NZ govt proposes mandatory data breach reporting

 

Privacy Commissioner could get bite added to bark.

A proposed overhaul of privacy legislation in New Zealand would force organisations to report instances of a data breach or face fines of up to NZ$10,000 (A$9150).

The changes to the NZ Privacy Act were announced by Justice Minister Judith Collins today. Collins said the proposed legislation was based on the Law Commission's 2011 recommendation to update the existing 1993 law to account for changes in technology.

The changes to the Act would mean the onus is on information holders to identify and address risks before they occur.

“Large amounts of personal information are now stored online and transmitted digitally – this has benefits, but also poses potential risks. It’s now possible for huge amounts of data to be released in a single privacy breach, potentially affecting large numbers of people,” Collins said.

Notifications would also be required in cases where someone impersonates an individual in order to obtain personal information, again backed by fines of up to NZ$10,000.

The New Zealand Privacy Commissioner's office would be given more teeth to enforce the new law, including a five-fold increase in fines to NZ$10,000 for obstruction and the ability to issue compliance orders.

Businesses and organisations would be offered guidance by the Privacy Commissioner's Office on how to comply with the new law, including advice on best practice and responsibilities on storing data overseas. The Office recently received a $7 million (A$6.4 million) budget boost for the next four years.

Consultation on the technical details of the proposal will be conducted by the government before the bill is brought before Parliament, Collins said.

The NZ Council for Civil Liberties, a digital rights lobby group, issued a cautious welcome to the proposal, expressing support for the strengthening of the Privacy Commissioner's powers.

But Thomas Beagle of the NZCCL expressed concern that the changes to the Privacy Act could go beyond what's indicated and rewrite the principles to make data sharing easier for business and government, without receiving explicit permission from the people that the information is about.

An attempt to modify the Australian Privacy Act with provisions outlining serious data breaches and a requirement to notify, as well as secure, information prior to compromises on pain of hefty fines failed to be heard in the Senate ahead of the federal election last year.

The bill was however reintroduced in identical form in the Senate in March this year by Tasmanian Labor Senator Lisa Singh, and has the support of the Greens, although it is unclear if the Coalition Government supports the proposed law changes.

Copyright © iTnews.com.au . All rights reserved.


NZ govt proposes mandatory data breach reporting
 
 
 
Top Stories
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
A call for timely reporting
[Blog post] Businesses need incentives to keep customer data secure.
 
Doubts cast on Queensland's ICT Dashboard
Opposition, former Govt CIO say it can't be trusted.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  25%
 
Application integration concerns
  3%
 
Security and compliance concerns
  29%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  5%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 819

Vote