“New Zealanders need to have trust and confidence in the way their information is being managed and used by government agencies” (ict.govt.nz). We agree. That, in turn, requires agencies to ensure they comply with the Privacy Act 1993 and to be aware of and, where relevant, comply with the requirements or expectations of the:
- Government Chief Privacy Officer’s Privacy Maturity Assessment Framework
- privacy breach guidelines in the Privacy Commissioner’s Data Safety Toolkit
- privacy-related components of the Government’s Protective Security Requirements
- relevant aspects of the Government’s Web Usability Standard and related guidance in the New Zealand Government Web Toolkit.
At the same time, privacy law and practice is not all about restriction. Sometimes agencies fear breaching privacy when, in fact, what they’d like to do can already be done under the Privacy Act’s Information Privacy Principles or other legislation, can be enabled through mechanisms available to them or can be solved through a privacy-centric design approach.
Then there’s the sometimes challenging task of applying generic privacy principles to novel issues that continue to arise from digital technologies and both the public and private sectors’ desire to leverage the insights that can flow from ‘big data’ aggregations.
We regularly advise agencies on wide-ranging and often complex privacy and big data issues. Our work has included:
- reviewing organisational privacy policies and agency compliance with the IPPs
- surveying agency staff and assessing agency maturity under the Privacy Maturity Assessment Framework and making recommendations to improve IPP compliance and the level of privacy-related maturity
- reviewing and contributing to privacy impact assessments
- advising on approved information sharing agreements under Part 9A of the Privacy Act and their associated processes and privacy impact assessments
- developing open data principles that recognise the importance of personal privacy and the potential risks of aggregating seemingly anonymised datasets
- advising on relevant aspects of the Statistics Act 1975
- preparing guidance for staff on the use and disclosure of student-related personal information
- advising on the privacy implications of machine-to-machine processing of personal information that is encrypted at both ends prior to processing in a manner than ensures no human being will ever see any personal identifiers and where the processing was for beneficial research purposes
- advice on and drafting of privacy-centric contractual provisions
- drafting and amending of privacy policies for multiple government websites
- negotiation of contracts for an online consultation service to ensure Privacy Act compliance.