PRIVACY 2.0 STRAW MODEL
Value chain
Workflow and initial structural considerations
Primary activities
23 October, 2019
Content
Primary activities and value chain
Workflow and first structural thoughts
Appendix: Primary activities
Strategy and Insights
Communication and Education
Advice and Advocacy
Enforcement and Compliance
Dispute Resolution
Crosscutting initiatives
Primary activities of the OPC
Theme: Organising the primary activities around the mandates of the Office and the corresponding tasks that need to be performed.

Strategy and Intelligence
Advising the Commissioner on the best way to achieve the Office’s mission as well as associated risks. Understanding trends and technological developments that will be relevant in the future. Using an evidence base to prioritise work and make decisions. Monitor success of strategies and initiatives.

Compliance and Enforcement
Investigating individual complaints where dispute resolution is inappropriate. Identifying and assessing systemic issues, using the right tools to get the best privacy outcomes for New Zealanders, including: enforcing the Codes, assessing value of prosecution, following up on compliance work, referring cases to the Director and issuing compliance notices and access directions.

Communication and Education
Informing people about their privacy rights. Promoting privacy understanding and competence, using media, opinion writing, stakeholder engagement. Producing material and resources to inform, guide and educate. Reduce the need for enforcement and dispute resolution through education.

Advice and Advocacy
Research and analysis supports advice on privacy issues that is context aware, evidence based and clear and informed. Advice reflects diverse perspectives and recognises risks and competing interests. Effective interventions include the development of Privacy Codes, advice to government on the evolution of the Privacy Act and changes to other legislation. Advocate for privacy positive outcomes, including privacy by design.

Dispute Resolution
Working with parties to achieve a fair outcome using dispute resolution techniques.

[Diagram labels: Enforced, Directed, Assisted, Voluntary]

Advantages
• Intuitive translations of functions into teams
• Easy to understand activities behind functions (for staff)
• Objectives can be translated clearly into functional outcomes

Challenges
• Potentially overlooks outcomes for NZ citizens and businesses
Value Chain
We are fair and responsive. We are influential.

Primary Activities
• Strategy and Intelligence (xx%): “Our mission is clear. We make informed decisions on strategies and risk assessments”
• Communication and Education (xx%): “We inform the public about their privacy rights. Our communications promote privacy, empower individuals and educate agencies and individuals alike”
• Advice and Advocacy (xx%): “Our advice is engaging, persuasive and pragmatic”
• Compliance and Enforcement (xx%): “Our interventions are effective and investigations rigorous”
• Dispute resolution (xx%): “Our process is efficient, effective and enabling”

Support Activities
• IT/ Systems (x%)
• People, Skills and Resources (x%)
• Processes and Practices (x%)
• Relationships (x%)

We have an empowering organisational culture and display operational excellence.
WORKFLOW AND FIRST
STRUCTURAL THOUGHTS
Workflow and triaging
Appreciating our organisational culture
First thoughts on structure
Exemplary customer journeys in new model
Workflow
[Workflow diagram with four stages: identify, assess, process, monitor. Incoming items: complaint!, enquiry!, need advice!, breach!. Entry points: Triage individual queries; Triage systems/ agency privacy issues.]

Communication and Education
Responding to individual enquiries and decide if further action is taken. Producing material to inform, guide and educate.

Dispute Resolution
Using best endeavours to resolve or settle disputes between parties.

Compliance and Enforcement
Assessing trends, investigating issues, supporting and enforcing compliance with the Act.

Advice and Advocacy
Providing advice to agencies during the development of policies/procedures/products.

[Further diagram labels: Strategy and intelligence gathering; Business Analytics!; Collecting information and insights; Compliance monitoring; Collating feedback, insights and data relating to functional outputs; Monitoring compliance with advice, recommendations and directions; Presenting insights and inform strategic decisions.]
Triaging incoming work
Objective: Assessing incoming enquiries and insights, orchestrating the flow of work, establishing
transparency, having the finger on the pulse of relevant topics for citizens and agencies.
How could this work?

Triage individual queries
• Philosophy: Early resolution.
• Incoming work: Categorised at a single point in the Office (eg. self-prescribed enquiries go to Communications, complaints go to dispute resolution) and possibly get redirected, if necessary. Triaged within the function to decide on appropriate actions.
• Activities: Assess level of response needed.
• Outputs: Initiate appropriate action eg email response, complaint notification or Stop and log.

