Data breach notification expected to become mandatory in NZ

Privacy Commissioner says while notification is included in a draft bill, his recommended penalty regime is less certain

Privacy Commissioner John Edwards is advising newly-minted Justice Minister Andrew Little that compulsory data breach notification is required urgently. Photo: Privacy Commission.

Privacy Commissioner John Edwards expects data breach notification to become mandatory in New Zealand as part of changes to the Privacy Act now being drafted by the Ministry of Justice.

"Government has already agreed to bring our law up to speed with many of our comparative jurisdictions," Edwards said. "It's now well overdue that we have this measure."

Less certain is a system of civil penalties for more blatant breaches, something Edwards has also recommended.

Edwards has warned the new government that the country's competitive trade advantage with Europe is at risk because current privacy laws have fallen behind international standards. As a result, further reforms were now required urgently.

The Privacy Act was passed in 1993 and a Law Commission review recommended a number of changes in 2011.

Many of those recommendations, including mandatory reporting, were accepted by the previous government.

In the wake of a huge 2016 hack of Yahoo email accounts, a service then used by Spark locally, Edwards again pushed the case for mandatory reporting.

The Law Commission report did not recommend civil fines, Edwards said. However, in December 2016 he made a report to government recommending that the Privacy Commissioner should have the power to seek civil penalties in cases of "egregious or significant breaches of the Act."

Edwards recommended fines of up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate.

The commissioner never received a formal response to that recommendation from the previous government and does not know whether or not the new government will respond to it in the current draft bill.

In his October briefing to incoming Minister of Justice Andrew Little, Edwards said the new bill including mandatory reporting of serious data breaches was needed "to bring New Zealand into line with international best practice".

"At the June 2016 OECD Ministerial Meeting in Cancun, participating ministers declared the importance of building and strengthening trust in order to maximise the benefits of the digital economy," Edwards said.

"The declaration included a commitment to promote a general policy of accountability and transparency. Those ministers recognised that trust, privacy and transparency are essential elements of civic and digital engagement."

Edwards said his report, made to the previous minister in 2016 and presented to Parliament in January 2017, recommended that, in addition to the earlier reforms announced, the government should consider empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate).

In addition, the government should also examine protection against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised, alongside introducing data portability as a consumer right.

Furthermore, Edwards recommended a power to require an agency to demonstrate its ongoing compliance with the Act, while narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner.

Finally, Edwards also suggested reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.

The Privacy Commission currently only receives voluntary data breach notifications. In its latest activity report to the minister, the commission said it received 50 such notifications during the most recent quarter, well ahead of the 34 projected for the full year.

Australia's mandatory data breach notification regime takes effect on 23 February, 2018.

