Mandatory reporting of privacy breaches incoming

Almost daily, new privacy breaches are revealed. Property valuer, Landmark White, recently reported its valuation dataset had been compromised. Hundreds of thousands of valuation and individual records were available on the dark web for ten days in late January 2019. No-one knows how many times the dataset was accessed during the ten-day period. New Zealand’s antiquated Privacy Act 1993 is not set up to deal with privacy breaches of this type. The world has of course changed considerably since 1993.

The Law Commission recommended updating New Zealand’s privacy legislation in 2011. A mere seven years later, Andrew Little introduced a new Privacy Bill on 20 March 2018. The Bill makes a range of changes to the old legislation, with the stated objective of promoting people’s confidence that their personal information is secure and will be treated properly. The changes proposed by the Bill will impact on any organisation or business that holds personal information about clients or customers.

While the Bill is still not in final form, one massive change is a proposal to have mandatory reporting of privacy breaches by organisations that hold identifiable personal information. Mandatory reporting is common overseas, with Australia adopting the process early last year. Such a requirement would create the need for processes and policies to be put in place to quickly identify and report breaches to the relevant parties, in order to avoid fines.

It is proposed that privacy breaches (unauthorised or accidental access to, or disclosure of, personal information) that pose a risk of harm to people would require notification to the Privacy Commissioner, and to affected individuals. A public notification would be required if it would not be practical to contact the affected individuals or each group of affected individuals.

All organisations that hold identifiable personal information will need to pay attention to the threshold requirements for a ‘notifiable privacy breach’, should the Bill become law. A breach is deemed to qualify as “notifiable” if it meets two thresholds:

  1. The action breaches an Information Privacy Principle, or provisions of an approved information sharing agreement, or breaches the requirement to notify an individual or the wider public; and

  2. The action:

     a. Has caused, or may cause, loss, detriment, damage or injury to the individual; or

     b. Has adversely affected, or may adversely affect, the rights, benefits, privileges, obligations or interests of the individual; or

     c. Has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.

The inclusion of ‘may’ creates a far broader range of circumstances in which an agency must report a breach. Thus, an organisation has to consider not just what has happened, but also what ‘may’ happen. In practical terms, this is often likely to be a difficult exercise.

One concern is that if this Bill is passed, then the demands on the Office of the Privacy Commissioner will substantially increase. A submission by the Insurance Council of New Zealand pointed out that when a similar law was instituted in Australia, the equivalent body to the Privacy Commissioner received 63 notifications in the first weeks of the Australian scheme’s implementation.

While mandatory reporting of privacy breaches is at the heart of the Bill, other important changes to note include:

  1. Compliance notices: The Privacy Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law. The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals.

  2. Strengthening cross-border data flow protections: New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas service provider.

  3. New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it. The penalty is a fine not exceeding $10,000.

  4. Commissioner making binding decisions on access requests: This reform will enable the Privacy Commissioner to make decisions on complaints relating to access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions will be able to be appealed to the Tribunal.

  5. Strengthening the Privacy Commissioner’s information gathering power: The Commissioner’s existing investigation power is strengthened by allowing him or her to shorten the time frame within which an agency must comply, and also increasing the penalty for non-compliance to $10,000.

A fine not exceeding $10,000 is a very small amount compared to many overseas jurisdictions. Further, the Privacy Commissioner has pushed for civil remedies to be made available, to be more in line with the Australian approach. The maximum fine may well increase after the Select Committee reports back on the Bill.

The Select Committee’s Report is due to be released on 13 March 2019. We will update this In Brief article following the release of that Report.

Comment from Craig Langstone

“Cyber security will take on a whole new importance for organisations if mandatory privacy/data breach notification becomes the law in New Zealand,” says partner Craig Langstone. “The Australian experience is likely to be a good guide as to what will happen in New Zealand, should the proposal become law, and in Australia there has been a massive increase in the work around data breaches and how best to handle a breach.”

Craig Langstone is a Partner at Fee Langstone