Triage systems/ agency issues
• Philosophy: Informed and targeted advice that helps lift system capability and provide assurance.
• Incoming work: Categorised at a single point in the Office (eg. self-prescribed enquiries go to ‘Communication and Education’, requests for policy and systems advice go to ‘Advice and Advocacy’, all other requests are triaged in the ‘Compliance and Enforcement’ team) and possibly get redirected, if necessary. Triaged within the function to decide on appropriate actions.
• Activities: Assess level of response needed.
• Outputs: Initiate appropriate action eg email response, provide advice or Stop and log.
The way we do things around here
Our organisational culture is our treasure. We aim to take conscious steps to encourage mindsets and behaviours that will help us deliver on our objectives.

We can have all the plans and strategies in the world, but we need to work together effectively to carry them out.
Both internal and external feedback has underlined: The people working for the OPC are passionate about privacy and we are proud of our organisational culture.
To make privacy 2.0 a success, we want to take a conscious approach that:
• facilitates cross-functional teamwork to achieve shared objectives,
• increases clarity and alignment,
• reduces complexity,
• supports continuity and
• helps employees identify with our Office and what we stand for.

Culture
Our culture needs to align what we need to do and how we want to achieve it.
This determines the behaviours and norms that matter.
Visible behaviours and norms
…which need to be created and supported by a range of ‘soft’ factors
• The way that leaders behave and interact with staff (both formal and informal leaders)
• What is communicated - what messages are shared and what channels are used
• What people are recognised for – what is celebrated, and what is ignored
…and ‘hard’ factors.
• What is measured, which shapes what is expected of people and signals what is important
• The skills and knowledge of people within the group
• How the work and people are organised, including the influence of hierarchy
• Processes and practices – how people work and interact to get work done
• The physical environment – where people sit, and spaces for working together
The way we do things around here
We need to continue to deliver on our mandate in a robust and reliable way while exploring new ways to achieve the best ‘system outcomes’.

Operational excellence and efficiency
The Office has a reputation for quick and high-quality responses to individuals as well as agencies.
Clear guidance material and training enables great service levels.
Clear sign-out processes ensure the quality of work, especially when it’s ‘high-stakes’.
The Office needs to continue to provide quality advice in a timely manner.

Agile and outcomes-focused work
The Office has a role in achieving good privacy outcomes in a dynamic environment.
Technology and consumer concerns are constantly evolving.
Agencies want to understand how they can improve their privacy maturity within their unique circumstances, instead of responding to individual concerns.
The Office is increasingly asked to give quick, tailored and informed expert advice and guide the thinking in the privacy space for New Zealand.

Organisational ambidexterity
The way we do things around here
We have identified a number of shifts that will support the outcomes-focused culture we want to encourage more.

Less of: Doing the same work faster
• Focusing on working to absolute efficiency.
• Over servicing clients/stakeholders
More of: Finding targeted solutions with the biggest impact
• Turn down work when appropriate
• Take a strategic approach to engaging with others
• Investing time in compliance and enforcement work, where this will yield measurable (system) impact

Less of: Relying on proven (cookie-cutter) solutions
• Overly restrictive policies/procedures that encourage box ticking or formulaic responses
• Micromanaged projects and lack of strategic direction
More of: Tailoring responses to the unique environment
• Encourage staff to think ‘out of the box’ in clearly marked areas of their work
• Employ a ‘tight-loose-tight’ approach to achieve key results in unique environments

Less of: Having expert kingdoms
• Prioritising team deliverables over broader organisational needs
More of: Employing networked ways of working
• Enable more transparency and share knowledge
• Establish cross-functional teams
• Define shared objectives

Less of: Making decisions on an ad hoc basis
• Making decisions with immediate outcomes in mind
• Being driven by ‘BAU’
More of: Keeping the ‘direction of travel’ front of mind
• Advocate for Privacy Rights and (better) Privacy legislation
• Liaise internationally on global challenges and find collective responses
• Assess long-term/system benefits of policy decisions
Timeline
We suggest following a staged model.
[Timeline chart: Dec, Jan, Feb, March, April, May, June, July; markers: Christmas break, Easter; phases: Operating Model Stage 1, Operating Model Stage 2]
• Account for feedback from All Staff day
• Define target model based on budget
• Refine implementation plan

