
Download a copy of the Compliance and Regulatory Action Framework (CARAF) (opens to PDF, 2.1MB)

The purpose of the Privacy Act is to promote and protect people’s privacy. Our mission is to use our functions and powers under the Privacy Act in a way that is meaningful and responsive and upholds the purpose of the Act.

We take a holistic approach to compliance, including:
  • assisting and supporting agencies to understand their obligations
  • taking proportionate and appropriate action in response to breaches of the Act.

The kaupapa of our regulatory and compliance action is:

Public Trust - we are a critical part of New Zealand’s trust infrastructure

Independent oversight bodies like us are essential to maintaining public trust. Our independence is also central to our ability to celebrate best practice and call out poor compliance behaviour when we see it. Without public trust, it’s much more difficult for public and private sector agencies to engage with people, and this has flow-on effects to wider society and the economy. 

Respect for privacy is part of the essential social licence between an individual and the agencies they deal with.

Education - we promote good practice and seek to facilitate compliance

We provide agencies with tools, resources, guidance and advice about how they can best protect individual privacy. We also provide people with their own resources to help them exercise their rights and entitlements under the Privacy Act. 

We want agencies to understand their obligations and for individuals to know their rights, as together this facilitates compliance.

We celebrate agencies who go above and beyond what is required of them by making privacy an embedded value in their products or services.  

Accountability - we hold agencies to account for their actions

Our approach is designed to take account of the need to protect individual privacy while ensuring agencies can operate efficiently and effectively. We support agencies to uphold individuals’ rights to privacy but take a robust, fair and considered approach to non-compliance. In these cases, we seek to hold agencies to account for their actions. We will act proactively and take prompt action where we see poor compliance with the Privacy Act.

Our principles

We will be guided by the following principles in our approach to compliance and regulatory action. 

Fairness

We take a considered approach to compliance and regulatory efforts to get the best outcomes for New Zealanders. As a Crown Entity, OPC acts independently in accordance with the principles of natural justice.

Consistency and transparency

OPC will act consistently and transparently. OPC will be open about how it uses its powers, including through publishing guidance. OPC will also act in accordance with the principles of good decision making, including as set out in the Office of the Ombudsman’s guidance on good decision making by state sector agencies (opens to PDF, 568KB).

Proportionality

Any regulatory or compliance action OPC chooses to take will be proportionate to the conduct which has occurred and the benefits which are expected to result.

Accountability

OPC is accountable for any regulatory action we take, including through review and appeal rights. We will ensure stakeholders are advised of these rights. Download a copy of the diagram below (opens to PDF, 139KB).

Diagram: Our principles in our approach to compliance and regulatory action.

What we consider when we decide on an action

We prioritise certain matters for compliance or regulatory action and select the most appropriate response in the circumstances. We seek to use our limited resources to best effect. In addition to the Privacy Act, we consider: 

Seriousness

  • the nature and seriousness of a privacy issue, or the potential impact, including:
    • the adverse consequences caused (or likely to be caused) to the affected individual/s
    • whether the matter involves sensitive information
    • the number of individuals potentially affected
    • whether disadvantaged, vulnerable, or a particular group of individuals have been or may be adversely affected
    • whether the conduct indicates a potential systemic issue (either within the agency concerned or within a sector or industry) or an increasing issue which may pose ongoing compliance or enforcement issues.

Public interest 

  • the level of public interest in the issue, or in compliance or regulatory action being taken including:
    • the educational, deterrent or precedential value of acting
    • whether the issue would clarify or test a matter of law
    • the way the issue came to OPC's attention and, if relevant, any failure or delay by the relevant individual or agency in notifying OPC of the breach or issue
    • whether the agency responsible for the incident or conduct has been the subject of prior compliance or regulatory enforcement action by OPC, and the outcome of that action
    • the need to inform individuals to provide a full picture, or correct inaccurate, incomplete or misleading information. 

Attitude and conduct of the agency

  • the attitude to compliance, and conduct of the agency concerned, including:
    • the state and nature of any protective or preventative policies, technology or other measures the agency had in place at the time the actual or alleged issue occurred, and since
    • the agency’s general approach to compliance and engagement with OPC
    • action taken by the agency to remedy and address the consequences of the conduct, including whether it attempted to remedy its conduct and whether it cooperated with affected individuals
    • whether the conduct is or appears to be wilful, negligent or intentional
    • whether the conduct is an isolated instance, and the likelihood of the agency repeating the behaviour at issue in the future
    • the position, seniority and level of experience of the person or persons responsible for the conduct.  

Statutory factors

The Commissioner must also consider certain matters when exercising any functions under the Privacy Act. These include:

  • Other human rights and interests such as the desirability of facilitating the free flow of information, and government and business efficiency in achieving their objectives
  • Cultural perspectives on privacy  
  • New Zealand’s international obligations, including those concerning the international technology of communications
  • International guidelines relevant to the better protection of individual privacy
  • Information Privacy Principles.

Other factors

  • the time since an actual or alleged breach or issue occurred
  • the appropriateness and proportionality of taking compliance or regulatory action, including:
    • whether the burden on the agency likely to arise from the regulatory action is proportionate to the risk posed to the protection of personal information
    • whether another regulator, law enforcement body, or authority is already taking (or has already taken) action in respect of the same matter
    • the cost and time to OPC to achieve an appropriate remedy or improved compliance
    • whether there is adequate evidence available to prove a breach, alleged breach, interference, or infringement
  • any other factors which OPC considers relevant in the circumstances, including factors which are relevant to the specific compliance function or regulatory power being exercised.