Privacy and security

Public and private sector agencies that process personal and other sensitive information need to comply with privacy and other relevant law, comply with applicable security requirements, be proactive in avoiding breaches, and be ready to respond quickly if the proverbial hits the fan. You might be unsure of whether you can process certain personal information or you might need an MOU for sharing information with another agency. You might be concerned about a privacy breach and the associated harm to individuals and your agency's reputation. You might need robust privacy and security clauses for a contract you're putting in place, a new privacy statement, or a privacy guide for your team. Or, if you're a public sector agency, you might need to understand the miscellany of information-related laws that apply to your agency. In situations like these, having the help of an experienced and pragmatic privacy lawyer can help you protect people's privacy, comply with the law, safeguard your agency's reputation, and even sleep at night. 

How I can help

Protect and enable: Privacy law is not about preventing agencies and organisations from doing anything with people's personal information. It's about proportionality, protection, and enablement:

  • proportionality in how much information you collect, why you collect it, and what you'll do with it
  • protection of people's privacy, including how you handle and store their information, the security controls you put in place to protect it, how long you'll keep it, and what you need to do when things go wrong, and
  • enabling agencies to do things with people's information if you've told them in advance, if they consent, or if the law otherwise permits, authorises, or requires it.

No one wants a lawyer or privacy advisor who doesn't understand this and just says no, or who incorrectly says yes or no without understanding all applicable law. Instead, we need to understand the law, know how to assess and mitigate risk, and enable agencies and organisations to do what they need to do while also having appropriate controls in place. That's the approach I take, and it's how I can help your agency or organisation.

Legal and related expertise: Your project or issue may involve the need for:

  • a stocktake of your agency or organisation's level of privacy maturity
  • threshold or full privacy impact assessment for something you propose to do with personal information
  • ad hoc advice on privacy issues that crop up from time to time
  • development of privacy guides, policies, or processes
  • drafting of privacy statements, information sharing MOUs or agreements, data sharing arrangements, or privacy and security clauses for contracts
  • compilation of all information-related legislative provisions that apply to your agency
  • responding to requests for access to or correction of personal information or to privacy-related complaints 
  • privacy training for staff, or
  • if you're in the public service, understanding and taking steps to comply with the Government's Protective Security Requirements (including certification and accreditation requirements under the New Zealand Information Security Manual and contractual provisions to facilitate those processes).

I am experienced in all such matters, and have built multiple knowledge bases and tools, like StopLookGo Privacy and the Contract Foundry, that enable me to hit the ground running.  

Experience

My experience in this area includes:

  • reviewing organisational privacy policies and agency compliance with the Privacy Act's information privacy principles
  • surveying staff and assessing agency maturity under the Privacy Maturity Assessment Framework, with recommendations to improve IPP compliance and privacy maturity
  • reviewing, contributing to, and drafting privacy impact assessments
  • advising on approved information sharing agreements under the Privacy Act and their associated processes and privacy impact assessments
  • developing open data principles that recognise the importance of personal privacy and the potential risks of aggregating seemingly anonymised datasets
  • advising on relevant aspects of statistics legislation
  • preparing guidance for staff on the use and disclosure of student-related personal information
  • advising on the privacy implications of machine-to-machine processing of personal information 
  • advising on and drafting of privacy-centric contractual provisions
  • providing detailed advice on policy initiatives involving the collection and sharing of personal information for beneficial outcomes
  • drafting and amending of privacy statements for multiple government and corporate websites
  • negotiating contracts for an online consultation service to ensure Privacy Act compliance
  • collecting, collating, and summarising statutory provisions enabling the collection, use, and sharing of personal information
  • providing wide-ranging advice for a framework that assesses the privacy, human rights and ethics implications of proposed services and processes
  • reviewing and redrafting agreements and privacy statements for GDPR compliance
  • providing substantial advice and drafting inputs for a government policy on data protection and use
  • reviewing and updating a Crown entity's privacy statement and some of its internal privacy policies and processes
  • preparing privacy guides for both public sector agencies and regulatory organisations
  • assessing the privacy implications of generative AI.

I have also conceived, designed, and developed all the privacy tools and services on StopLookGo Privacy and the Contract Foundry.

Get in touch

If you'd like to get in touch to ask a quick question or talk through a potential matter, then please do. I'd be happy to help and we can jump on Zoom or Teams if that makes things easier.

Get in touch