Operating Model Stage 1
• Processes and practices: Identify processes and practices that are to be adjusted, identify work we can stop doing/ do less, design new processes for primary activities.
• Capability and skills: Identify professional development opportunities, plan training and upskilling, identify potential contractors for specialist advice.
• Organisation of work and teams: Identify the stage 1 target structure, roles and accountabilities, governance. Plan transitioning steps.
• Systems and tools: Identify the current systems and tools that can be utilised to support processes and business intelligence, make targeted investments within budget (where applicable).
• Monitor, test and refine

Operating Model Stage 2
• Processes and practices: Identify processes and practices that need adjustment for stage 2, eg. where new roles are involved.
• Capability and skills: Describe potential new roles, encourage existing staff to apply, potentially recruit more staff, design further training
• Organisation of work and teams: Identify the stage 2 target structure, roles and accountabilities. Plan transitioning steps.
• Systems and tools: Identify new systems to be used and initiate tender process (where applicable)
• Monitor, test and refine

Culture: Identify initiatives and interventions to help promote shared mindsets and behaviours that will help us deliver on our objectives.
Communications, engagement and joint change management
First thoughts on structural implications
In stage 1 we start giving effect to functional teams.
In the next months, we aim to review the way we prioritise work, and identify activities we can stop doing or do less of to find capacity for more strategic work. We’ll recruit a business analyst role we have in our current budget.
[Organisation chart: Privacy Commissioner; Senior Leadership Team; Strategy and intelligence gathering (led by SLT member, dedicated business analyst role); teams for Communication and Education, Advice and Advocacy, Compliance and Enforcement, Dispute Resolutions and Corporate Services.]
Early intervention to triage incoming work
Distribute all incoming work transparently and triage within each function
Shared pool of advisors* (Can be assigned to agile teams)
Shared pool of investigators* (Can be assigned to agile teams)
Know key messages and direction of travel
*The degree to which staff will work primarily in permanent teams or primarily in agile/ cross-functional teams is still to be determined.
First thoughts on structural implications
Scenario: The office gets maximal funding to invest in HR and IT
Once we know what our budget will be, we will assess which key roles we can add to the functions that will get us the most ‘bang for buck’ in improving system performance. We will also investigate how IT investments could support our effectiveness and efficiency.
[Organisation chart: Privacy Commissioner; Senior Leadership Team; Strategy and intelligence gathering (led by SLT member, dedicated business analyst role); teams for Communication and Education, Advice and Advocacy, Enforcement and Compliance, Dispute Resolutions and Corporate Services. Label shown twice: Consists of permanent team and agile/ temporary team.]
Specialist Advice Team and coordination
• Dedicated Māori advisor (e.g. 0.2 FTE)
• Technical advisor (e.g. contracting agreement with Canadian Intel Centre)
• Chief of Staff role
Early intervention to triage incoming work
Distribute all incoming work transparently and triage within each function
Shared pool of advisors* (Can be assigned to agile teams)
Shared pool of investigators* (Can be assigned to agile teams)
Know key messages and direction of travel
Additional capacity shown:
• More capacity for (strategic) relationship management
• More capacity for (strategic) advice, eg. on maturity
• Dedicated compliance oversight resource
• Additional investigator(s) (Dispute Resolution)
• System Administrator
*The degree to which staff will work primarily in permanent teams or primarily in agile/ cross-functional teams is still to be determined.
Customer Journey - Citizen
Hēmi Ngeru
NZ citizen

• The Privacy Roadshow stopped in my school. It’s really scary to think, how much data of me is already out there. It’s good to know someone is out there to check up on those companies and on government. Maybe I try out an information request to see what data Vodafone has on me?
• My parents have posted all these pictures of me in my diapers on Facebook. Now at Kindy, everyone is laughing at me. I wonder if I’ll ever have a right to be forgotten?
• My employer just informed me that they have had a privacy breach and my criminal record is out there. I wonder if my neighbours can find out about my past? Where can I get help?
• I have a bit more time on my hands now that I’m retired. The other day I was asking myself: Who makes sure that MSD keeps all the information on my life safe?
• I hope the government takes care of my data!

Expects
To know who holds his data and why. His privacy to be protected against any harm.

Experiences
Lack of transparency of how different platforms and apps use and share his data

Thinks & feels
To live a normal life, I have to share my data with heaps of government agencies and companies like AirNZ. I don’t understand all the terms and conditions I’m signing.

