The Office of the Privacy Commissioner (OPC) has recently released a new set of guidance tools to assist organisations in managing their privacy responsibilities, called Poupou Matatapu. The goal of Poupou Matatapu is to ‘do privacy well’ by setting expectations of what good privacy practice looks like. There are 10 pou (pillars) which cover a range of matatapu (privacy) concepts. Poupou Matatapu can be accessed here.
Who should be aware of this?
Any organisation which collects, holds, processes, uses or discloses personal information may find the guidance helpful in establishing, updating and/or managing their privacy practices. The toolkit will also be useful as a reference or baseline comparison to help organisations assess whether their existing privacy practices align with the OPC’s expectations of what constitutes ‘good privacy practice’.
What does Poupou Matatapu cover?
Poupou Matatapu provides a foundation for an organisation’s management of personal information. The 10 pillars are:
1. Governance: Establishing leadership and accountability for privacy;
2. Know your Personal Information: Understanding the types of information you hold;
3. Security and Internal Access Controls: Implementing appropriate safeguards;
4. Transparency: Information you provide to your stakeholders;
5. Building Capability and Awareness: Ongoing education and training of staff;
6. Breach Management: What to do when a privacy breach occurs;
7. Responding to requests and complaints well: Dealing with stakeholders directly;
8. Assessing Risk: Undertaking risk assessments on the information you hold;
9. Measure and Monitor: Regularly testing compliance; and
10. Privacy Management Plan: Having an organisation-wide system in place.
The pillars are structured in a way that flows from start to finish when putting in place a framework to manage personal information. The tenth pillar, Privacy Management Plan, links the rest of the concepts into a structured system that an organisation can implement, including providing useful templates.
How should an organisation use Poupou Matatapu?
The pillars provide comprehensive and detailed information, walking through each step of the process that an organisation should take in its management of personal information. Poupou Matatapu can be used to help assess whether an organisation has the appropriate protocols in place to ensure compliance with its obligations under the Privacy Act 2020, including the Information Privacy Principles (IPPs).
While each of the pillars should be read and assessed against an organisation’s existing privacy practices, we note that the expectations outlined by the OPC in the following pillars provide specific insights and guidance that are likely to be of interest to many privacy and legal practitioners:
- Know your Personal Information: Understanding what information your organisation needs to function, and what information it currently holds, is crucial for managing your privacy obligations. The OPC expects that organisations should have an inventory of data, as well as a central log of any information sharing agreements. Staff should also be aware of what personal information is, and there should be clear policies for internal data handling and retention/disposal.
- Security and Internal Access Controls: An appropriate and secure set of safeguards to protect personal information will help to reduce the risk of privacy breaches. The OPC expects that security controls are specific to the type and sensitivity of information held across the organisation, rather than adopting a blanket ‘one size fits all’ approach. Organisations should also follow industry guidelines and security standards that are relevant to their operations, and regularly review that these remain fit for purpose. Plans should also be in place to manage or replace legacy systems and redundant data.
- Transparency: One of the key obligations under the Privacy Act is IPP 3, which requires agencies to inform individuals about the information an organisation collects and the purposes for which the information is used. To comply with IPP 3, organisations should have a clear privacy policy that is accessible and able to be understood by the intended audience. This policy should be reviewed regularly and kept up to date. If questioned, the OPC expects an organisation should be able to provide evidence about its privacy practices.
- Building Capability and Awareness: Managing privacy is an organisation-wide responsibility. The OPC expects that employees should be given privacy training appropriate to their needs and role. Appropriately skilled people should deliver the training, and employees should receive training before gaining system access. As part of ongoing monitoring, any potential issues, trends or learnings that are identified should be used to improve staff capability.
Ensuring that your organisation protects and manages personal information safely and responsibly is crucial to help prevent privacy breaches and effectively manage your overall privacy compliance framework. While the guidance set out in Poupou Matatapu will have varying levels of relevance depending on an organisation’s privacy maturity and capability, risk appetite, and the type and volume of personal information processed, we consider this toolkit will be a useful resource for all organisations looking to validate the adequacy of (and improve) their existing privacy practices. It also provides useful insights into what the OPC expects to see from a privacy compliance perspective.
If you’d like more information about how Poupou Matatapu may help your organisation, or would like assistance in undertaking a privacy compliance assessment exercise, please get in touch with one of our subject matter experts.