The Office of the Privacy Commissioner (OPC) has released its Poupou Matatapu online toolkit. The toolkit is intended to provide agencies with an overview of the OPC's expectations as to what good privacy practice looks like and how agencies can work towards achieving that. Poupou Matatapu is comprehensive and we consider that it is likely to be an important touchstone for businesses and other agencies when they are designing or reviewing their own privacy practices, or engaging with the OPC.
What does Poupou Matatapu cover?
Since our last update, the OPC has added a further pou (or pillar) of guidance to reflect feedback received during consultation. The new pou helps agencies to respond to requests and complaints well. Altogether, Poupou Matatapu now includes ten pou:
- Governance
- Know your personal information
- Security and internal access controls
- Transparency
- Building capability and awareness
- Breach management
- Responding to requests and complaints well
- Assessing risk
- Measure and monitor
- Privacy management plan (which is an overarching pou to help agencies address each of the pou above).
Each pou sets out who it is for, the key objectives for that pou, and case studies and organisation examples to help agencies understand how the guidance is intended to work in practice.
What does Poupou Matatapu mean for agencies?
While privacy can often be a nuanced issue, we expect that this toolkit will provide a helpful framework and benchmark for organisations, particularly organisations that don’t have dedicated privacy resources or are developing their privacy compliance programme. In particular, the clear expectations regarding assessing risk, responding to complaints, training for staff, record keeping and general privacy management planning help fill a void in understanding what good privacy practices look like. Where an agency engages with the OPC and there is a clear deviation from Poupou Matatapu, we expect that the OPC will want to understand why that is the case. By framing and/or comparing privacy policies and practices against Poupou Matatapu, agencies can ensure that they are engaging in good privacy compliance and that this can be demonstrated to the OPC.
If you would like any advice or assistance on how Poupou Matatapu might be relevant to your privacy policies and practices, please contact a member of our team.
This article was co-authored by Pearlyn Tan (law clerk), Allan Yeoman (partner), Amy Ryburn (partner), Keri Johansson (special counsel) and Alex Chapman (senior associate).