[Activities shown on the journey map:]
• Inform about privacy rights
• Identify effective interventions to improve privacy literacy for young people.
• Target communication to the Youth and Schools
• Advocate for the right to be forgotten
• Investigate complaint about data breach
• Resolve dispute between Vodafone and Hēmi about information request
• Monitor compliance
• Feed consolidated data back into the business intelligence tool

Glossary
Strategy and Insights
Communication and Education
Advice and Advocacy
Compliance and Enforcement
Dispute Resolution
Customer Journey – Public sector
Ministry of Vulnerable Humans
Public Sector Agency

• Everyone is talking about the new Privacy Bill. I wonder how I can train my staff and make sure we’re ready for the future?
• We are reviewing heaps of our policies on the back of our latest breach. On the last Privacy conference I’ve heard about ‘privacy by design’. I wonder how we can reflect that in our policy?
• The OPC is checking in if we’ve implemented their recommendations. I feel confident to discuss tricky issues with the OPC, who has proven to be a ‘trusted advisor’!
• OH NO, We had a privacy breach! Who do I contact and what do I need to do know?
• An individual just made a request for their information. What do I have to do now?
• I’ll take all the help I can get to make sure our policies and practices are sound.

Expects
OPC and GCPO to work together and help me improve my organisation’s privacy maturity.

Experiences
It’s really hard to get privacy experts to join the team. We’ll need to invest in informing and educating our team.

Thinks & feels
We had a pretty bad privacy breach last year. We were in the media for weeks and got a lot of heat from our Minister. I don’t ever want to experience that again.

[Activities shown on the journey map:]
• Develop eLearning modules and brochures.
• Promote best practice through conferences and media.
• Jointly develop training programs for staff dealing with very sensitive data.
• Provide advice, share templates and workshop good solutions on policy proposals.
• Monitor compliance and implementation of recommendations
• Feed outcomes, strategies and lessons learned back into BI.
• Inform and support agency through procedures and steps.
• Inform about obligations in regard to information request and give guidance on best practice.
• Issue public statements.
• Make recommendations to improve compliance.
Customer Journey – Big business
Kiwi Business Legends Inc.
Large corporation

• We want our customers to have confidence that their data is safe with us. We want our contractors to put policies in place to protect our customer information. How can we partner with the OPC to improve industry practice?
• We need to comply with the Privacy Acts of various jurisdiction, including the GDPR. How can I put systems in place that allow me to comply with all Acts while still being manageable to staff?
• We’ve grown a lot in the past years. Our policies and practices need to reflect our role in the NZ economy.
• We only ever hear from the OPC about individual complaints. How do we know what our systemic issues are?
• The Privacy Commissioner contacted us about a complaint. How do we make sure this does not happen again?

Expects
The OPC to assess our privacy maturity and give advice how we can improve on a systems level.

Experiences
We operate in different jurisdictions and only hear about individual issues. It’s hard to understand the big ticket items we need to address on an enterprise level.

Thinks & feels
We are a big organisation and have a responsibility to both our employees and our customers to handle their information with care. We have an image to protect!

[Activities shown on the journey map:]
• Partner with industry bodies and large corporations in advocating for good privacy outcomes
• Advise on international best practice with regards to privacy systems and practices.
• Educate on international trends and best practice.
• Develop a maturity assessment tool for the private sector.
• Manage the complaint and resolve the dispute.
• Provide recommendations on privacy best practice for initiatives.
• Direct to education material and eLearning tools to help with staff training.
Customer Journey – Small organisation
Good kittens scratching
Local NGO

• I’m setting up my own charity on topics I’m really passionate about. What are the regulations I have to comply with?
• I would like to start a volunteer databank that gets regular updates from me. Who can tell me what to consider when setting this up?
• Someone hacked my website and now all of my information on volunteers and kitten homes is out in the open. What do I have to do now?
• I need an easy-to-understand guide on privacy and someone to talk to when I’m unsure about the right way.

Expects
Easy to understand and accessible guidance. Know where to find the right people when I have a privacy problem.

Experiences
I have limited time and resource to spend. eLearning modules and Podcasts are my main way of education.

Thinks & feels
I don’t want to let anyone down, but I don’t have the time to become an expert or the resources to invest in fancy privacy tools.

