Lunch and Learn
Upcoming Sessions
New to privacy or stepping into a privacy role in New Zealand? This series is designed to give you the confidence and tools to navigate the essentials of the Privacy Act 2020. Across five practical lunchtime sessions, we’ll explore the full information lifecycle, how to handle breaches, responding to privacy requests, managing risk with PTAs and PIAs, and building a roadmap for privacy maturity in your organisation.

The Information Lifecycle - What do the IPPs require?
Get to grips with the Information Privacy Principles (IPPs) at the heart of the Privacy Act. This session covers what counts as personal information, the information lifecycle, and the obligations each of the 13 IPPs imposes. Perfect for anyone building their privacy foundation.

Breach Management - Do I need to notify?
Privacy breaches happen at every organisation; what matters is how you respond. Learn what qualifies as a notifiable breach, when and how to report to the Privacy Commissioner and impacted individuals, and the practical steps to contain and recover.

Privacy Requests - Can I redact that?
When individuals ask to view, access, or correct their personal information, you need to be ready. This session explains the rules around privacy requests, statutory timeframes, and common exemptions — including when redactions are justified.

Managing Risk - Do we need a PIA?
Privacy Threshold Assessments (PTAs) and Privacy Impact Assessments (PIAs) are the best tools to spot privacy risks before they become problems. In this session, we will cover when a PTA and/or PIA is needed, how to structure one, and how to use it to influence projects from the start.

Privacy Maturity - What are the next steps for our organisation?
In this final session, we’ll discuss how to measure your privacy maturity. We will also discuss how to build a sustainable privacy programme and how to create a privacy roadmap tailored to your organisation’s needs.

Why may we need contractual changes as a result of IPP3A?
As part of this session, we will cover common types of relationships between organisations and how this impacts indirect collection. Where you are collecting personal information indirectly from another organisation, you are likely to want to introduce requirements into their contracts enabling you to be exempt from providing notice at the time of collection, as the individuals concerned have already been provided notice by the disclosing organisation. Equally, however, where you are disclosing information to another organisation, they are likely to want to introduce similar requirements.

How do we deal with the requirement to provide notice?
The upcoming changes introduce the requirement to provide a privacy notice to individuals where their information is collected indirectly, unless one of the exceptions applies. During this session, we will explore how this can be practically achieved and what exceptions may apply to the requirement to provide notice.

How do we identify indirect collection in our business processes?
With the upcoming changes around providing notice when collecting personal information indirectly, it is important to be able to identify where in your business indirect collection is occurring. During this session, we will discuss common scenarios in which indirect collection occurs. We will also cover how previous and future Privacy Impact Assessments can be used to identify indirect collection.
Previous Sessions
How do we identify indirect collection in our business processes?
With the upcoming changes around providing notice when collecting personal information indirectly, it is important to be able to identify where in your business indirect collection is occurring. During this session, we will discuss common scenarios in which indirect collection occurs. We will also cover how previous and future Privacy Impact Assessments can be used to identify indirect collection.
How do we deal with the requirement to provide notice?
The upcoming changes introduce the requirement to provide a privacy notice to individuals where their information is collected indirectly, unless one of the exceptions applies. During this session, we will explore how this can be practically achieved and what exceptions may apply to the requirement to provide notice.
Why may we need contractual changes as a result of IPP3A?
As part of this session, we will cover common types of relationships between organisations and how this impacts indirect collection. Where you are collecting personal information indirectly from another organisation, you are likely to want to introduce requirements into their contracts enabling you to be exempt from providing notice at the time of collection, as the individuals concerned have already been provided notice by the disclosing organisation. Equally, however, where you are disclosing information to another organisation, they are likely to want to introduce similar requirements.