Since the 1980 OECD Guidelines on privacy there have been substantial additions and amendments to privacy laws in New Zealand and other jurisdictions across the world. The original guidelines were practical, a response to advances of technology and the ability to transfer data across borders and were key drivers for guidelines[1]. In the past our Privacy Act was viewed as non-prescriptive, providing for a balance between the rights of individuals and the ability for business to function.
But privacy laws are moving, even though in this country glacially, towards greater enforcement of privacy rights and obligations. Our current Privacy Act reflects this. More penalties and more obligations particularly on data breach reporting. Our New Zealand domestic laws contain a plethora of obligations to consult with the Privacy Commissioner on the creation of data sharing arrangements whether their genesis is embedded in law, defined in Approved Information Sharing Agreements (AISA) or simply agreed in agency-to-agency memorandum of understanding (MOU). It’s not surprising that citizens, whether they be seeking to protect their individual rights or ascertain their employer’s obligations, struggle to determine the extent of them.
But despite a greater emphasis on enforcement, the earlier intent in the OECD guidelines was to put individuals at the centre of business and service involvement with them. It remains a worthy pursuit. Let’s call that “customer service”! With a little rhetorical chicanery that might mean interacting with your customers/clients/service users in ways that –
- Are proactive and informs them about what personal information you want from them and what you will do with it
- Doesn’t acquire information from them that you don’t need, recognising that their personal information has value to them as well
- Treats their information with the reverence that it deserves particularly where the information might be sensitive or capable of being used in a way that may negatively affect them
- Puts them at the centre of your transactions by providing a service or value that includes acknowledgement that they have rights, and you have responsibilities in the relationship including managing their personal information safely
- Deploys technology in a way that enables them, where appropriate, to easily understand what information you hold about them
- Treats them and their information as important to both parties and sees them as important stakeholders in your business or service
Despite all the hyperbole that surrounds privacy laws, the legal opinions, the encouragement, and pressures on business to comply, both business and clients would greatly benefit from treating the relationship as one of “customer service” that includes practical engagement about the management of personal information alongside the service provided. And by the way, this type of adequate and timely customer service is also likely to largely keep your business compliant. Give it a go!
[1] https://www.oecd.org/sti/ieconomy/49710223.pdf – Thirty Years After – The OECD Privacy Guidelines (2011) see pages 21 and 22