[Activities shown on the journey map:]
• Guidance on the website and a contact person to call provide initial advice.
• Contact people for information and support are clear.
• Provide advice on PIA for databank
• Privacy is referenced in business.govt.nz/ getting-started.
• ‘Starter Kit’ on privacy is easy to find on the website.
ADDITIONAL READING
First thoughts about people and skills
Primary activities
• Mandate
• Description
• Delivery
• Measures of success
Cross-cutting initiatives

People, skills and capabilities
Identified needs

Capability needed: Business analytics
• Potential training/ upskilling/ role shifting: Limited (Currently no staff with right skill set)
• Contracting opportunities: Limited (Possibly for discrete pieces of work)
• Potential future role: Yes. Business Analyst to support future Strategy and Intelligence gathering function

Capability needed: Strategic relationship management
• Potential training/ upskilling/ role shifting: Yes (Employ further communications staff to free up time for team to engage in more strategic engagement)
• Contracting opportunities: No
• Potential future role: Yes. The role should support the comms team

Capability needed: (Further) dispute resolution capability
• Potential training/ upskilling/ role shifting: Yes (Existing investigators could be upskilled)
• Contracting opportunities: Yes
• Potential future role: Yes. Employ more investigators with focus on dispute resolution

Capability needed: Advice on Māori matters (eg. community engagement, communications and weaving tikanga Māori into practices and policies)
• Potential training/ upskilling/ role shifting: Limited (Existing staff should also be upskilled, but in addition the Office might need specialist advice)
• Contracting opportunities: Yes. Māori Advisor to support the Office (eg. agreed contingent of days/ quarter)
• Potential future role: Yes. Employ Māori Advisor to support the Office in a part-time capacity

Capability needed: Technical advice (to understand the privacy dimension of new technologies)
• Potential training/ upskilling/ role shifting: No
• Contracting opportunities: Yes (The Canadian OPC has offered to partner on tech assessments)
• Potential future role: Limited. The Office is too small for an effective tech intel team.

Capability needed: Executive support. Supports prioritising incoming work for the Commissioner, keeping an overview of work under way and monitoring and communicating back on progress
• Potential training/ upskilling/ role shifting: Yes (Existing staff could be upskilled. This might require other positions to be backfilled)
• Contracting opportunities: Limited (Possibly for discrete pieces of work)
• Potential future role: Yes. Personal secretary role to support the Commissioner
Strategy and Insights
“Our mission is clear and our decisions informed”

Mandate
The Office is expected to monitor trends, develop insights, conduct research and report back on it. (Section 13(1) ( j, k, m, n, q))

Description
Advise the Commissioner on the direction to achieve the Office’s mission as well as associated risks. Understanding trends and technological developments that will be relevant in the future. Using an evidence base to prioritise work and make decisions. Monitor success of strategies and initiatives.

Delivery
• SLT member to lead function
• Data analysis and information gathering (business analyst)
• Interpretation and evidence based decision making (SLT)
• Prioritisation, strategy development, communication and implementation (SLT)

Measure of success | IT/ System/ Tools | People/ Skills | Processes and practices | Relationships

Measure of success: The mission is clear and strategic decisions are made consistently.
• The mission and purpose of the office are clearly formulated and static. The best strategy to deliver on the mission will be plastic and able to take shape in the way that best uses existing resources to deliver outcomes. Strategic priorities are regularly reviewed.
• The office makes a public commitment to its strategy, encourages ownership and accountability and transparently reports back on progress.

Measure of success: The office identifies developing trends in a timely manner.
• Build a repository and put technology and systems in place to allow for data collection and analysis (including making sure we use existing systems effectively and identifying system gaps).
• Identify ways to use existing systems better (eg. improve data quality)
• Develop analysis capability, by creating an overview of skills needed
• Put training and/ or recruitment initiatives in place
• Tweak position descriptions to account for the role of a business analyst.
Put processes in place to collect, manage and interpret quantitative and qualitative information, including:
• Develop a ‘business case’ for data use (strategy informs the data gathered to avoid unstructured data lakes)
• Identify data sources,
• Scan the environment and survey stakeholders (starting by identifying key sources, conduct an initial stocktake, implement isolations strategy)
• Collect and compile data,
• Analyse and interpret data
• Compile insights documents
• Ensure business analytics are reflected in our BAU processes
• Identify and manage key risks arising from trends

