Privacy – particularly the protection of
personal data – is a hot topic both here and
internationally, as organisations struggle to cope with the
quantity and transferability of electronic
This Brief Counsel provides some tips for businesses on
how to manage privacy obligations in relation to collecting,
storing and distributing personal information.
When collecting data, reasonable steps must be taken to ensure
that individuals are aware of, among other things, the purpose of
collection and the intended recipients of the information. That
notification could be given by a note on the organisation's
website, or by using a privacy collection consent form.
Only data that is required for the specified purpose should be
collected. Consents to collect (and disclose) data should be
phrased to reflect this purpose and thought should be given to the
breadth of the stated purpose.
The recent report on ACC[1] identified several ways to
mitigate the privacy risk inherent in information processes. The
specific privacy risks faced by an organisation such as ACC, which
handles highly sensitive information, will not apply to every
business, but there are practices of more general application that can be taken from the
ensure that research, actuarial and similar work streams are
never conducted on raw, identifiable information. If this is
unavoidable, de-identify the data by replacing names with random
reduce the organisation's reliance on email
ensure data loss prevention (DLP) software is in place
implement an "enter once" (as opposed to multiple
entry) policy for any data entry or reporting system, and
keep personal data only as long as necessary.
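The first of these practices, de-identifying data before it reaches research or actuarial work streams, is worth seeing in code. The following is an added example written for this page, not code from the ACC report or from Chapman Tripp. The records, NHI numbers and field names (`nhi`, `claim_type`, `paid`) are constructed for the example. Where the report speaks of substituting random values, this example uses keyed pseudonyms (HMAC-SHA256 under a key held only by the data custodian) instead; that is the editor's choice, made so that repeat claims by the same person stay linkable within the research copy while the mapping back to identity stays on the custodian's side.

```python
import hashlib
import hmac

# Constructed sample claims data for a research extract. The people, NHI numbers
# and amounts are invented, and the field names are assumptions for the example.
RAW_RECORDS = [
    {"name": "Aroha Ngata", "nhi": "ABC1234", "dob": "1984-03-12",
     "claim_type": "sprain", "paid": 1230.50},
    {"name": "Tom Reid", "nhi": "ZZZ9876", "dob": "1971-11-02",
     "claim_type": "fracture", "paid": 8800.00},
    {"name": "A. Ngata", "nhi": "abc1234", "dob": "1984-03-12",
     "claim_type": "fracture", "paid": 2100.00},
]

# Fields that identify a person directly; none of these may reach the research copy.
DIRECT_IDENTIFIERS = ("name", "nhi", "dob")


def pseudonym(key: bytes, identifier: str) -> str:
    """Deterministic, keyed token for an identifier.

    HMAC-SHA256 under a key held only by the data custodian: the same person gets
    the same token in every extract (so claims can still be linked), but without
    the key the token cannot be reversed or recomputed from a known NHI.
    """
    normalised = identifier.strip().upper().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def deidentify(records, key: bytes):
    """Return a research copy with direct identifiers removed.

    Name, NHI and date of birth are dropped, the NHI is replaced by a keyed
    pseudonym, and the date of birth is generalised to a birth year.
    """
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = pseudonym(key, r["nhi"])
        row["birth_year"] = int(r["dob"][:4])
        out.append(row)
    return out


def reidentification_table(records, key: bytes):
    """Mapping from pseudonym back to NHI. This stays with the custodian, on a
    separate system from the research extract, and is never sent with it."""
    return {pseudonym(key, r["nhi"]): r["nhi"].strip().upper() for r in records}


def contains_direct_identifiers(rows) -> bool:
    """Gate to run on an extract before it leaves the custodian's environment."""
    return any(k in DIRECT_IDENTIFIERS for row in rows for k in row)


if __name__ == "__main__":
    key = b"custodian-secret-for-demo-only"  # in practice: generated and kept in a key vault
    extract = deidentify(RAW_RECORDS, key)
    assert not contains_direct_identifiers(extract)
    for row in extract:
        print(row)
```

Two points the code makes that the list item does not: the pseudonym key is the secret that separates "de-identified" from "identifiable", so it needs the same protection as the raw data; and the check in `contains_direct_identifiers` is the kind of control a work stream can run automatically before an extract is shared, rather than relying on each analyst to remember the rule.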
Privacy-compliant processes should be supplemented by a
structured and comprehensive security assurance programme. Security
should be treated as a business issue rather than an IT issue. A security
programme would ideally include:
formal assurance mechanisms implemented within project-based
methods for identifying unusual system access, and
independent periodic compliance assessments.
The ACC Report highlighted the need to increase staff
accountability and awareness and establish clear lines of
responsibility within the organisation, specifically:
the business owner or a member of the executive board should
hold ultimate accountability for privacy
staff roles should be clearly defined and their
responsibilities regarding privacy specifically set out and
staff should be given practical, scenario-based training on
managing privacy. The training should be operational and use
work-related examples, and
there should be clear ownership of all data held by the
organisation, including that on shared hard drives.
Distribution and use of personal data
Complaints and incidents should be dealt with immediately.
Consistent systems and processes should be developed for recording,
monitoring and reporting all near misses, privacy breaches and
privacy complaints. The resulting privacy incident statistics
should be used to support a programme of continuous
Data subjects should be aware of their right to make a
An incident register? Privacy training for staff?
If not, you may be at risk and, more importantly, you may be
putting individuals' personal information at risk.
If you need assistance, please contact any of the Chapman Tripp
[1] KPMG and Information Integrity Solutions, "Independent Review of ACC's Privacy and Security of Information" (22 August 2012).
The information in this article is for informative purposes
only and should not be relied on as legal advice. Please contact
Chapman Tripp for advice tailored to your situation.