13 July 2017
The Office of the Privacy Commissioner of New Zealand (‘OPCNZ’) launched, on 5 July 2017, a survey on the creation of a privacy trust mark system to be administered by the OPCNZ (‘the Survey’). The OPCNZ highlighted that the Survey is part of its vision to help consumers gain trust and confidence that their personal information will be safeguarded and make it easier for them to choose privacy-friendly goods and services. In this respect, the proposed Privacy Tick trust mark is intended to endorse products and services which are ‘designed with privacy in mind.’
Christie Hall, Privacy Law Leader at EY, told DataGuidance, “The proposal has merit [and] represents an ongoing effort by the OPCNZ to engage business in good privacy management and to be more ‘user friendly’ in enabling consumers to quickly and easily assess an organisation’s privacy maturity. Organisations would also benefit from consumers being able to make more informed choices. [H]aving a privacy enhancing reputation will allow them to connect with a greater number of consumers, and, consequently, they will see the competitive advantage in working towards achieving excellent privacy policies and standards.”
The concept of a privacy trust mark is already known in many jurisdictions, allowing organisations to certify and be endorsed through a range of mechanisms. At the international level, systems like the Asia-Pacific Economic Cooperation Privacy Framework rely directly on trust mark certification processes, with certification awarded by regional ‘accountability agents.’
[T]here will be some limitations or challenges in trying to apply a single mark to the broad spectrum of data processing activities that organisations undertake
Allan Yeoman, Partner at Buddle Findlay, commented, “[The Survey] could partly be in response to what the OPCNZ has described as New Zealand privacy law’s lack of ‘teeth’ – the Privacy Tick might be an alternative way for organisations to be incentivised to take privacy seriously. If it becomes widely recognised and adopted, then it might become a necessity for companies operating in competitive sectors who want to be seen to have sound privacy practices.”
The Survey itself includes questions covering the criteria to be applied in awarding the trust mark, such as whether the company has an existing product or service that would make a good candidate for the mark, whether the system would encourage organisations to be more focused on best privacy practices, and whether an organisation would be willing to pay for the trust mark. As the system is still at the formative stage, its details need to be further developed and a number of questions as to what shape it may take arise.
Yeoman added, “We can see that there would be a range of options; for example, whether it is a badge of the OPCNZ’s endorsement following a detailed audit or examination of an organisation’s privacy practices, whether it can be used following self-certification, or somewhere in between. The other variable will be whether the Privacy Tick is appropriate only for straightforward data processing activities, or whether it is possible for it to convey something about more complex data uses (such as aggregation). That will obviously be a key factor in driving adoption by private sector organisations, but there will be some limitations or challenges in trying to apply a single mark to the broad spectrum of data processing activities that organisations undertake.”
The Survey is available on the OPCNZ’s website and will remain open for submissions until 1 August 2017.
Hernán R. Dutschmann | Privacy Analyst