By Murray Griffin
March 25 – As he starts a five-year term as the new privacy commissioner for New Zealand, John Edwards told Bloomberg BNA in a March 25 interview that he is moving quickly to make full use of his limited powers to deal with organizations that ignore their privacy obligations.
Edwards said he will do more to bring into line businesses and other covered entities that show little interest in compliance, despite being limited by a lack of authority to issue fines or compliance notices with injunctive requirements.
In December 2013, Edwards was named to take over from former Privacy Commissioner Marie Shroff, who served in the role for a decade. He took over the post in mid-February.
Edwards said his existing powers make him “mostly an influencer or a persuader,” rather than a regulator.
“I think we need to be thinking a bit more creatively about how to deploy the tools that we have so that we drive some compliance where we see people flouting the law,” he said.
“One of things that I will be doing more of is ‘naming and shaming,’ ” he said.
“So I will be identifying organizations who I believe fall short of the legal requirements, and I believe that has some power,” he said.
Edwards proved his willingness to highlight poor privacy practices by issuing a March 25 notice that named Veda Advantage, one of the largest credit reporting companies in the country, charges consumers an “unreasonable sum” for urgent requests for credit information. The notice accompanied a report on the office's investigation of Veda.
Edwards said in the notice that he was considering examining the charging practices of other credit reporters, adding that people making urgent requests are likely to be in a vulnerable position.
Although he can't issue fines for data protection violations, Edwards noted that he can refer a complaint to the Human Rights Review Tribunal, which can award damages of up to NZ$200,000 ($170,927).
Edwards added that punishments meted out either by his office or the tribunal aren't the only risks facing organizations that fail to meet their privacy obligations.
These days, personal information is one of the most important assets held by many companies and agencies, he said.
If organizations lose the trust and confidence of customers and interest groups that personal information will be protected, then that will “erode their brand value and shareholder value,” he said.
Edwards may also soon find his powers augmented somewhat. The government is considering its response to a major Law Reform Commission inquiry into privacy that reported in 2011.
“We are awaiting decisions on what parts of the Law Reform Commission recommendations will be adopted,” Edwards said. “But certainly we have heard that the government is looking favorably on compliance notices.”
In November 2013, however, the government was unable to move legislation that would have given the privacy commissioner expanded powers to audit government agencies and issue notices requiring them to remedy data security and privacy problems.
Edwards said that he was also keen to reduce privacy compliance costs for industry and government.
A central element will be doing more to disseminate useful information to organizations concerning privacy obligations, he said.
That could include sharing the lessons learned from investigations into data breaches, Edwards said.
It could also include developing generic information for activities such as recruitment practices, rather than requiring each organization to “think hard and come up with its own answers on what constitutes best practice.”
To contact the reporter on this story: Murray Griffin in Melbourne at firstname.lastname@example.org.
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
To view additional stories from Privacy & Security Law Report® register for a free trial now