Measure of success: Both the leadership team and staff engage in evidence-based decision making. Incoming work is prioritised logically and based on the strategic objectives. Model good regulatory stewardship.
• Identified trends and other insights are tested against the Office’s key activities to understand effects and plan work in a holistic way.
• New work is sized, resource allocation is structured and deliberate and reflects the strategic priorities. The efforts are focussed on where the office gets the most ‘bang for our buck’.
• Well articulated intervention logic model for decisions.
• Define what good regulatory stewardship looks like and review regularly.
Strategy and Insights
“Our mission is clear and our decisions informed”

Measure of success | IT/ System/ Tools | People/ Skills | Processes and practices | Relationships

Measure of success: Diverse teams and functions are coordinated and joined up.
• The organisational structure enables agility. Flexible elements within the structure help the Office to deliver cross-functional initiatives and projects. KPIs support objectives, not undermine them.
• Staff are trained and enabled to engage in agile ways of working.
• Processes and procedures are structured in a tight-loose-tight manner allowing for flexible approaches to issues.

Measure of success: We are committed to monitor outcomes. Strategic success is measured within the broader community, including internationally.
• Implement systems and processes to improve reporting practices.
• Measuring and monitoring success becomes an integral part of all team processes.

Measure of success: We proactively drive the agenda and partner effectively.
• A stakeholder management role is reflected in one or more job positions.
• We have a clear purpose and know why we are doing things. Staff can articulate clearly what the office does.
• The Office leverages its partnerships and relationships effectively to achieve good privacy outcomes across the economy.
Communication and Education
“Our communications promote privacy and empower individuals”

Mandate
The Office has a role in educating both agencies and individuals about privacy good practice. The Office also has a role in promoting privacy positive behaviours and technology. Section 13(1)(a, g, h, n)

Description
Inform people about their privacy rights. Promote privacy understanding and competence, using media, opinion writing, stakeholder engagement. Produce material and resources to inform, guide and educate. Reduce the need for enforcement and dispute resolution through education

Delivery
• SLT member to lead T-shaped function
• Communication and education strategy and implementation to be developed and overseen by dedicated team
• Key messages and opinions are known and shared to all staff

Measure of success | IT/ System/ Tools | People/ Skills | Processes and practices | Relationships

Measure of success: The messaging is harmonised internally.
• The Office has access to a central repository of knowledge and resources, giving both, the Office and the general public, an easy to access overview of past decisions. (Good data allows for a ‘single source of truth’.)
• Ensuring our values and objectives are clearly defined.

Measure of success: Communication activities are planned and prioritised to achieve maximum impact. Communications target the right people at the right time. The Office seizes on opportunities to tell good, useful stories. There are high levels of voluntary engagement eg attendance of events, use of education tools
• The Office utilises tools to gather evidence/data to inform the prioritisation of communication resource (repository)
• Education tools for agencies
• E-learning modules
• A communication strategy and review cycle support the structured assessment and planning of sector specific and cross-cutting initiatives.
• Central messages and pieces of advice are maximized by alignment with other agencies and organisations, by utilizing existent channels and establishing new and targeted mechanisms.

Measure of success: Strategy and consistent key messages are communicated internally. Teams and staff are empowered to develop a response to strategic challenges and opportunities.
• Leadership facilitates team discussions of the strategic direction and encourage/ empower teams to address the strategic objectives as they see fit. The role of leadership is to make sure, objectives and desired outcomes/ key results are clear and the teams are enabled to work on them (eg. through capacity and resource, training, skills, advice)
• The leadership team puts mechanisms in place to ensure strategic decisions are communicated consistently.
Communication and Education
“Our communications promote privacy and empower individuals”

Measure of success | IT/ System/ Tools | People/ Skills | Processes and practices | Relationships

Measure of success: The mandate and functions of the OPC are well understood. The public is privacy literate – they understand their rights and know where to go to get privacy info.
• A website refresh makes the structure more intuitive and easier to navigate.
• Contact people for different topics are clear and communicated.
• The resources, advice and guidance of the OPC are easily accessible. The Office utilises diverse communications mechanisms and takes a flexible approach to writing.
• Find new channels for the engagement with the youth/ young adults and schools (eg. by working with education specialists)
• Good relationships to media outlets facilitate accurate and favourable comms

