Data breach notification expected to become mandatory in NZ

Privacy Commissioner says while notification is included in a draft bill, his recommended penalty regime is less certain

Privacy Commissioner John Edwards is advising newly-minted Justice Minister Andrew Little that compulsory data breach notification is required urgently. Photo: Privacy Commission.

Privacy Commissioner John Edwards expects data breach notification to become mandatory in New Zealand as part of changes to the Privacy Act now being drafted by the Ministry of Justice.

"Government has already agreed to bring our law up to speed with many of our comparative jurisdictions," Edwards said. "It's now well overdue that we have this measure."

Less certain is a system of civil penalties for more blatant breaches, something Edwards has also recommended.

Edwards has warned the new government that the country's competitive trade advantage with Europe is at risk because current privacy laws have fallen behind international standards. As a result, further reforms were now required urgently.

The Privacy Act was passed in 1993 and a Law Commission review recommended a number of changes in 2011.

Many of those recommendations, including mandatory reporting, were accepted by the previous government.

In the wake of a huge 2016 hack of Yahoo email accounts, a service then used by Spark locally, Edwards again pushed the case for mandatory reporting.

The Law Commission report did not recommend civil fines, Edwards said. However, in December 2016 he made a report to government recommending that the Privacy Commissioner should have the power to seek civil penalties in cases of "egregious or significant breaches of the Act."

Edwards recommended fines of up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate.

The commissioner never received a formal response to that recommendation from the previous government and does not know whether or not the new government will respond to it in the current draft bill.

In his October briefing to incoming Minister of Justice Andrew Little, Edwards said the new bill including mandatory reporting of serious data breaches was needed "to bring New Zealand into line with international best practice".

"At the June 2016 OECD Ministerial Meeting in Cancun, participating ministers declared the importance of building and strengthening trust in order to maximise the benefits of the digital economy," Edwards said.

"The declaration included a commitment to promote a general policy of accountability and transparency. Those ministers recognised that trust, privacy and transparency are essential elements of civic and digital engagement."

Edwards said his report, made to the previous minister in 2016 and presented to Parliament in January 2017, recommended that, in addition to the earlier reforms announced, the government should consider empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate).

In addition, the government should examine protection against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised, alongside introducing data portability as a consumer right.

Furthermore, Edwards recommended a power to require an agency to demonstrate its ongoing compliance with the Act, while narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner.

Finally, Edwards also suggested reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.

The Privacy Commission currently only receives voluntary data breach notifications. In its latest activity report to the minister, the commission said it received 50 such notifications during the most recent quarter, well ahead of the 34 projected for the full year.

Australia's mandatory data breach notification regime takes effect on 23 February, 2018.

