A fresh take on privacy for 2022

This year, we expect to see many developments that will complement our reformed Privacy Act 2020, helping us to regain our position at the forefront of future-proofed privacy regulation, but also signalling the emergence of an Aotearoa New Zealand approach to privacy that reflects our unique bicultural foundation. Developments will include the introduction to Parliament of a bill implementing a new consumer data right (NZ’s version of the data portability right), increased pressure on the Privacy Commissioner and government agencies to take into account cultural perspectives (particularly Māori perspectives) on privacy when exercising their functions, and the appointment of a new Privacy Commissioner.

Pulling many of these developments together, the Government Chief Privacy Officer (GCPO) recently released a new Privacy Maturity Assessment Framework (PMAF) for agencies to use to conduct their privacy self-assessments. These self-assessments enable agencies to focus on how to grow their privacy capability and maturity by reflecting on how they think about and manage the personal information they are entrusted with. To achieve this, the PMAF focuses on:

  • establishing privacy as a core part of high-quality service delivery based on values of respect, trust and transparency;
  • including values, behaviours and practices that encourage a people-centred approach to privacy to complement established risk-informed practices;
  • integrating other good practice advice aimed at making it easier to understand what ‘doing the right thing’ looks like, such as the Data Protection and Use Policy (DPUP), and aligning with complementary domains such as information security and information management;
  • encouraging an approach that clearly links the personal information collected to the desired outcomes; and
  • partnering with Māori to understand and respond to their interests in the collection and use of personal information about Māori, and to provide for such information to be interpreted with reference to Māori priorities, values and world views.

While developed for the public sector, the GCPO anticipates that private sector agencies could also benefit from the framework, using both the PMAF and the underlying DPUP to better align privacy with a broader focus on service delivery, customer experience, and the wellbeing of people and communities. We agree, and we think the five DPUP principles which underpin the framework perfectly demonstrate a burgeoning unique Aotearoa New Zealand privacy approach that we can all learn from:

  1. He Tāngata – Focus on improving people’s lives – individuals, children and young people, whānau, iwi and communities.
  2. Manaakitanga – Respect and uphold the mana and dignity of the people, whānau, communities or groups who share their data and information.
  3. Mana Whakahaere – Empower people by giving them choice and enabling their access to, and use of, their data and information.
  4. Kaitiakitanga – Act as a steward in a way people understand and trust.
  5. Mahitahitanga – Work as equals to create and share valuable knowledge.

We’re watching all these developments carefully here at Simply Privacy, and we’re truly excited about the direction privacy law and practice is going here in Aotearoa New Zealand and globally.