The compliance notice
The Privacy Commissioner has issued and published a compliance notice to Oranga Tamariki for what the Commissioner has found to be breaches of IPP5 and IPP11.
If anyone ever doubted the utility and power of the compliance notice mechanism, doubt no more. This compliance notice is detailed and requires Oranga Tamariki to take numerous listed steps to remedy the breaches.
Under section 125(2)(a) of the Privacy Act, a compliance notice may:
- identify particular steps that the Commissioner considers need to be taken by the agency to remedy the breach;
- include conditions that the Commissioner considers are appropriate; and
- state the date or dates by which the agency must remedy the breach and report to the Commissioner on the steps taken to do so.
This compliance notice does all these things. Oranga Tamariki needs to take numerous steps, by specified dates. The steps are listed under the broad headings of:
- upskill staff skills and capability;
- strengthen information settings;
- strengthen oversight of service providers; and
- strengthen accountability and reporting of privacy incidents.
What’s striking
What I find striking, and what made me say ‘Wow!’ out loud when I read the compliance notice, is the level of prescription it contains. For example:
- the training to staff needs to “provide direction on the interaction of the Privacy Act with the Family Violence Act and the Oranga Tamariki Act and its associated regulations” and to be “provided to new staff as part of induction and prior to gaining system access to personal information”;
- Oranga Tamariki is being told to “develop and implement a business case for strengthening the technical system settings with CYRAS”;
- Oranga Tamariki is being told to “review and strengthen contractual requirements for non-Oranga Tamariki staff” and to “ensure third party social services providers have appropriate privacy policies and practices in place”; and
- Oranga Tamariki is being told to “develop and deliver a privacy performance reporting framework”.
The steps are strong, specific, and some will be costly.
Did the framers of the compliance notice provisions contemplate this level of prescription in relation to the steps to be taken, and can all the ordered steps reasonably be regarded as steps to remedy the breaches that have actually been identified? For example, is ordering Oranga Tamariki to “develop and implement a business case” for strengthening CYRAS’ system settings an appropriate level of detail (as opposed to requiring steps to be taken to meet a required outcome)? Is ordering the required staff training to “provide direction on the interaction of the Privacy Act with the Family Violence Act and the Oranga Tamariki Act” a “step to remedy the breach(es) of the Privacy Act” that have actually been identified (noting that section 124(5) defines “remedy the breach” as “to comply with the relevant statutory provision or provisions)”?
I don’t have sufficient information to hand to opine on such questions, in terms of the background materials on the compliance notice provisions or the actual breaches in question here, and I probably wouldn’t do so publicly anyway. I imagine OPC will have considered such questions carefully. What’s clear, though, is that the Commissioner is exercising the compliance notice powers to their fullest, and has taken the rare step of publishing this notice for the world to see.
As I say, ‘Wow!’. Public and private sector agencies that handle large volumes of personal information may wish to take note.