This year is shaping up to be a big year for privacy compliance and data protection. Over the last few months, we've seen a draft Biometrics code, a Privacy Amendment Bill, and draft Customer and Product Data Bill in Parliament. Following on from this, last Friday the Office of the Privacy Commissioner (OPC) issued draft guidance to help agencies "do privacy well". The guidance is titled Poupou Matatapu (Poupou meaning posts or pillars and Matatapu meaning privacy). Poupou Matatapu sets out the Privacy Commissioner's views about what "good" privacy practice looks like. Any agencies dealing with personal information (regardless of whether they already have a privacy compliance framework in place) will likely be interested in what this guidance covers as the guidance applies generally, sets out specific details about what the Privacy Commissioner expects to see (eg in relation to security measures) and provides some useful examples.
What does Poupou Matatapu cover?
Poupou Matatapu includes nine pillars or foundations for good privacy compliances, each of which are supported by their own detailed guidance document:
- Governance
- Know your data
- Security and internal access controls
- Transparency
- Building capability and awareness
- Breach management
- Assessing risk
- Measure and monitor
- Privacy management plan.
The pillars are intended to be read in the order above, and the final privacy management plan pillar is designed to be used as a plan for implementing the Poupou Matatapu framework. The detailed guidance documents can be found at Office of the Privacy Commissioner | Poupou Matatapu.
What is the Privacy Commissioner consulting on?
The Privacy Commissioner has provided specific questions for consultation in relation to the pillars or pou, including the extent to which the pou are fit for purpose, how they may be improved, what is missing, and what could be added. We encourage agencies that have views on the Poupou Matatapu to provide feedback to the Privacy Commissioner. Consultation is open until 22 June 2024.
Please contact one of our team if you would like to discuss the draft guidance.