
Guest post: Outsourcing your Privacy Officer obligation
Paul Holmes – Managing Director of INFO by Design
2 August 2019 at 09:31


Personal information is taonga (a treasure). Every day, people provide business and government with information about themselves in order to access products and services that are of value to them. This exchange happens according to tiakitanga (trust that personal information will be respected, protected and valued).

For most businesses and government organisations, personal information is one of their most critical and valuable assets. What is the value of personal information to your organisation? Breaching trust and failing to adequately safeguard personal information has a massive impact on brand and financial performance. It can take years to recover from a significant data breach.

Privacy Officers are important

Having a Privacy Officer is a legal obligation and responsibility under the Privacy Act. All organisations in New Zealand must have one. The Privacy Officer is the kaitiaki or guardian responsible for ensuring an organisation has the policies, processes and systems in place to appropriately manage and protect personal information.

But for a Privacy Officer to be effective, they need knowledge, influence and the resources to do the job right. Is your organisation investing enough resources to ensure they can meaningfully fulfil the role?

In most organisations, the Privacy Officer is not a full-time role. It is often an add-on to an existing role, with minimal time (often less than 5 percent) specifically dedicated to fulfilling the duties of a Privacy Officer. This simply does not work.

Falling short

Here’s an example of a case where the privacy resourcing within a public sector organisation fell short of ideal. An employee in the organisation accidentally sent a client an email containing an internal management report with sensitive information. The organisation had a part-time Privacy Officer who was very capable but did not have enough time to invest in improving privacy capability on top of their other duties. As a result, privacy policies and management processes were immature and not well understood by management and front-line staff.

The person who received the email raised it with the organisation, was not satisfied with the response they received, and took it to the media. This resulted in significant negative media attention for the organisation, which led to significant stress for their customers and staff, as well as a massive drop in public trust and confidence that took years to recover from.

Virtual Privacy Officers

Proposed changes to the Privacy Act will make it clear that organisations can outsource their Privacy Officer functions. It is now explicit in the proposed legislation that a Privacy Officer can be someone outside of the organisation.

Ryman Healthcare has already taken this approach. It has an existing Privacy Officer to ensure privacy is effectively managed, but it recognised this wasn’t enough. Ryman Healthcare employed my company, INFO by Design, to provide a Virtual Privacy Officer (VPO) service to ensure it delivered more fully on its privacy obligations.

Roger Nuttall, Ryman Healthcare’s Group Financial Controller and Privacy Officer, says the VPO service has helped the organisation improve its privacy capability and maturity. “The INFO by Design team has been highly responsive and has helped to ensure that we manage and protect our residents’ information in the way that it deserves.”

Expert advice

A VPO service can help any organisation to rapidly improve its privacy maturity while having expert advice on call to help minimise the impact on customers if a privacy incident occurs. It provides access to a team of privacy experts as well as their proprietary templates and methodologies that can be tailored to suit any organisation, including:

  • Policies and procedures
  • Privacy Impact Assessments
  • Incident management and investigation
  • Privacy training and capability building
  • Mentoring for Privacy Officers
  • Stakeholder engagement support

A range of New Zealand government agencies and businesses already use a VPO service to improve their privacy capability and performance. If this is something you think could help your organisation, search ‘Virtual Privacy Officer’ and find someone who can help you accelerate your privacy capability.

Paul Holmes is Managing Director of INFO by Design, a specialist privacy and information support consultancy which he founded in 2017.

Image credit: Data Protection Officer via Green CulturED.
