Source: New Zealand Privacy Commissioner – Blog
Sometimes it’s critical to get information to people who want to help. But how do we balance great uses of personal information with strong protections for people’s privacy?
In August 2025 emergency services got access to device location information (DLI), a new way to find and help people when they cannot call 111 (for example if they’re injured or lost). That’s a great outcome, and it’s one enabled by the Privacy Act.
What has happened until now is that when you call 111 your network provider can often send information about your location to emergency services (ambulance services, Fire and Emergency, and New Zealand Police). This is called “emergency caller location information”, and it’s specific to 111 calls.
This sharing of information is enabled by the Telecommunications Information Privacy Code. Schedule 4 of that Code sets out the rules that enable emergency services to get this location information quickly, as well as privacy safeguards that keep it safe. The Privacy Commissioner added Schedule 4 to the code in 2017, following public consultation on the options, risks, and benefits of this sharing. The Code also enables the new device location information service.
When would device location information be used?
Sometimes there are emergencies where people need urgent help but cannot call 111, such as search and rescue situations. Or sometimes a 111 call drops out, or a call gets transferred to 111 operators without location information.
Use of DLI can help in these situations, but it also involves an intrusion on privacy, particularly when the person is not calling 111 themselves. That means it’s important there are strong safeguards around when the information is collected and how it is used.
The rules in Schedule 4 set out strict safeguards for the use of DLI by emergency responders. These safeguards include:
- Sharing is limited to specific agencies: Police, Fire and Emergency, ambulance services, and organisations involved in search and rescue operations.
- The threshold to use DLI is high. An emergency service provider can only request DLI if they believe it will enable them to prevent or lessen a serious threat to the life or health of the individual concerned or another individual, and that means a threat that is likely enough, severe enough, and urgent enough.
- Before they use DLI, an emergency service provider needs to check it relates to the right person.
- A person whose DLI is collected must be notified unless this would create a safety risk. This notification will be by a text message to the individual. This may be sent to the person at the time or later on.
- All disclosures of DLI to emergency services must be logged, and the disclosure log must be reported to the Privacy Commissioner every three months.
DLI is not about collecting new information on people’s location, or about tracking individual devices. It’s about getting information that network providers already hold to emergency services quickly, with good safeguards, where this helps to prevent or lessen a serious threat to someone’s life or health.
A great example of good privacy practice
At OPC, we often talk about good privacy practices being “how to, not don’t do”. We think that the story of device location information is a great example, and we’ll be keeping an eye on it to make sure that the goal of upholding New Zealanders’ privacy is met as it rolls out in practice.
How it works
by James Ting-Edwards, Senior Policy Advisor Ι Kaitohutohu Tuakana Kaupapahere
