NZ govt proposes mandatory data breach reporting

A proposed overhaul of privacy legislation in New Zealand would force organisations to report instances of a data breach or face fines of up to NZ$10,000 (A$9150).

The changes to the NZ Privacy Act were announced by Justice Minister Judith Collins today. Collins said the proposed legislation was based on the Law Commission's 2011 recommendation to update the existing 1993 law to account for changes in technology.

The changes to the Act would mean the onus is on information holders to identify and address risks before they occur.

“Large amounts of personal information are now stored online and transmitted digitally – this has benefits, but also poses potential risks. It’s now possible for huge amounts of data to be released in a single privacy breach, potentially affecting large numbers of people,” Collins said.

Notifications would also be required in cases where someone impersonates an individual in order to obtain personal information, again backed by fines of up to NZ$10,000.

The New Zealand Privacy Commissioner's office would be given more teeth to enforce the new law, including a five-fold increase in fines to NZ$10,000 for obstruction and the ability to issue compliance orders.

Businesses and organisations would be offered guidance by the Privacy Commissioner's Office on how to comply with the new law, including advice on best practice and responsibilities on storing data overseas. The Office recently received a $7 million (A$6.4 million) budget boost for the next four years.

Consultation on the technical details of the proposal will be conducted by the government before the bill is brought before Parliament, Collins said.

The NZ Council for Civil Liberties, a digital rights lobby group, issued a cautious welcome to the proposal, expressing support for the strengthening of the Privacy Commissioner's powers.

But Thomas Beagle of the NZCCL expressed concern that the changes to the Privacy Act could go beyond what's indicated and rewrite the principles to make data sharing easier for business and government, without receiving explicit permission from the people that the information is about.

An attempt to modify the Australian Privacy Act with provisions outlining serious data breaches and a requirement to notify, as well as secure, information prior to compromises on pain of hefty fines failed to be heard in the Senate ahead of the federal election last year.

The bill was however reintroduced in identical form in the Senate in March this year by Tasmanian Labor Senator Lisa Singh, and has the support of the Greens, although it is unclear if the Coalition Government supports the proposed law changes.