Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Benchmarking against international privacy peers Blair Stewart
20 August 2017

census 2

It can be useful to compare an organisation’s processes or performance against another one’s competitors in the same industry class. It is especially useful to compare with the ‘best in class’ and set targets to meet or exceed the industry norms. This is sometimes called ‘best practice benchmarking’ and is an important tool to support continuous improvement.

That can be difficult for an organisation such as our office where it is, by design, a ‘one of a kind’ in its specialist jurisdiction. While particular functional areas of the organisation may be compared with organisations with similar functions (such as other complaints handling bodies), there is always the suspicion that one is comparing apples with kiwifruit.

However, there are now equivalents of New Zealand’s Privacy Commissioner in many jurisdictions: recent research has counted over 120 privacy laws around the world*. Is it possible to benchmark against the processes and performance of those bodies?

The bad news is that due to a paucity of internationally comparable statistics and a lack of published standards, it is difficult at the moment to do much best practice benchmarking between privacy and data protection authorities.

But the good news is that efforts are being taken to develop internationally comparable statistics and standards for privacy authorities. Our office is actively supporting several efforts.

One earlier effort: Case reporting standards

One of the major activities undertaken by our office is to handle privacy complaints. While complaints can be taken to a statutory tribunal, the vast majority of cases do not need to progress to an adversarial hearing in a formal court setting, and are instead resolved through processes managed within our office.

One effect of this is that there are no formal court judgments for the vast majority of cases and therefore limited case law to assist lawyers, organisations and the public to interpret the Privacy Act. To address this issue, the Privacy Commissioner has released illustrative ‘case notes’ on a selection of real cases each year. This innovative approach was based upon pioneering efforts of the New Zealand Office of the Ombudsmen.

The New Zealand experience with case notes was so successful that we recommended the approach to other data protection authorities in the region. But having taken advice from an international expert in legal information systems, we pursued two best practice innovations. These involved developing an international citation system and effective approaches for cross-border dissemination.

Ultimately, these two approaches were published as case reporting citation and dissemination standards adopted by the Asia Pacific Privacy Authorities (APPA) Forum in 2005**. The adoption of these best practice standards enabled our office to adopt and report upon an auditable quality indicator which was that:

Case notes are published in accordance with APPA Forum standards.

Our office continues to adhere to these best practice approaches.***

Developing public awareness benchmarks

Filling the gaps of internationally comparable statistics and creating benchmarks and standards is a long term task but a start has been made.

At its meeting in Seoul in June 2014, the APPA Forum adopted at New Zealand’s suggestion a further Statement of Common Administrative Practice. This standard concerned Recommended Common Core Questions for Community Attitude Surveys. The standard is designed to enable meaningful cross jurisdictional comparisons of public attitudes and enable the development of regional benchmarks that could be useful in planning and performance monitoring.

The APPA standard started with the modest objective of encouraging privacy authorities across the Asia Pacific to include two standard measures of public awareness in their opinion polling. These are questions asking:

  • Are you aware of the [name of privacy law]?
  • Have you heard of the [name of privacy enforcement authority]?

Three years on, APPA was in a position to adopt its first benchmark figures for average levels of awareness of privacy laws and authorities. These benchmarks are calculated from surveys conducted in several jurisdictions (including New Zealand) since 2014.

The new benchmarks will be published on the APPA website, and will be updated periodically.

Regional Benchmarks for Awareness of Privacy Law and Privacy Authorities




Are you aware of the [name of privacy law]?



Have you heard of the [name of privacy enforcement authority]?



The APPA Regional Benchmarks for Community Awareness of Privacy Law and Privacy Authorities have been compiled from the results of surveys undertaken by APPA member authorities using similar questions that generate comparable results.

APPA has chosen to establish these benchmarks as it believes that measurement of these matters may be useful for APPA members in planning and in measuring performance. Informed citizens and consumers who are aware of the existence of privacy law or the authority responsible for enforcement are in a position to exercise their privacy rights.

