Kia ora koutou,
During the last year, I have had the privilege, alongside a team of others, to work with the Office of the New Zealand Privacy Commissioner to develop Poupou Matatapu. The comprehensive toolkit is intended to help New Zealand organizations — and those overseas doing business in New Zealand — do privacy well. Poupou Matatapu sets the OPC's expectations about what good privacy practice looks like and gives organizations guidance to help meet those expectations.
This toolkit is a major part of the OPC's efforts to meet the key drivers described in its Compliance and Regulatory Action Framework — public trust, education and accountability. As part of the education driver, the OPC has committed to provide organizations with tools, resources, guidance and advice on how they can best protect individual privacy, and to help organizations understand their obligations. The OPC has clearly signaled that it will use and refer to Poupou Matatapu when it is working with organizations, and that an organization's efforts to follow and implement the guidance might be something it considers when deciding whether to take compliance action.
The te reo Māori name Poupou Matatapu refers to the "poupou" (posts or pillars) of "matatapu" (privacy): essentially, the foundations of doing privacy well. These foundations address the key components of a strong privacy program, as follows:
Governance. This pou reflects the importance of strong leadership and oversight to do privacy well. It covers four core elements of effective privacy governance — leadership, oversight, accountability and senior sponsorship.
Knowing your personal information. Like the data mapping and recordkeeping requirements in other privacy laws, this pou reflects that one of the first steps in preparing any privacy program is to understand what personal information an organization processes, in order to identify its privacy risk profile. This is instructive in deciding how best to apply the rest of the pou.
Security and internal access controls. This pou sets some basic expectations in relation to information security across physical, technical and organizational controls, recognizing security is a critical component of a robust privacy program.
Transparency. This pou provides guidance on achieving effective and meaningful privacy transparency, a critical part of building trust in the way an organization handles personal information.
Building capability and awareness. This pou recognizes that good training is an important component of building privacy capability and driving a mature privacy culture. It offers guidance on effective training programs and privacy awareness exercises.
Breach management. This pou provides guidance on building a breach management system, which helps an organization respond to privacy breaches appropriately and provides an important source of intelligence to inform a privacy program.
Responding to requests and complaints. This pou reflects that the way an organization responds to privacy requests and complaints can build or undermine the trust and confidence of its data subjects. It provides guidance on responding to privacy requests and handling complaints.
Assessing risk. This pou recognizes the importance of analyzing and assessing projects or initiatives that impact the processing of personal information. It provides guidance tailored to the New Zealand context, including cultural and community considerations and obligations under Te Tiriti o Waitangi.
Measuring and monitoring. This pou is intended to ensure organizations can build a self-sustaining, embedded and ongoing privacy culture. It anticipates the use of key metrics to drive a strategic and risk-based approach to privacy management.
Privacy management plan. This pou underpins all the other pou. It is designed to be used as a plan for implementing the entire framework and requires the organization to identify specific, measurable goals to improve its privacy capability and to outline how these goals will be achieved.
Importantly, Poupou Matatapu takes a risk-based approach. It uses a series of organizational examples to reflect the diversity of organizations that must comply with privacy obligations, and tells stories about how these organizations have applied Poupou Matatapu in practice. These examples include a large corporate, a small charity, a tech start-up, an independent contractor and a government agency. This is important, because what "good" looks like will be determined by an organization's privacy risk profile, complexity and resourcing. The approach ensures the guidance can be right-sized for each organization.
The OPC has made clear that it will use Poupou Matatapu as a benchmark for its compliance and other activities, so New Zealand organizations and overseas organizations doing business in New Zealand will need to engage with the guidance and take steps to implement it. In my view, setting aside the OPC's expectations and signals, the guidance will provide immense value to privacy professionals charged with developing and implementing privacy programs, setting clear and objective standards for good privacy practice.