Measure of success: The office engages in more targeted education efforts for industries, agencies and different types of organisations (eg. SME, Corporate, NGOs)
• Use eLearning modules more.
• Put systems in place that allow the Office to identify systemic issues.
Put processes in place to:
• Inform organisations about their systemic issues.
• Providing maturity self-assessment tools for the private sector
• Give guidance on ‘how to run privacy at scale’
• Conduct more research to help agencies understand what is important to consumers

Measure of success: Enquiries are handled swiftly.
• Processes encourage online-first responses (e.g. AskUs)

Measure of success: The office engages effectively with Maori
• People are trained in engaging with Maori and build networks to discuss the focus and tone for messaging
• Targeted channels and messages are developed as part of OPC communications where appropriate
• Relationship management strategy with iwi and hapū
Advice and Advocacy
“Our advice is engaging, persuasive and pragmatic”
Mandate
The Office has a role in advising on draft legislation and advocating for privacy good practice in both government’s and the private sector’s policy proposals. (Section 13(1) (f, j, k, l, o, q, r) and Section 26)
Description
Research and analysis supports advice on privacy issues that is context aware, evidence based and clear and informed. Advice reflects diverse perspectives and recognises risks and competing interests. Effective interventions include the development of Privacy Codes, advise government on the evolution of the Privacy Act and changes to other legislation. Advocacy for privacy positive outcomes, including privacy by design.
Delivery
• Manager or SLT member to lead function
• Advice and advocacy strategy and implementation to be developed and overseen by dedicated team
Measure of success
IT/ System
People/ Skills
Processes and practices
Relationships

Advice is impactful and makes agencies adapt a privacy friendly approach to their activities. Advice supports compliance.
• Processes allow time for proactive work.
• Strategic priorities are clear and allow staff to prioritise work
• Staff are enabled to work flexibly

The OPC has a high brand recognition across sectors, recognised expertise and mana. Leaders are asked to attend international forums / contribute to publications. The office has international influence and is sought out by international partners for advice.
Mechanisms and engagement strategies are put in place to allow the Office to anticipate relevant challenges and trends. The anticipated issues of importance will inform agenda-setting activities of the Office to make sure privacy remains a top-level agenda item.
The Office communicates a clear strategic direction.
Special initiatives emphasise and support the Commissioner in building his high public profile.

The office is well connected to government, private sector industries and the general public. Relationships are managed and developed consciously. Sector and target group insights inform targeted communications and advice.
The resourcing for proactive communications will be reviewed. Make relationship management part of roles (where applicable).
Establish a relationship management strategy.

High engagement from agencies with the Office. Office views and advice are sought after.
Relationship management strategy.
Enforcement and Compliance
“Our interventions are effective and investigations rigorous”
Mandate
The Office has a role in supporting and where necessary enforcing compliance with its Codes, notices, directions, information sharing programs and principles. The Office also has a role in conducting inquiries and investigations into matters affecting the privacy of individuals. (Section 13(1) (b, k, m, s), 96W, 96X, Part 8 and new Bill clauses)
Description
Investigating individual complaints where dispute resolution is inappropriate. Identifying and assessing systemic issues, using the right tools to get the best privacy outcomes for New Zealanders, including: enforcing the Codes, assessing value of prosecution, following up on compliance work, referring cases to the Director and issuing compliance notices and access directions.
Delivery
• Manager or team leader to lead semi-permanent function
• Small permanent team to lead the identification, triaging and monitoring of investigations
• Temporary ‘task forces’ with the right experts are established based on the needs of the case
Measure of success
IT/ System/ Data
People
Processes and practices
Relationships

Detecting issues before complaints or media requests are raised
• Better tools for searching data and recording issues
• Better data about agencies/ sectors
• Assessment criteria to prioritise where to focus (which industries/ sectors/ agencies)
• Good/successful use of partnering to achieve compliance eg other oversight bodies

Impacting change at economy / sector level.
• Staff understands different sector realities and displays situational awareness in their approach.
• Identify industries and critical components of a sector that will lead to most ‘bang for buck’
• Good/successful use of partnering to achieve compliance (eg other oversight bodies)

Using individual complaints as a mechanism to achieve compliance with Privacy Act 1993 and 2020 (regardless of settlement)
• Complaints Management System
• Empowering staff to be flexible with the tools and processes that they use (tight-loose-tight)
• Triage process of issue/complaints – Intuitive pathway system to allow for individuals to raise different types of issues e.g. compliance issue complaint
• Buy in and engagement with stakeholders to comply with our compliance legislation

