New Zealand’s 1993 privacy law required all agencies, both public and private sector, to appoint a privacy officer from “within that agency.” The new Privacy Act 2020 allows agencies to appoint individuals from “outside the agency” (see subpart 201).
The small change raises some issues and opportunities for agencies and privacy professionals. It is noteworthy too that the agencies to which the act applies explicitly include “overseas agencies” for the first time (see subparts 4 and 9).
The law change resulted from a 1998 recommendation of the privacy commissioner. The then-privacy commissioner wrote at the time:
"In most cases the appropriate person to have the responsibilities of privacy officer will be an individual within the particular agency. However, there may be instances where an individual outside the agency would satisfactorily fulfil the role.
I offer as an example a franchised video library. It might be a small business with, say, a manager and six or seven staff and yet be the repository of large holdings of personal information. However, across a city there might be seven or eight franchised businesses run on identical lines. It might be possible to have an individual who is not within the agency - since the franchised businesses are separate agencies - do an excellent job as privacy officer through familiarity with the information aspects of the business. Such as officer may, at less cost than doing so in separate agencies, obtain experience with compliance issues and complaints handling. He or she may also have a degree of independence from the day to day decisions that gave rise to a complaint, thereby offering a degree of detachment which can facilitate resolution of a customer or employee complaint."
Although video libraries may have disappeared in the ensuing years, the case for external privacy officers has not. The commissioner added, "It would be possible for some businesses to offer their services as a privacy officer. While lawyers or accountants might feel able to offer such a service to corporate clients the model I had in mind is something akin to the companies that provide ‘body corporate’ services to blocks of apartments. It may also be that an experienced privacy officer might on retirement wish to spend a few hours a week, or days a month, offering contract services as a privacy officer to former employer or to agencies in the sector that he or she formerly worked in. I have seen this work well with experience and detachment combined to achieve excellent resolution of complaints and encouragement of compliance.
I should add that I see the opportunity for outside privacy officers as being quite limited. However, in certain limited circumstances I can see a case for a niche ‘privacy officer firm’ or an individual taking on the task for a number of separate agencies."
The Law Commission endorsed the idea in its 2011 review, noting that it could make more sense for smaller agencies to pay an outside consultant to perform the privacy officer role than appointing someone from within the agency.
The EU General Data Protection Regulation also allows for data protection officers to be appointed from outside an agency and provide services to multiple agencies (see Article 37). The European Data Protection Board has given guidance in relation to an appointment from outside an agency that may also be useful in contracting out the privacy officer role in NZ:
"The DPO may fulfil the tasks on the basis of a service contract. This means that the DPO can be external, and in this case, his/her function can be exercised based on a service contract concluded with an individual or an organisation. When the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the DPO tasks as a team, under the responsibility of a designated lead contact and ‘person in charge’ of the client. In this case, it is essential that each member of the external organisation exercising the functions of a DPO fulfils all applicable requirements of the GDPR.
For the sake of legal clarity and good organisation and to prevent conflicts of interests for the team members, the Guidelines recommend to have, in the service contract, a clear allocation of tasks within the external DPO team and to assign a single individual as a lead contact and person 'in charge' of the client."
In relation to the joint appointment of a data protection officer by more than one organization, the EDPB has emphasized that the DPO needs to be easily accessible and have the capacity to service the multiple agencies: "A group of undertakings may designate a single DPO provided that he or she is ‘easily accessible from each establishment’. The notion of accessibility refers to the tasks of the DPO as a contact point with respect to data subjects, the supervisory authority and also internally within the organisation. In order to ensure that the DPO is accessible, whether internal or external, it is important to make sure that their contact details are available. The DPO, with the help of a team if necessary, must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO.
A single DPO may be designated for several public authorities or bodies, taking account of their organisational structure and size. The same considerations with regard to resources and communication apply. Given that the DPO is in charge of a variety of tasks, the controller or the processor must ensure that a single DPO, with the help of a team if necessary, can perform these efficiently despite being designated for several public authorities and bodies."
Contracting out the privacy officer role will not necessarily lead to monetary savings, although it might. However, contracting out would probably allow for a greater degree of expertise in the role especially for small- and medium-sized enterprises that may struggle to have access to high-quality privacy compliance skills within their workforce.
For the person providing the outsourced privacy officer services, there will be many considerations including compatibility with any other roles they perform and the possibility of conflicts of interest, especially if providing services to more than one agency. However, these issues are manageable, and the law change provides new career opportunities for privacy professionals who believe this is their calling.
Takeaways
- Privacy Act 2020 allows agencies to use outsiders to meet their privacy officer obligation and creates opportunities for service providers to deliver privacy officer services to particular or multiple agencies.
- Overseas agencies carrying on business in New Zealand will need to have a privacy officer within or outside the agency.
- A privacy officer operating outside an agency will need to be easily accessible, have the capacity to service the agency or agencies, and manage potential conflicts of interest.
Photo by Sulthan Auliya on Unsplash