Update: We've received 11 submissions on our proposed 'naming policy'. Given the level of interest in the proposal, we've decided to postpone the change to the new policy, which was to take effect on 1 November. It will now not be adopted before December, and we will take the extra time to fully consider the detailed and thoughtful points raised by submitters.
We think it is time to ‘name names’ where it is warranted. Our view is that in certain circumstances, the Privacy Act is better served by revealing the organisations that have breached the law.
Up to now, we’ve rarely publicly named organisations. It was done on an ad hoc basis. By adopting this new policy, the Privacy Commissioner can ensure that a more consistent approach is taken.
We feel that naming an agency in certain circumstances is a reasonable step, and as a responsible regulator we would like to give people the opportunity to give us their feedback. Before adopting this new policy, we are asking for suggestions on how it could be improved.
Naming may encourage compliant behaviour by a named agency, and also by other agencies concerned about the risk to their own reputation. Revealing the identity of an agency may warn the public and other agencies about the practices of the named agency that is breaching the law.
This new policy will enable the Privacy Commissioner to be a more effective regulator, especially in cases where an agency’s non-compliance affects the wider public.
The proposed policy examines the question of naming in detail, including the considerations that make naming more or less likely, how and when an agency might be named, and what the Privacy Act says about the Privacy Commissioner making public statements.
Our discussion document provides a background to the new policy along with a ‘question and answer’ section. Submissions closed on 30 September.