Our Transparency Statement explains how we gather information for regulatory compliance, law enforcement and security risk assessments.
This transparency statement explains how the Environmental Protection Authority (EPA) gathers information for regulatory compliance, law enforcement and security risk assessments. The EPA gathers information for these purposes in order to keep people and the environment in New Zealand safe by:
- detecting, investigating and prosecuting criminal offending (e.g. knowingly providing misleading information to the EPA, such as an emissions return under the Climate Change Response Act 2002)
- preventing, investigating and responding to regulatory non-compliance (e.g. breaching a condition on a marine consent under the Exclusive Economic Zone and Continental Shelf (Environmental Effects) Act 2012)
- taking appropriate steps to respond to and mitigate threats to the physical security of staff, or the security of information or places (e.g. of staff and public at hearings).
We take care to exercise our information gathering powers lawfully and appropriately, and meet our obligations under the Privacy Act 1993, Search and Surveillance Act 2012, Bill of Rights Act 1990, EPA Code of Conduct, State Sector Code of Conduct, and relevant EPA policies and procedures at all times.
Governance and assurance framework
All EPA information gathering is governed by an information-gathering governance and assurance framework, including an information-gathering policy. Information gathering must be authorised according to our internal authorisation processes.
This process is informed by the specific statutory considerations and regulatory function applicable to the various teams in the EPA, the severity of the potential harm caused by the non-compliance, offending or threat. Each of our internal authorisation processes, and the related activities, are regularly reviewed.
When making decisions about information gathering, we take into account a range of considerations, including:
- the impact on individuals and their privacy
- the harm that the EPA is responsible for preventing or addressing
- the public interest in the EPA fulfilling its regulatory, law enforcement and security responsibilities and to assist other state sector agencies to fulfil their responsibilities
- the obligations on the EPA as a state sector agency.
This statement applies to information gathered by us, our contractors, or any other third parties engaged by us. We require any third party that is carrying out information gathering on our behalf to comply with the obligations of EPA employees.
What information is covered by this statement, and why do we collect it?
This section explains how we collect, use and share information when we are carrying out our functions such as considering and investigating compliance breaches, complaints, initiating our own investigations or inquiries, and determining compliance strategies.
We are also required to protect that information and only disclose information in accordance with the law, including information that we consider is necessary to disclose in order to give effect to our legislated responsibilities, to support other government agencies’ law enforcement, regulatory compliance and security activities.
How do we collect information?
Our legislation empowers us to request or demand the information we need to give effect to that legislation, including to monitor and ensure compliance, as well as carry out investigations where we believe people or organisations may be in breach.
We collect information from a wide variety of sources in both physical and digital environments. These sources include:
- individuals (via in-person interview, telephone call, observation) (voluntary and compulsory)
- information from publically available online sources (including websites, social media, and public registers)
- information from physical sources and locations (e.g. paper records, site visits, inspections)
- other agencies or entities (e.g. NZ government agencies, private sector companies, overseas governments and agencies)
- information gathered from technical and scientific devices (including technical measurement devices).
In considering how to collect information we take into account a range of factors, including:
- the official source of the information
- the credibility and reliability of the source of the information, where it is not an official source
- the impact of the collection on affected individuals
- the severity of the harm we are seeking to prevent or address; and
- the intended and possible outcome(s) of the information collection (for example, a prosecution or imposition of a fine or other statutory penalty).
Information collected directly
Much of the information we collect is provided directly by people or entities, or an authorised representative, as a requirement to fulfil statutory obligations and according to our powers as a regulator.
However, where we require information that is relevant to us considering and investigating compliance breaches, complaints, and initiating our own investigations or inquiries, we may gather information from people or entities using our statutory powers.
As part of the use of our statutory powers and to gather and preserve information and evidence, we may:
- require information to be provided by sworn statement or statutory declaration
- require an original copy of a document to be provided to us
- record an interview conducted in-person or via telephone
- take photographs, or samples during site visits or inspections; or
- request the assistance of another agency in relation to the exercising of our statutory powers, for example Worksafe.
