities.  This includes surveillance activities in accordance with the Search and Surveillance Act 2012.

Collection in these circumstances is subject to enhanced levels of oversight and increased internal controls to ensure it is conducted appropriately. 

Collection by third parties

Where information gathering requires specialist capability that we don’t have within our organisation, we may engage a third party to collect information for us.  Such information gathering (including about individuals) is subject to standard legal limits relating to privacy, access to private property, and the privacy/security of communications by individuals, among other things.

We take care to exercise our information gathering powers lawfully and appropriately and meet our obligations under the Privacy Act 2020, State Sector Code of Conduct, and Information Gathering Policy at all times. 

External security consultants

We may engage external security consultants to gather information to support our regulatory compliance activities.  Any engagement of these consultants will be in consultation with the Chief Security Officer and Legal Services approved by a general manager or deputy chief executive and subject to robust contractual arrangements and regular oversight, with reporting to a governance group that is not directly involved in the decision-making or the result of the investigation.

Any external security consultant engaged by DIA to gather information for regulatory compliance purposes will have the necessary licenses; will be compliant with the Private Security Personnel and Private Investigators (Code of Conduct – Surveillance of Individuals) Regulations 2011; will be required to ensure that conflicts of interest are declared and managed appropriately, and are required to comply with DIA policies and procedures. 

Any such information gathering must be approved according to our internal authorisation process. That process, and any related activities, are required to be regularly reviewed to ensure compliance with the law, our internal policies, and our risk management requirements.

What do we do with it? Do we share it?

How we use it

In order to carry out our law enforcement and regulatory compliance, we may use the information we hold for analysis, risk assessment, audit or monitoring purposes.

Where we identify the need to use the information further, for example, to consider or investigate compliance breaches, or complaints, or initiate our own investigations or inquiries, we will only do so if required or permitted by law.

We may use information gathered for these purposes to inform our wider compliance and regulatory strategies.  Personal information will only be used where necessary for those purposes.

When we share it

We may share information where necessary in order to properly carry out our legislated functions or to assist another state sector agency in fulfilling its regulatory compliance, law enforcement, or protective security responsibilities.

This information will be shared in accordance with our statutory powers, with appropriate caveats and/or controls, and in compliance with the relevant legislation and any information sharing agreements with the other agency. This may include when we are considering and investigating compliance breaches, complaints, and initiating our own investigations or inquiries. We will take all practicable steps to verify information provided to third parties.

We may, for example, share information with:

  • another regulator, oversight agency, or complaints body
  • the other party to a complaint, for the purpose of investigating and resolving the complaint
  • anyone we believe could provide information that is relevant to whether to investigate a complaint, or to an investigation or inquiry, including witnesses to complaint matters
  • the Police or another government agency, if required or authorised by law (for example to assist with the investigation of a criminal offence), or to report significant misconduct or breach of duty or where there is a serious threat to health or safety.

If our staff are threatened or abused, or information appears to us to have been gathered unlawfully, we may refer this to the Police.

How will we protect it?

Information is stored, accessed and retained in accordance with our Privacy Policy, Information Management Policy, and the DIA Code of Conduct which incorporates our ICT and security policies, and in compliance with the Privacy Act 2020 and the Public Records Act 2005. 

Feedback and complaints

If you have any enquiries about our information gathering activities, or believe we have not acted in accordance with this statement, please contact us.


See also: