Kia ora koutou,
In less than two weeks, New Zealand Privacy Commissioner Michael Webster will present during the IAPP ANZ Summit 2023 in Sydney, sharing the Office of the Privacy Commissioner's current focus on and future priorities around enforcement of the New Zealand Privacy Act. How timely then that the office released its Annual Report for the year ending 30 June. The report is excellent background reading for the commissioner's keynote address, but in case you do not have time to get into it, here are a few highlights:
- The OPC achieved a significant amount in the reporting year, with activities ranging from specific investigations and compliance actions, such as the joint investigation into Latitude Financial, through building internal capabilities and resources, like the appointment of a new Pou Ārahi (Māori principal advisor) to ensure Te Ao Māori becomes a vital part of the work the office does, to front-footing the big issues facing privacy professionals around the world, including biometrics, AI, data portability and children's privacy.
- The office saw a material increase in complaints and privacy breach notifications. From 2022 to 2023, the OPC received 870 complaints, compared to 486 the previous year, and 838 privacy breach notifications, an increase from 657 in the prior year. While the report offered no views on the causes of these increases, it is arguable they represent increasing maturity among both agencies and consumers about their privacy rights and obligations.
- While the joint investigation into Latitude Financial was ongoing, the OPC noted the case highlighted a significant risk related to data-retention policies and the practices of public and private agencies. The report advised agencies not to collect or retain personal information unless it is necessary for lawful purposes connected with their function or activities, noting "you can't have hacked what you've already deleted." The case highlights a surprising level of noncompliance with one of privacy's most fundamental concepts — data minimization — in view of the fact that the ANZ region has had privacy laws in place for over 30 years.
- Research conducted during the reporting period revealed Māori communities are at particular risk of harm from privacy breaches. By working alongside Māori, and increasing understanding and capabilities in relation to Te Ao Māori, the office hopes to increase education across the Māori community and help mitigate future harms. The appointment of a new Pou Ārahi will undoubtedly contribute to the OPC's success in this endeavour.
- The 2023 budget provided the OPC with additional funding of NZD780,000 per annum. The office sees this as a signal that the then-government recognized the importance of privacy rights. The office will use this increased funding to strengthen its compliance and enforcement function, and shift the policy and advocacy function towards more proactive work. This is timely, given the evolving technological challenges it contends with.
I hope to see many of you in Sydney 28-29 Nov., where we will hear more from the commissioner on some of the points above, and on his plans for the year to come. If you're coming, safe travels. If you're not, keep an eye out for articles and commentary on the ANZ Summit, and I hope to see you again another time.