It was truly an honour and a pleasure to take part in this year’s Privacy Week and contribute to the conversations happening across the event. It was a busy and engaging week, with a significant increase in attendance compared to last year (and, in 2024 the viewership nearly doubled from the 2023 numbers, as I recall).
Overall, it was a fantastic event, and I want to congratulate the organisers, the team at the Office of the Privacy Commissioner, for creating a successful format that continues to attract strong interest and engagement.
A few words about my contributions:
(1) Privacy on Purpose in AI Governance: Balancing Innovation and Protection
This session was very well attended (see the video or slides). My key messages included:
- In New Zealand, we still need to develop effective ways to guide people through the changes involved in implementing AI systems.
- I presented a range of technical options for safely introducing generative AI in organisations. These options vary in their levels of control, effectiveness, and risk.
- I addressed core privacy concerns, particularly around the use of personal information in AI, highlighting both general approaches and specific risks.
- I emphasised that AI literacy and strong data governance are foundational to successful implementation. People must understand how to use AI to achieve business goals, and organisations need to ensure their internal data is prepared for AI applications.
(2) Privacy Officers’ Role: Getting Ahead of Risks Before They Become Breaches
Delivered together with Laura Rodriguez, a seasoned privacy professional, this session proved even more popular (see the video or slides). Our main points included:
- Privacy officers need to act as both strategists and responders: identifying and mitigating risks before they materialise, and responding effectively when incidents occur.
- To manage risks, it is not enough to understand the nature of privacy problems/threats. It’s also crucial to understand how personal information flows throughout the organisation and its partners. This requires cross-functional collaboration to map data flows and assess associated risks.
- A strong privacy breach management framework should include clear breach definitions, response plans, designated roles and responsibilities, and incident handling procedures. These must be prepared and rehearsed in advance.
- Effective collaboration, both within the organisation and with third parties involved in breach response, is essential for containing incidents, assessing harm, and notifying the OPC when necessary. The goal is always to minimise harm to individuals (and the organisation alike).
The two sessions had very different focuses. The AI session was more technical and policy-oriented, and I received a lot of detailed (and challenging!) questions. The second session was more practical, focusing on operational best practices. I think Laura and I shared plenty of actionable advice in that presentation.
You can watch recordings of all the Privacy Week 2025 sessions here:
👉 https://www.privacy.org.nz/news/events/privacy-week
Leave a Reply