Privacy Commissioner John Edwards expects data breach notification to become mandatory in New Zealand as part of changes to the Privacy Act now being drafted by the Ministry of Justice.
"Government has already agreed to bring our law up to speed with many of our comparative jurisdictions," Edwards said. "It's now well overdue that we have this measure."
Less certain is a system of civil penalties for more blatant breaches, something Edwards has also recommended.
Edwards has warned the new government that the country's competitive trade advantage with Europe is at risk because current privacy laws have fallen behind international standards, and that further reforms are therefore urgently required.
The Privacy Act was passed in 1993 and a Law Commission review recommended a number of changes in 2011.
Many of those recommendations, including mandatory reporting, were accepted by the previous government.
In the wake of a huge 2016 hack of Yahoo email accounts, a service then used by Spark locally, Edwards again pushed the case for mandatory reporting.
The Law Commission report did not recommend civil fines, Edwards said. However, in December 2016 he made a report to government recommending that the Privacy Commissioner should have the power to seek civil penalties in cases of "egregious or significant breaches of the Act."
Edwards recommended fines of up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate.
The commissioner never received a formal response to that recommendation from the previous government and does not know whether or not the new government will respond to it in the current draft bill.
In his October briefing to incoming Minister of Justice Andrew Little, Edwards said the new bill including mandatory reporting of serious data breaches was needed "to bring New Zealand into line with international best practice".
"At the June 2016 OECD Ministerial Meeting in Cancun, participating ministers declared the importance of building and strengthening trust in order to maximise the benefits of the digital economy," Edwards said.
"The declaration included a commitment to promote a general policy of accountability and transparency. Those ministers recognised that trust, privacy and transparency are essential elements of civic and digital engagement."
Edwards said his report, made to the previous minister in 2016 and presented to Parliament in January 2017, recommended that, in addition to the earlier reforms announced, the government should consider empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate).
The government should also examine protection against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised, alongside introducing data portability as a consumer right.
Furthermore, Edwards recommended a power to require an agency to demonstrate its ongoing compliance with the Act, while narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner.
Finally, Edwards also suggested reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.
The Privacy Commission currently only receives voluntary data breach notifications. In its latest activity report to the minister, the commission said it received 50 such notifications during the most recent quarter, well ahead of the 34 projected for the full year.
Australia's mandatory data breach notification regime takes effect on 23 February 2018.