It is common for public bodies, including privacy authorities, to set targets for their performance. These can be maintained as internal targets or they can be set as external performance indicators and reported publicly or as an accountability measure to oversight bodies. Targets are usually set to be realistically achievable but also to ‘stretch’ the public body and encourage it to aim to do better. Public bodies may also find it useful to measure their performance against their peers. Targets that are set by reference to international standards may have particular credibility in the eyes of stakeholders.

The APPA benchmarks may be useful to APPA members in several ways, including:

  • in setting an internal target for the first time, the APPA ‘range’ benchmark may help APPA authorities to devise a target that appears to be realistic to achieve;
  • APPA authorities can use the benchmark to stretch themselves in internal targets e.g. in relation to public communications work an ambitious target might be set to achieve awareness levels ‘at least 10 percent higher than the APPA benchmark’; or
  • in setting an external performance indicator an authority could rate themselves against levels achieved across the region e.g. ‘To maintain awareness levels equalling or exceeding the regional average measured in the APPA benchmark’.


In its current role as Secretariat of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), our office in conjunction with the OECD Secretariat recently undertook the largest ever survey of data protection authorities in the world – the ICDPPC Census. Some 87 privacy authorities completed the survey which involved more than the 4000 individual answers to questions.

The results of the Census will be publicly released at the 39th ICDPPC in Hong Kong in September. A presentation on the Census will be one feature of a planned APPA-ICDPPC-OECD Roundtable to be held alongside the main conference that will be exploring an ‘international privacy metrics agenda’. The roundtable will also report on substantial efforts by the OECD to develop internationally comparable measures in areas of privacy.

Our office, in its role as ICDPPC Secretariat, has been encouraging third party use of the Census results and a particular hope is that regional groups of privacy authorities will find it useful to compare their regional profiles against the global benchmarks.

Future developments

For anyone interested in statistics regarding privacy authorities, these are interesting times. We will see the release of the ICDPPC Census results and the Hong Kong roundtable. Relevant OECD statistics are also expected this year. There is also active work in ICDPPC and APPA working groups that should bear fruit in 2018.

* See Greenleaf, Graham, Global Tables of Data Privacy Laws and Bills (5th Ed 2017) (January 31, 2017). (2017) 145 Privacy Laws & Business International Report, 14-26. Available at SSRN.

** See APPA Forum Statements of Common Administrative Practice on Case Note Citation (November 2005) and Case Note Dissemination (November 2006), available on the APPA website.

*** At New Zealand’s initiative, the approach recommended in those regional standards have also been endorsed at international level in the Resolution on Case Reporting adopted in 2009 by the ICDPPC.

Image credit: Dunaliella cells via Census of Marine Live E&O



, , ,



  • The MSD so-called IHYA data system is polluted with prejudicial data.

    MSD, the Ministry of Dystopia [I mean Development] recently managed to cover up what could have been a whistle blower entry into the ongoing Citizen data collection [I mean social investment client data base].

    This massive data base on most of us, I think, has no proper oversight into what is put into it, and flashes round to other Government departments at will. So who and why all this ongoing information updates about you and me?

    It's data about people who might be naughty, you know claiming benefits or stuff that the Government does not like or might not like, or......

    Oh I see, yes ,we flash this data around between IRD, DIA, MSD, Police, INZ which if unhealthy puts you in a serious difficulty everywhere from passport down. This is what Bill English and Anne Tolley mean by Social Investment. A Citizens Black Book, like Baycorp but a lot worse.

    Now there was an entry glitch. Recently, March 31, there was an intrusion into the client data base. The entire thing or some may have been downloaded. I think someone interesting in New Zealand knows about this.

    Ongoing entry of citizen data of all types is not something that New Zealanders will be too happy about.

    Bill English and Anne Tolley were able to control the media appetite by saying there had been no loss of data. But surprise, they ordered an entire new citizen surveillance system.

    Posted by Paul Scott , 22/08/2017 8:34pm (8 months ago)

    Post Reply

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Post your comment

The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.