
Data breaches in New Zealand: You told what, to who?
18 Nov 2016

parry-field

In an increasingly online world we share and disclose more and more information online, and that information is held digitally. There are frequent examples in the news of leaks and data breaches. This article looks at the issue in detail and examines the legal requirements in this area. Understanding what to do when a data breach occurs is vital now that breaches are an increasingly common event.

So you’ve had a Data Breach. What are you legally required to do?

In New Zealand there is no legal obligation to notify affected individuals or other bodies about a data breach. Even so, there may be commercial and reputational reasons why you would want to take action right away in the event of a data breach. If you do not take immediate action you are likely to attract a large amount of criticism. By contrast, responding in a proactive way may transform the data breach from a disaster into a positive public relations story.

Privacy Commissioner view: The recommended position

There is no legal obligation to notify affected individuals or other bodies, but the Privacy Act 1993 does provide information privacy principles. Five of these principles require all agencies that hold personal information to take reasonable steps to protect that information. An individual could complain to the Privacy Commissioner about any information leak or other conduct which breaches any of the information privacy principles. Following the process outlined by the Office of the New Zealand Privacy Commission (below) may show that you have complied with these principles.

Organisations are encouraged by the Office of the New Zealand Privacy Commission to adhere to their Privacy Breach Checklist and guidance material.

The Checklist suggests four key steps in responding to a privacy breach:

It is important to note that while this is the current position, it will likely soon change and follow the lead of other jurisdictions. The Law Commission has made a number of recommendations in relation to updating the Privacy Act, including provisions making it mandatory to notify data breaches. It is likely that an exposure draft of the new Privacy Bill will be released before the end of 2016, prior to being introduced to Parliament in 2017. We will monitor this situation closely and provide updates from time to time as new information emerges.

John Edwards, Privacy Commissioner, has commented that he expects there to be a two-tiered system in the future which would mean an organisation would need to notify the Office of the New Zealand Privacy Commission once it becomes aware of a data breach. The Privacy Commissioner would then decide whether a general alert should go out to customers.

If you have any questions about this topic please contact us and we would be happy to discuss further.

 

For other articles see: http://www.parryfield.com/resources/articles/
