Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.
We respect your Do Not Track preference.
We want to help New Zealand businesses and organisations do privacy well. Poupou Matatapu sets our expectations about what good privacy practice looks like and then helps you get there. Thank you to the people that worked with us to make this happen.
Doing privacy well is essential for compliance and risk management, but it also helps your organisation to improve its data quality, innovation, customer and stakeholder trust, and decision-making processes. A strong privacy culture is increasingly a competitive advantage.
Our guidance aims to help you work towards reaching the outcomes we’ve described. We know that our country’s organisations and businesses are diverse and that organisations will need to choose solutions that are fit for purpose to help them achieve those outcomes. The guidance provides examples on how you can achieve the outcomes as well as showing scenarios to help people better understand how privacy works in practice.
We’d also encourage you to use the content from our guidance to make your own checklists, templates, or ‘one-pager’ resources.
Ngā mihi to the people who helped us develop Poupou Matatapu.
You’ll see we’ve used words and definitions to describe privacy concepts and processes, like ‘Privacy Management Plan’. These are examples – we’re not worried about whether your organisation is using the same terminology, it’s more important that you have a process or document that achieves the same purpose.
You can expect us to use and refer to the guidance in Poupou Matatapu when we’re working with your organisation. Whether you’ve worked towards these outcomes (or taken a similar approach) might also be something we consider when we decide whether to take compliance action. Good documentation will be key.
This is in line with our Compliance and Regulatory Action Framework.
Along the way we’ve included some fictional organisations to help illustrate the key themes of the pou in practice. We encourage you to read our Organisation Examples for a description of each organisation’s structure and operating environment.
The meaning behind te reo Māori name Poupou Matatapu is the poupou (posts or pillars) of matatapu (privacy). Essentially, the foundations of doing privacy well.
The pou are structured in the order we think you should read them, to illustrate a system for doing privacy well. The tenth pou, Privacy Management Plan, underpins all the other pou and is designed to be used as a plan for implementing the Poupou Matatapu framework.
Poupou Matatapu began as part of our work to support organisations to improve their privacy capability. We asked organisations what they struggled with when complying with the Privacy Act and what kind of policies and processes would help manage their privacy obligations and risk. We also asked how we could help them to build a privacy-protective culture throughout their organisation.
OPC often sees that organisations’ privacy programmes are reactive, responding to a specific event or inquiry or not having the time or resources to proactively implement a strategy. Organisations often improve practice by responding to the event but may then lose momentum. Building an effective privacy management system requires continuous improvement to lift capability, maintain good practice once this is achieved, and establish a privacy culture that reflects the values of your organisation.
We worked with a diverse group of people to create Poupou Matatapu and we'd like to thank them.
