When applying for a Privacy Trust Mark, what information does an agency need to provide, and what will the Office of the Privacy Commissioner do with it?
An applicant for a Privacy Trust Mark should provide the information required in the application form and any further information requested by our office to process and assess the application.
Information provided to our office by agencies applying for a Privacy Trust Mark will be kept on file (whether or not the application is successful).
We will use this information to produce a brief explanation of the product or service the Privacy Trust Mark covers and why it was awarded. Information will also be used to provide context to any future applications.
In assessing any application, the Privacy Commissioner may also consider information in the public domain and information he is aware of through his other functions, including policy work, complaint investigations, data breaches, and enquiries trends.
Where an agency is successful in being awarded the Privacy Trust Mark for a product or service, our office will publish this, along with a short summary of the reasons for its success.
Our office is subject to the Official Information Act 1982 and, when responding to requests for information from the public, must comply with the secrecy obligation in section 116 of the Privacy Act 1993. Section 116 of the Privacy Act means that the Privacy Commissioner and his staff must keep confidential all matters coming to their attention in the exercise of their functions and duties, unless the Privacy Commissioner considers any matter should be disclosed to give effect to the Privacy Act.
If there are any changes made to a Privacy Trust Mark-awarded product or service, our office has an expectation that the organisation would notify us of the change.
What if an application is not successful?
The decision of the Privacy Commissioner on any application is final.
If the Commissioner does not award a Privacy Trust Mark to a product or service, no further application may be made in respect of that product or service for six months.
Some feedback may be provided by the Privacy Commissioner (at his discretion) when an application is not successful.
How long does the right to use the Privacy Trust Mark last?
A successful agency will be authorised to display the Privacy Trust Mark in association with the approved product or service for two years or until the trust mark is revoked.
Our office has an expectation that any material changes to products which have been awarded the Privacy Trust Mark are notified to us directly.
More information about renewal can be found in the Privacy Trust Mark terms and conditions.
Can a product or service have its right to use the Trust Mark revoked before it expires?
Yes. The Privacy Trust Mark is an indication the Privacy Commissioner is satisfied that a product is outstanding in the way it manages personal information – if it becomes apparent that a product is no longer meeting this standard then the Privacy Trust Mark may be revoked by the Privacy Commissioner at any time.
Agencies are responsible for continual auditing and checking of any products that have been awarded the Privacy Trust Mark, and should raise any concerns with our office.
Our office may receive complaints about a product or agency via our enquiries and complaints functions. Information we receive from the public may lead us to seek additional information from the agency directly.
If you have any questions about the Privacy Trust Mark programme, please email email@example.com.