Information collected from another person or agency
This may include us receiving or requesting information from other people or agencies. Any such information will be gathered in accordance with our statutory powers or other lawful authority and in compliance with the relevant legislation and any information sharing agreements.
We may also collect publicly available information – for example from social media, news reporting, and press releases – where this would assist us in carrying out any EPA functions, including to verify information that is collected by other means.
We will take all practicable steps to verify information received from third parties.
Information collection to prevent significant harm
The EPA has a responsibility to keep people (including our staff) and the environment in New Zealand safe, such as in the regulation of hazardous substances. In situations where the EPA is seeking to prevent, or address, significant harm we may consider it appropriate to undertake information gathering activity that has an increased impact on an individual’s privacy interests within the context of the overall public interest in our regulatory context.
We may collect information by means in which an EPA staff member is not immediately identifiable (such as a “mystery shopper” inquiry). This may be necessary where other means of information collection would prejudice an ongoing investigation, or otherwise prevent the EPA from fulfilling its responsibilities.
Collection in these circumstances is subject to enhanced levels of oversight and increased internal controls to ensure it is conducted appropriately.
Collection by third parties
Where information gathering requires specialist capability that we don’t have within our organisation, we may engage a third party to collect information for us. Such information gathering (including about individuals) is subject to standard legal limits relating to privacy, access to private property, and the privacy/security of communications by individuals, among other things.
We take care to exercise our information gathering powers lawfully and appropriately and meet our obligations under the Privacy Act 1993, State Sector Code of Conduct, and Information Gathering Model Standards at all times.
External security consultants
We may engage external security consultants to gather information to support our regulatory compliance activities. Any engagement of these consultants will be approved by a general manager and subject to robust contractual arrangements and regular oversight, with reporting to a governance group that is not directly involved in the decision-making or the result of the investigation.
Any external security consultant engaged by the EPA to gather information for regulatory compliance purposes will be a licensed private investigator and required to comply with EPA policies and procedures.
Any such information gathering must be approved according to our internal authorisation process. That process, and any related activities, are required to be regularly reviewed to ensure compliance with the law, our internal policies, and our risk management requirements.
What do we do with it? Do we share it?
How we use it
In order to carry out our law enforcement, regulatory compliance and security functions, we may use the information we hold for analysis, risk assessment, audit and / or monitoring purposes.
Where we identify the need to use the information further, for example, to consider or investigate compliance breaches, or complaints, or initiate our own investigations or inquiries, we will only do so if required or permitted by law.
We may use information gathered for these purposes to inform our wider compliance and regulatory strategies. In doing so we will comply with our obligations in the Privacy Act 1993.
When we share it
We may share information where necessary in order to properly carry out our legislated functions or to assist another state sector agency in fulfilling its regulatory compliance, law enforcement, or security responsibilities.
This information will be shared in accordance with our statutory powers, with appropriate caveats and/or controls, and in compliance with the relevant legislation and any information sharing agreements with the other agency. This may include when we are considering and investigating compliance breaches, complaints, and initiating our own investigations or inquiries. We will take all practicable steps to verify information provided to third parties.
We may, for example, share information with:
- another regulator, oversight agency, or complaints body
- the other party to a complaint, for the purpose of investigating and resolving the complaint
- anyone we believe could provide information that is relevant to whether to investigate a complaint, or to an investigation or inquiry, including witnesses to complaint matters
- the Police or another government agency, if required or authorised by law (for example to assist with the investigation of a criminal offence), or to report significant misconduct or breach of duty or where there is a serious threat to health or safety.
If our staff are threatened or abused, or information appears to us to have been gathered unlawfully, we may refer this to the Police.
How will we protect it?
Information is stored, accessed and retained in accordance with our legal obligations, including the Privacy Act and the Public Records Act.
Feedback and complaints
If you have any enquiries about our information gathering activities, or believe we have not acted in accordance with this statement, please use the complaints form below: