Pipa guidance notes released for public feedback
After a 2024 awareness campaign for the 2025 onset of the new privacy regime, officials are encouraging public feedback on the new, updated Financial Services and Personal Information Protection Act Guidance Notes.
The Privacy Office has been posting the various steps for companies to prepare themselves for compliance with the Act, which ushers in a new regime in January for all organisations.
The financial services guidance notes are in addition to templates, checklists and instructions for the major pieces of Pipa compliance.
It was developed through engagement with cohorts in 2023, to provide organisations with practical steps to prepare.
Officials will continue with quarterly engagements with the community to hear concerns, answer questions and establish a media presence.
The Privacy Office has scheduled 37 full weeks of articles, resources, templates and events.
Privacy Commissioner Alexander White said: “Whenever anyone reaches out to our office with a question, we are usually able to refer them to an existing guidance note from the Road to Pipa, our Guide to Pipa, or other guidance.”
Mr White said the shifts in mindset that were needed included thinking of personal information as an asset that belongs to the individual.
He said: “Thinking about information as an asset will help us all to start thinking about the value of information and how it should be protected.
“We are used to thinking about money, vehicles, or computers as assets and putting them behind lock and key. We have to think of personal information as something of value that needs to be protected according to its value – or the risk of harm to individuals.
“Second, we need to shift our thinking from ownership of personal information to stewardship. When a person shares details about themselves with an organisation, they place it temporarily in the organisation’s care in order to accomplish a specific purpose. The organisation is carrying out the instructions of the individual and should consider the duties of care and otherwise that such a role implies.
“I find this idea of stewardship especially useful as quite often the highest duty of care arises when one is a steward, charged with protecting property on behalf of someone who has placed a great deal of trust in you.”
Mr White said: “Pipa allows an individual to request access to, correction of, or even deletion of their own information. Individuals go straight to the organisations with those requests, so the organisations need to be ready to respond. In many ways, it is a customer-service matter.”
Organisations may have legal reasons to deny a request. Some require the use of a lot of personal information but do not have the personnel resources to respond to requests, assess the risk of harm when using personal information and implement security safeguards. Compliance, however, is expected on day one.
Mr White said: “My office has a regulatory philosophy of ‘constructive oversight’, which involves working with organisations in the community to protect rights in a reasonable manner.
“My officers will seek proactive and constructive engagement to help organisations understand the merits of protecting privacy rights, as well as the financial value that information management programmes can bring to a business.
“Pipa gives my office order-making power and, as a first option, those orders will be drafted to correct errors or non-compliance.
“If those orders are not followed, then the matter may be referred for prosecution as an offence. Individuals will also have the ability to seek compensation for financial loss or distress through the courts if they have been harmed by an organisation’s non-compliance.”
The deadline for consultation submissions is October 25.