It can be useful to compare an organisation’s processes or performance against another one’s competitors in the same industry class. It is especially useful to compare with the ‘best in class’ and set targets to meet or exceed the industry norms. This is sometimes called ‘best practice benchmarking’ and is an important tool to support continuous improvement.

That can be difficult for an organisation such as our office where it is, by design, a ‘one of a kind’ in its specialist jurisdiction. While particular functional areas of the organisation may be compared with organisations with similar functions (such as other complaints handling bodies), there is always the suspicion that one is comparing apples with kiwifruit.

However, there are now equivalents of New Zealand’s Privacy Commissioner in many jurisdictions: recent research has counted over 120 privacy laws around the world*. Is it possible to benchmark against the processes and performance of those bodies?

The bad news is that due to a paucity of internationally comparable statistics and a lack of published standards, it is difficult at the moment to do much best practice benchmarking between privacy and data protection authorities.

But the good news is that efforts are being taken to develop internationally comparable statistics and standards for privacy authorities. Our office is actively supporting several efforts.

One earlier effort: Case reporting standards

One of the major activities undertaken by our office is to handle privacy complaints. While complaints can be taken to a statutory tribunal, the vast majority of cases do not need to progress to an adversarial hearing in a formal court setting, and are instead resolved through processes managed within our office.

One effect of this is that there are no formal court judgments for the vast majority of cases and therefore limited case law to assist lawyers, organisations and the public to interpret the Privacy Act. To address this issue, the Privacy Commissioner has released illustrative ‘case notes’ on a selection of real cases each year. This innovative approach was based upon pioneering efforts of the New Zealand Office of the Ombudsmen.

The New Zealand experience with case notes was so successful that we recommended the approach to other data protection authorities in the region. But having taken advice from an international expert in legal information systems, we pursued two best practice innovations. These involved developing an international citation system and effective approaches for cross-border dissemination.

Ultimately, these two approaches were published as case reporting citation and dissemination standards adopted by the Asia Pacific Privacy Authorities (APPA) Forum in 2005**. The adoption of these best practice standards enabled our office to adopt and report upon an auditable quality indicator which was that:

Case notes are published in accordance with APPA Forum standards.

Our office continues to adhere to these best practice approaches.***

Developing public awareness benchmarks

Filling the gaps of internationally comparable statistics and creating benchmarks and standards is a long term task but a start has been made.

At its meeting in Seoul in June 2014, the APPA Forum adopted at New Zealand’s suggestion a further Statement of Common Administrative Practice. This standard concerned Recommended Common Core Questions for Community Attitude Surveys. The standard is designed to enable meaningful cross jurisdictional comparisons of public attitudes and enable the development of regional benchmarks that could be useful in planning and performance monitoring.

The APPA standard started with the modest objective of encouraging privacy authorities across the Asia Pacific to include two standard measures of public awareness in their opinion polling. These are questions asking:

• Are you aware of the [name of privacy law]?

• Have you heard of the [name of privacy enforcement authority]?

Three years on, APPA was in a position to adopt its first benchmark figures for average levels of awareness of privacy laws and authorities. These benchmarks are calculated from surveys conducted in several jurisdictions (including New Zealand) since 2014.

The new benchmarks will be published on the APPA website, and will be updated periodically.

The APPA Regional Benchmarks for Community Awareness of Privacy Law and Privacy Authorities have been compiled from the results of surveys undertaken by APPA member authorities using similar questions that generate comparable results.

APPA has chosen to establish these benchmarks as it believes that measurement of these matters may be useful for APPA members in planning and in measuring performance. Informed citizens and consumers who are aware of the existence of privacy law or the authority responsible for enforcement are in a position to exercise their privacy rights.

It is common for public bodies, including privacy authorities, to set targets for their performance. These can be maintained as internal targets or they can be set as external performance indicators and reported publicly or as an accountability measure to oversight bodies. Targets are usually set to be realistically achievable but also to ‘stretch’ the public body and encourage it to aim to do better. Public bodies may also find it useful to measure their performance against their peers. Targets that are set by reference to international standards may have particular credibility in the eyes of stakeholders.

The APPA benchmarks may be useful to APPA members in several ways, including:

• in setting an internal target for the first time, the APPA ‘range’ benchmark may help APPA authorities to devise a target that appears to be realistic to achieve;

• APPA authorities can use the benchmark to stretch themselves in internal targets e.g. in relation to public communications work an ambitious target might be set to achieve awareness levels ‘at least 10 percent higher than the APPA benchmark’; or

• in setting an external performance indicator an authority could rate themselves against levels achieved across the region e.g. ‘To maintain awareness levels equalling or exceeding the regional average measured in the APPA benchmark’.

ICDPPC Census

In its current role as Secretariat of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), our office in conjunction with the OECD Secretariat recently undertook the largest ever survey of data protection authorities in the world – the ICDPPC Census. Some 87 privacy authorities completed the survey which involved more than the 4000 individual answers to questions.

The results of the Census will be publicly released at the 39th ICDPPC in Hong Kong in September. A presentation on the Census will be one feature of a planned APPA-ICDPPC-OECD Roundtable to be held alongside the main conference that will be exploring an ‘international privacy metrics agenda’. The roundtable will also report on substantial efforts by the OECD to develop internationally comparable measures in areas of privacy.

Our office, in its role as ICDPPC Secretariat, has been encouraging third party use of the Census results and a particular hope is that regional groups of privacy authorities will find it useful to compare their regional profiles against the global benchmarks.

Future developments

For anyone interested in statistics regarding privacy authorities, these are interesting times. We will see the release of the ICDPPC Census results and the Hong Kong roundtable. Relevant OECD statistics are also expected this year. There is also active work in ICDPPC and APPA working groups that should bear fruit in 2018.

International, Asia Pacific Privacy Authorities (APPA), Global Privacy Assembly (GPA), data