Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

About OPC

Print | Email this page

Naming agencies in public reports

The Office of the Privacy Commissioner (OPC), an independent Crown entity, is New Zealand’s privacy and data protection regulator under the Privacy Act 2020.

This policy was updated in December 2024.
Read a copy of this policy, which includes numbered paragraphs for referencing. (opens to PDF, 376KB).

Scope

  • This policy records OPC’s willingness to publicly name agencies in appropriate cases. In applying this policy, OPC is mindful of the need to influence agency behaviour to comply with the Privacy Act and codes of practice issued under the Act.
  • There is need for OPC as an enforcement authority to have a choice of responses to cases of non-compliance and to be able to escalate the regulatory consequences as needed as reflected in OPC’s Compliance and Regulatory Action Framework (CARAF). The decision to name an agency can be an effective regulatory response to take in certain circumstances.
  • The policy is consistent with Māori perspectives on finding the right way to restore balance between agencies and affected individuals where non-compliance has occurred. As reflected by the proverb waiho mā te whakamā e patu (let loss of face be the penalty), Māori regulate behaviour through impairment to the mana of the offending party.
  • Where agency non-compliance impacts an individual’s mana (reputation or status), it can require utu (redress) to return to a state of ea (balance) between the parties. Under the Privacy Act, naming the agency may be an appropriate way to make amends and restore harmony.
  • The policy enables OPC to be a responsive and effective regulator, especially in cases having systemic significance (i.e. affecting more than just one individual in a particular case).
  • The policy applies across the activities of the Office. While it will principally be applied in relation to investigations that reveal agency non-compliance, OPC might publicly name agencies for a number of reasons, for instance in relation to matters uncovered in monitoring of information sharing agreements or following notification of a privacy breach. [2]
  • The policy will be applied by OPC when considering naming agencies. However, in cases where the Commissioner is considering naming any person who is not an agency this policy may be referred to.
  • The policy is not intended to apply in situations where disclosure may be required under other legislation (e.g., under the Official Information Act 1982).

How does naming agencies further the purposes of the Privacy Act?

The benefits of naming an agency will vary depending upon the circumstances but may serve one of the following purposes:

  • warn the public and other agencies of the practices of the named agency
  • encourage compliant behaviour by the agency concerned in future cases as a result of public scrutiny
  • encourage compliant behaviour by other agencies informed by the example of the named agency
  • encourage agencies promptly and genuinely to engage with the resolution of privacy issues to avoid, or further avoid, adverse publicity
  • associate a reputational cost with non-compliant behaviour thus making compliant behaviour more attractive
  • encourage affected individuals to come forward with complaints where they have been affected by the agency’s practices (or similar practices by other agencies)
  • increase the likelihood of news media reporting of privacy cases with consequent public debate, education and general scrutiny of agency behaviour
  • encourage compliant behaviour to avoid risk or injury to the mana of thebagency.

Return to top

Will agencies always be named?

No. Agencies will only be named where, on balance, the Commissioner considers that the agency ought to be named for the purpose of giving effect to the Privacy Act.

What considerations make the naming of an agency more likely?

Although each case needs to be considered on its merits, the following reasons may suggest that an agency ought to be named:

  • where the agency’s conduct is likely to have affected persons other than a complainant who has already come forward, and the effect cannot be remedied by the agency in relation to those other persons
  • the agency has been involved in a single very serious breach (where there has either been significant harm caused by the breach, or where a number of people have been affected by the breach), or the agency has been involved in multiple breaches, which it has failed to address
  • the agency has demonstrated an unwillingness to comply with the law (as distinct from a bona fide disagreement over the meaning of the law)
  • there has been an exercise of public functions or statutory powers and naming is likely to enhance accountability
  • in all the circumstances the public interest would benefit from identification of the agency, due to its deterrent effect, educative purpose or otherwise
  • in circumstances where a decision not to name the agency in any report from the Commissioner is likely to unfairly impact on other agencies within that specific sector or industry
  • where non-compliance has injured the mana of the affected individual(s) and naming the agency is an appropriate way to restore balance.

Four other circumstances should also be mentioned.

  • First, most cases warranting naming will involve agencies that have breached a requirement of the Act or a code issued under the Act. However, in some cases where the Commissioner reaches the opinion that an agency had not breached the law, the agency may prefer to be publicly named to offer a public vindication. OPC may consider naming in such cases.
  • Second, there may be cases where agencies seek to make non-disclosure of their identity a term of the settlement of a complaint. While the Commissioner will take into account the circumstances of a case (which might include the prospect of settlement, the terms of settlement and the views and behaviours of the parties), the decision on whether to name is within the discretion of the Commissioner based on issues of the wider public interest.
  • Third, as already noted, this policy is intended to deal with the naming of agencies. However, there may be cases where naming a particular agency will, or is likely to, identify another agency or an individual. This factor may make it less likely that the Commissioner will name an agency although naming remains a possibility where the public interest and other considerations justify that course. Where naming an agency will identify a third party, OPC may seek the views of the affected party before making a decision on naming
  • Fourth, in some cases OPC will be made aware of a potential breach of the Act as a result of the agency reporting a notifiable privacy breach under Part 6(1) of the Act or self-reporting any other privacy breach. Where this has occurred, and the agency is taking reasonable steps to address the potential breach, the Commissioner may be less likely to name the agency. 
    • However, the fact that a privacy breach has been reported will not prevent the Commissioner from naming where it is in the public interest to do so, for example where the agency is either unwilling or unable to take appropriate steps to address the breach or mitigate harm to the public. Naming will also be considered where the matter has been made public and the Commissioner has been asked to confirm the fact of self-notification. A decision to name in these circumstances will be in line with section 122 of the Privacy Act.

