The Privacy Commission has launched the Privacy Trust Mark awards to recognise excellence in privacy-friendly products or services. The first two recipients are TradeMe and Real Me service from the Department of Internal Affairs, it was announced at the Privacy Forum in Wellington yesterday.
“Trade Me is the only the New Zealand agency who participates in transparency reporting, above and beyond what is required of it by law. I am particularly impressed with the way Trade Me draws wider privacy issues in its transparency reports as a way of keeping the public informed on topical issues,” Privacy Commissioner John Edwards says.
RealMe was awarded the Privacy Trust Mark because of its data minimisation and user control practices. “Users can control when and where their identity information is shared and can review all of their transactions and revoke their consent at their discretion. RealMe also only collects and stores information that is required to administer the core service,” Edwards says.
Privacy trust marks programmes are used in overseas markets, notably in the US where the TRUSTe ‘privacy seal’ is awarded to organisations that have demonstrated compliance with certification standards and a commitment to privacy protection. Japan’s PrivacyMark scheme certifies an organisation’s overall compliance and ability to handle personal information. The administering agency, the Japan Information Processing Developing Centre, has certified over 20,000 organisations from a wide variety of public and private sectors, from manufacturing to real estate.
The European Commission has noted that privacy seals and marks “promote certified entities, build consumer trust and confidence and bring market advantages” from an industry perspective. The EU’s General Data Protection Regulation (GDPR) also encourages the “establishment of certification mechanisms, data protection seals and marks” to enhance transparency and legal compliance.
The GDPR will be enacted from 25 May, and will change how companies that trade with the EU countries access, store and use the personal data of European citizens. New Zealand has what is referred to as ‘adequacy status’. In 2012 the European Commission formally decided that New Zealand's Privacy Act offers an adequate standard of data protection for the purposes of European law.
A panel discussion with representatives from Lowndes Jordan, Air New Zealand, Otago University and EY at the Privacy Forum discussed the impact of the GDPR, and how companies in New Zealand will need to prepare. The GDPR has the potential to affect companies from the start-ups through to large corporations - even just operating a website, could make an organisation liable as “sending a cookie” is considered data processing in Europe. There was general consensus that New Zealand should do what it can to protect its ‘adequacy’ status in the EU.
The introduction of the GDPR comes a day after submissions to the new Privacy Bill close on 24 May. The current Privacy Act is 25 years old, and the new Bill will replace the existing legislation.