Using the right tools at the right time and become more deliberate, innovative and comfortable in the approach to enforcement.
• Training for staff to triage and use compliance tools in accordance to principles and guidelines.
• Empowered staff (re risk escalations), that is encouraged to act principles based and flexible
• Clear ownership and responsibilities between the compliance and enforcement function and the dispute resolution.
• Design processes to allow for innovative and thoughtful use of tools in use of various mechanisms to encourage/achieve compliance
• Clear policies and good procedures manual on how to use tools and when to use them
• Principles and clear assessment criteria to guide assessments
• There are clear processes to support and align with the dispute resolution process
• Be transparent and develop good comms – across enforcement mechanisms (targeted to drive compliance and better behaviour in the future)
Enforcement and Compliance
“Our interventions are effective and investigations rigorous”
Mandate
The Office has a role in supporting and where necessary enforcing compliance with its Codes, notices, directions, information sharing programs and principles. The Office also has a role in conducting inquiries and investigations into matters affecting the privacy of individuals. (Section 13(1) (b, k, m, s), 96W, 96X, Part 8 and new Bill clauses)
Description
Investigating individual complaints where dispute resolution is inappropriate. Identifying and assessing systemic issues, using the right tools in our toolbox to get the best privacy outcomes for New Zealanders. Including, enforcing the Codes, assessing value of prosecution, following up on compliance work, referring cases to the Director and issuing compliance notices and access directions.
Delivery
• Manager or team leader to lead semi-permanent function
• Small permanent team (2 FTEs) to lead the identification, triaging and monitoring of investigations
• Temporary ‘task forces’ with the right experts are established based on the needs of the investigations case
Measure of success
IT/ System/ Data
People
Processes and practices
Relationships

The right expertise is brought in to best address the challenges of individual investigations.
• Establish and resource a dedicated compliance team (permanent and temporary members)
• An agreed process to identify and ‘borrow’ staff for task forces is in place. Staff that has handled an unsuccessful dispute resolution process will take part in further compliance activities, where possible.
Dispute Resolution
“Our process is efficient, effective and enabling”
Mandate
This Office has a strong dispute resolution mandate to both attempt to resolve disputes prior to investigation and to make best endeavours to settle complaints if they have merit. Section 74 and 77.
Description
Work with parties to achieve a fair outcome using dispute resolution techniques.
Delivery
• Manager or team leader to lead function
• Team of dispute resolution staff
• Strong alignment with compliance and enforcement function
Measure of success
IT/ System
People
Processes and practices
Relationships

Decide to engage in dispute resolution, when this is the right tool
• Super-charged, intuitive triage system
• Provide and plan for alternative pathways/mechanisms for individuals to raise concerns

Good outcomes for parties (a solution that addresses their grievances) and good natural justice (give effect to complainants’ and respondents’ needs)
Provide formal training (more certified dispute resolution mediators)
Allow for enough time to run good process (resource sufficiently)
• Employ quality assurance processes

Efficient delivery, transparent processes, keeping parties looped in
Complaints management system
More resources to get to the disputes quickly

Provide consistency in the end-to-end process from the complainant’s perspective
Conscious assignment of staff to cases, ideally allowing for the same person to handle an entire process.
Crosscutting initiatives
1. Some processes should be clarified and streamlined, eg. with regards to sign-off processes or internal communication on cross-cutting prioritisation (e.g. OMIs)
2. The Office could do more to understand the cultural dimension of our work and to communicate in a more inclusive way. Build community engagement capability and work on Maori engagement expertise
3. Staff retention is subject to different challenges in different teams. Overall, the Office should aim to get better at retaining experienced staff and fostering talent.
4. The office should strengthen technological expertise both as a whole (understand the privacy dimension to technology) and through explicit resource/ expertise (to assess particular technologies). Engage in ‘softer’ approaches to better privacy protection of NZers by commenting on a wider and topical range of issues publicly, eg. around technological change and its privacy impact.
5. Empowerment of staff is key to allow for an innovative and fit-for-purpose use of compliance and enforcement tools as well as enabling a layered relationship management strategy and communications. To achieve empowered staff, strategic direction and expected outcomes must be very clear, and the development of solutions and initiatives in teams is facilitated. (tight-loose-tight)