In what circumstances might an agency be named? 

  • The most common context in which an agency might be named is where the Commissioner has reached the opinion that an agency’s actions (including a failure to act or a policy or practice) have breached the Act or code.
  • The decision to name might follow such a finding regardless of whether the Commissioner has formed the further opinion that the agency’s actions constituted an interference with privacy in the particular case.
  • The decision to name in such a case might typically be in a case note which provides an account of the facts, law and Commissioner’s opinion. Release of the case note or report, which may be in some detail, might be accompanied by a media release emphasising certain aspects. On occasion the Commissioner might contemplate releasing the text of a final opinion (suitably edited to prevent identification of the complainant).
  • Naming of agencies might also occur in the following circumstances:
    • in publication of case notes, short case studies and associated media releases
    • on a referral of a matter to the Director of Human Rights Proceedings (DHRP)
    • publication of a report of a Commissioner’s own motion inquiry or investigation
    • following Human Rights Review Tribunal judgments
    • upon reporting a notifiable privacy breach, or upon the self-notification to OPC by an agency of a privacy breach (with consent or if in the public interest, in line with section 122 of the Privacy Act)
    • publication of details of a compliance notice (if in the public interest, in line with section 129 of the Privacy Act)
    • annual reporting ()
    • in formal reports to Ministers and Parliamentary committees
    • in speeches and in media statements responding to matters of public interest
    • as part of submission processes on the issue, amendment or review of codes of practice
    • announcing a commissioner-initiated inquiry
    • publication of open letters calling upon those agencies named in media reports to explain their actions and subsequent publication of their replies
    • in relation to assurances against further breaches sought from, refused or given by, an agency found to have breached a principle
    • announcing an application for, or grant of, an exemption
    • in relation to special responsibilities or flexibilities sought or granted under the Act, for instance in relation to information sharing agreements.
  • The Commissioner may also name agencies in other circumstances. These are routine or foreseeable examples.

At what stage of proceedings might agencies be named?

  • The timing of naming an agency is a matter to be considered case by case. Typically, an agency will be named after the completion of an investigation. The decision to name might follow settlement, discontinuance or a decision on referral of a case to the DHRP. Agencies would not typically be named if the Commissioner had not rendered an opinion finding the agency in breach of a principle.
  • However, in some circumstances naming could be contemplated at an earlier stage. For example, sometimes in cases of public attention the fact that OPC is investigating a matter may be public knowledge, perhaps through the actions of one of the parties. In such a case an interim statement may be warranted. There may also be cases where the public may need to be warned so that they can take appropriate steps to protect themselves.
  • Where the Commissioner intends to make an adverse statement about an agency, the agency will be invited to comment on this prior to naming in accordance with section 210 of the Act and the principles of natural justice.

How does the Privacy Act bear upon such public statements

  • Although the Commissioner and staff are required to maintain secrecy, section 206(2) allows for disclosure of such matters as in the Commissioner’s opinion ought to be disclosed for the purpose of giving effect to the Act. (The Commissioner may delegate the power to make such disclosures to selected staff.) Before naming an agency, the Commissioner will be satisfied that the disclosure is for the purposes of giving effect to the Privacy Act
  • Other aspects of the Privacy Act may touch upon the disclosure and this policy affirms that all statutory requirements must be complied with. In particular, care will be taken to ensure that the requirements of sections 21, 89, 96, 122, 129, 206(3) and 210 are considered and complied with.
  • Under section 21(c) the Commissioner must in performing any statutory function or duty, and in exercising any statutory power take account of cultural perspectives on privacy.
  • Section 96 concerns cases where the Commissioner reports evidence of any significant breach of duty or misconduct to the appropriate authority. In such cases, the possibility or timing of a statement naming an agency may have to take account of the possible effect on disciplinary or criminal proceedings.
  • Under section 206(3) matters that could seriously prejudice certain public interests or have been obtained in an investigation from an authority subject to an obligation of secrecy, are to be protected. Similarly, under section 89 documents that are normally subject to privilege will not be released. (This note does not go further into such issues since the focus of this policy is simply naming agencies in published reports and not to the content of the report themselves or to release of documents).
  • Under section 210 procedures are laid down for cases where an adverse comment is to be made about any person.

Decision tree

[2] Public naming following notification of a privacy breach will be in line with section 122 of the Privacy Act.

    Back to top