First steps for a data protection commissioner:

Some suggestions from

New Zealand

Katrine Evans

Assistant Commissioner (Legal and Policy)

Kuala Lumpur, 9 February 2012

New Zealand Privacy Act

• 1993• Covers nearly all agencies that

hold personal information (public sector, non-profits eg charities, individuals) as well as private sector

• Codes of Practice governing health information, credit reporting agencies and telecommunications agencies

Personal Information

Information about a human being,

who is:

• Living

• Identifiable

Purpose is Key• Our Act focuses on purpose (not

consent)• Purpose must be lawful; necessary to

collect and use information; only relevant information collected; method of collection fair and not unreasonably intrusive; open with individual concerned

• Subsequent uses and disclosures within those purposes are acceptable

• If changing purpose, may need consent (unless needed for court, law enforcement, protecting safety)

Commissioner Functions

• Complaint investigation and (indirectly) enforcement

• Guidance material, education, advice for public and business

• Policy advice and comment on legislation

• Monitor technology developments

• Monitor data matching programmes

• Develop codes of practice

• International participation

Some ideas for setting up a DPA

Message #1Help agencies to get it right

Aim = Act should be “self-policing”

That is, agencies know how to get

it right so problems don’t arise or

are quickly fixed.

Privacy officers – key role

DPA can:• Educate agencies about why

they need privacy officers• Educate privacy officers about

the Act• Support privacy officers by

providing advice and information• Set up privacy officer networks

so they can support each other

User-friendly information

• Identify target audiences (you can’t help everyone immediately!)

• Short, plain language documents (eg checklists) – make it easy to get things right

• Partnerships with business or industry associations – develop and distribute material

• Have a free helpline for businesses and media to get basic information

Message #2Partnerships with other

commissioners

• Joint enforcement action

• Often can adapt or republish information that other commissioners have written

• Regional co-operation (APPA) – even as observer

• Privacy Awareness Week

Message #3Quick and effective

complaint resolution• Personal contact with parties – it’s

quicker and better on the phone

• Resolve things informally if possible

• Avoid being too “legal” in communications unless engaging in formal enforcement

• Identify common problems (eg within an industry) and deal with problem not just with separate complaints – aim is to change systems for the better to prevent problems arising

Contact

www.privacy.org.nz (RSS feeds and subscription service to free newsletters, case notes etc available)

enquiries@privacy.org.nz

Katrine.Evans@privacy.org.nz (also through LinkedIn)

Watch out for our Facebook page andTwitter feeds – coming soon!