Actions we've taken

Openness, transparency and accountability are important in all aspects of legal and regulatory action.

Our Strategic Plan sets out our regulatory focus:

We believe that we can be an effective regulator by ensuring we take action in four areas in relation to data harms:

  1. Predict

    Intelligence gathered from our 'detect' and 'enforce' helps us predict where the potential for harm is.

  2. Prevent

    Knowing where there is potential for harm allows us to raise awareness and empower citizens to try to prevent harms from happening. We do this awareness-raising via

  3. Detect

    When data harms have occurred we must have effective mechanisms for individuals affected to make a formal complaint about an organisation, and we must have a mechanism that allows controllers/processors to report a data breach to us.

  4. Enforce

    Enforcement action is the last resort, and cannot undo the harm that has occurred. Where we find that an organisation has not complied with their statutory obligations, our findings will be made public here on this page* as this allows other organisations to learn from what went wrong.

    * unless to do so would cause further harm to the complainants