Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Tūhono│Connect

Print | Email this page

Policy advice for government agencies

A woman with long dark hair looks at the camera. She is wearing a black shirt. She is sitting at a table with flowers and a laptop on it.The Cabinet Manual requires public sector agencies to consult with the Privacy Commissioner on any proposal with privacy implications (see paragraphs 5.19, 7.68, 8.6, 8.72-78 and 8.86-89).

Our policy team is responsible for reviewing and commenting on these policy and legislative proposals. To contact us, please email policy@privacy.org.nz.

Our capability and guidance team can provide advice on significant operational privacy issues. Please contact guidance@privacy.org.nz if you are asking OPC to:

  • respond to a statutory consultation (where existing legislation requires your agency to consult the Privacy Commissioner)
  • provide advice on operational aspects of information sharing
  • review a privacy impact assessment (PIA).

When to consult us

Involve us early in your policy and legislative proposals wherever possible. Definitely involve us before any big decisions are made so that we can have meaningful engagement on the proposal.

We understand that some policy proposals will have to be developed in a hurry, and you may not be able to give us much notice. But the later we hear about something, the higher the risk that your proposal will require last minute re-work – putting your timelines at risk and even resulting in additional costs or cancellation of the proposal.

Consulting us doesn’t necessarily mean intensive engagement. Just loop us into what’s happening, and what your proposed timeline is, so we can suggest where we will need to be involved and at what level. You’ll then be able to factor that into your planning.

What you need to do before coming to us

It’s important that agencies work through the privacy analysis of policy proposals before consulting us. That saves everyone time. Also, our role is to be your external sounding board, not to do the work for you. We are a small team, and we have to engage with many different agencies.

You can use your own in-house privacy specialists to help you or engage an external privacy specialist.

Make sure you give us all the information that we will need to be able to see the implications of your proposal. That includes:

  • the exact change you are proposing and why it is necessary
  • how the proposal interacts with other relevant legislation or with existing systems and processes in the agency
  • what privacy risks you have identified and how they will be mitigated.

How detailed is our advice?

Sometimes, we may have little to say. Not all proposals have significant privacy impacts. Or you may already have successfully identified and managed the privacy risks before coming to us.

However, we are likely to need to provide more detailed comments on proposals that can carry a high privacy risk. This includes proposals involving:

  • the use of novel technologies
  • the collection, use, or sharing of large amounts of personal information
  • proposals involving vulnerable people (including children, elderly people, or people in minority groups or low socioeconomic groups)
  • a significant degree of harm, if a privacy breach occurs
  • an issue that is likely to be precedent-setting.

What can I share with OPC?

OPC is used to treating information in confidence. You can safely share material such as Cabinet papers, draft legislation, and Budget-sensitive information with us so we can review this material and give feedback. If you need to make special arrangements to share classified information with OPC, please email the policy team to arrange this.

OPC is routinely provided with draft legislation for review. The Attorney General’s Protocol for the Release of Draft Government Legislation outside the Crown allows agencies to release draft legislation (on an in-confidence basis and subject to legal professional privilege) to Crown entities when those entities are required to be consulted about legislation (as OPC is).

How to use our advice

Everyone agrees that OPC advice should be taken seriously – that’s why there’s a requirement to consult with us. But it is your agency’s responsibility to decide whether to accept our advice.

If you decide not to accept it, make sure you accurately record what our advice was, and your reasons for not accepting it. This makes sure the relevant decision makers (senior leaders, Ministers, Cabinet, or Parliament) have all the information they need to make a call. The Privacy Commissioner can also decide whether any further action is needed.

We don’t endorse your work

Make sure your agency knows that OPC does not “sign off” or “approve” your privacy analysis. That is your agency’s job. We provide advice to help you, based on the information we are given.

Download a copy of Policy advice for government agencies (opens to PDF, 183KB)

Back to top