Data breach notification expected to become mandatory in NZ

Privacy Commissioner says while notification is included in a draft bill, his recommended penalty regime is less certain

Privacy Commissioner John Edwards is advising newly-minted Justice Minister Andrew Little that compulsory data breach notification is required urgently. Photo: Privacy Commission.

Privacy Commissioner John Edwards expects data breach notification to become mandatory in New Zealand as part of changes to the Privacy Act now being drafted by the Ministry of Justice.

"Government has already agreed to bring our law up to speed with many of our comparative jurisdictions," Edwards said. "It's now well overdue that we have this measure."

Less certain is a system of civil penalties for more blatant breaches, something Edwards has also recommended.

Edwards has warned the new government that the country's competitive trade advantage with Europe is at risk because current privacy laws have fallen behind international standards. As a result, he says, further reforms are now required urgently.

The Privacy Act was passed in 1993 and a Law Commission review recommended a number of changes in 2011.

Many of those recommendations, including mandatory reporting, were accepted by the previous government.

In the wake of the huge Yahoo email account breach disclosed in 2016, a service then used by Spark locally, Edwards again pushed the case for mandatory reporting.

The Law Commission report did not recommend civil fines, Edwards said. However, in December 2016 he made a report to government recommending that the Privacy Commissioner should have the power to seek civil penalties in cases of "egregious or significant breaches of the Act."

Edwards recommended fines of up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate.

The commissioner never received a formal response to that recommendation from the previous government and does not know whether or not the new government will respond to it in the current draft bill.

In his October briefing to incoming Minister of Justice Andrew Little, Edwards said the new bill including mandatory reporting of serious data breaches was needed "to bring New Zealand into line with international best practice".

"At the June 2016 OECD Ministerial Meeting in Cancun, participating ministers declared the importance of building and strengthening trust in order to maximise the benefits of the digital economy," Edwards said.

"The declaration included a commitment to promote a general policy of accountability and transparency. Those ministers recognised that trust, privacy and transparency are essential elements of civic and digital engagement."

Edwards said his report, made to the previous minister in 2016 and presented to Parliament in January 2017, recommended that, in addition to the earlier reforms announced, the government should consider empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate).

In addition, the government should examine protection against the risk that individuals can be unexpectedly re-identified from data that had been purportedly anonymised, alongside introducing data portability as a consumer right.

Furthermore, Edwards recommended a power to require an agency to demonstrate its ongoing compliance with the Act, while narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner.

Finally, Edwards also suggested reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.

The Privacy Commission currently receives only voluntary data breach notifications. In its latest activity report to the minister, the commission said it received 50 such notifications during the most recent quarter alone, well ahead of the 34 it had projected for the full year.

Australia's mandatory data breach notification regime takes effect on 23 February, 2018.
