Kiwi private sector lags public in privacy protection

The Office of the Privacy Commissioner (OPC) believes the private sector in New Zealand appears to be less focussed on privacy accountability than the public sector, with several organisations seeming to have minimal privacy or data protection policies in place.

Privacy commissioner John Edwards said public sector agencies surveyed generally had much more sophisticated policies and practices in place and that most government agencies had dedicated privacy teams, which was not necessarily the reality for private agencies.

The findings come from the New Zealand component of a sweep of 667 organisations around the world, co-ordinated jointly by the Office of the Privacy Commissioner and the UK Information Commissioner’s Office.

The 2018 Global Privacy Enforcement Network (GPEN) Sweep was undertaken by 18 data protection and privacy authorities  and was designed to determine how well organisations have implemented the concept of privacy accountability in their own internal privacy programmes and policies, and how they have taken responsibility for complying with their jurisdiction’s data protection laws.

OPC contacted 16 New Zealand public and private sector organisations and received 12 responses.

Edwards said he had been encouraged by the awareness of his office’s education and outreach tools, particularly its toolkit for managing data breaches.

“This is especially heartening because the Privacy Bill currently before Parliament has provisions for mandatory data breach notifications,” he said.

Globally, whilst there were examples of good practice, the sweep found some organisations had no processes in place to deal with privacy complaints and queries raised by data subjects and were not equipped to handle data security incidents appropriately.

The report also found:

• almost 75 per cent of respondent organisations across all sectors and jurisdictions had an individual or team responsible for ensuring their organisation complied with relevant data protection rules and regulations;
• organisations were generally quite good at giving initial data protection training to staff, but often failed to provide refresher training;
• many organisations failed to adequately monitor internal performance, with around 25 per cent saying they had no programmes in place to conduct self-assessments and/or internal audits;
• nearly 15 per cent of organisations said they had no processes in place to respond appropriately in the event of a data security incident.

The Global Privacy Enforcement Network was established in 2010 following a recommendation by the OECD.

Its aim is “to foster cross-border co-operation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders.”