Draft Amendments Reform DPO Functions
The Ministry of Economy published - on 16 October 2013 - draft amendments to the Data Protection Act 1997 (the Act). The amendments offer a simplified registration procedure if an organisation appoints an Administrator of Information Security, which is similar to a Data Protection Officer (DPO). However, organisations choosing to appoint a DPO will be subject to a 'significant extension of obligations.' Under the current law, while appointing a DPO is optional, notifying the GIODO of all data filing systems containing personal data and registering all data filing systems containing sensitive personal data with the GIODO is mandatory. Under the proposed amendments, controllers who choose to appoint a DPO only have to keep an internal, publicly available, record of data filing systems containing personal data. They must still register any systems containing sensitive personal data. It seems that the draft may in practice introduce additional burdens for companies, which decide to appoint a DPO. The draft amendments also introduce several new obligations for data controllers concerning DPOs. Public consultations on the amendment are expected to begin on 12 November 2013.