Flexibility mechanisms

The Privacy and Data Protection Act 2014 (PDPA) contains mechanisms to provide flexibility in the application of some Information Privacy Principles (IPPs) and (in the case of IUAs), information handling provisions of other Acts. The mechanisms are public interest determinations (PIDs) and information usage arrangements (IUAs). In urgent circumstances the Commissioner may also make a temporary PID. A PID or IUA may not be made in respect of IPP 4 (Data Security) or IPP 6 (Access and Correction).

The Commissioner also has a power of certification under the PDPA that enables him to certify that a specified act or practice of an organisation is consistent with an IPP, approved code of practice, or an information handling provision in another Act.

The Commissioner may only approve a PID or issue a certificate for an IUA, where he is satisfied that there is a substantial public interest in doing so.

Public Interest Determination (PID)

A PID is a written determination by the Commissioner that permits a public body to depart from an IPP (except IPP 4 - Data Security or IPP 6 - Access and Correction). In order to issue a PID, the Commissioner must be satisfied that the public interest in the departure from privacy substantially outweighs the public interest in complying.

Temporary Public Interest Determination (TPID)

A TPID is a PID (see above) that may be issued by the Commissioner in urgent circumstances. A TPID may last no more than 12 months.

Information Usage Arrangement (IUA)

A IUA is an arrangement that sets out acts or practices for handling personal information for public purposes where any of the acts or practices modify the application of an IPP (other than IPPs 4 and 6), provides that the act or practice doe not need to comply with a specified IPP (again, other than IPPs 4 and 6) and/or permits handling of personal information for the purposes of an information handling provision. An IUA may only be approved by relevant Ministers, provided the Commissioner has first approved the draft IUA.

In order to approve an IUA, the Commissioner must be satisfied that the public interest in the organisation handling personal information in the way specified in the IUA substantially outweighs the public interest in complying with the specified IPP or code.

Certification

Under the PDPA, the Commissioner has the power to certify that a specified act or practice of an organisation is consistent with an IPP, and approved code of practice, or an information handling provision of another Act.

Certification may be useful where an organisation is uncertain about the interpretation of an IPP, approved code of practice, or an information handling provision. An organisation acting in good faith in reliance on a current certificate issued under the PDPA will not be taken to be acting in breach of the elevant IPP, code or provision.

See Guidelines to Public Interest Determinations, Temporary Public Interest Determinations, Information Usage Arrangements and Certification for more information.