Proposed Changes to New Zealand's Privacy Act

A new bill to repeal and replace the 1993 Privacy Act of New Zealand is awaiting approval. If the changes are accepted, the bill would mandate that public and private sector agencies notify affected individuals and the Privacy Commissioner when they experience a data breach that poses a risk of harm, according to Stuff.

First introduced on 20 March 2018, the bill is currently in select committee. According to Parliament, “Its key purpose is to promote people’s confidence that their personal information is secure and will be treated properly.”

Australia made similar changes to its privacy regulations, which went into effect in February 2018. In the months that followed, the country was the target of some high-profile breaches, most notably the takedown of PageUp, the Australian-based company that powers jobs and recruitment sites for companies around the world, in which information was potentially compromised after the company experienced a breach.

While New Zealand was impacted by the breach, it does not have the same mandatory data breach notification regulations.

The 2018 first quarter CERT NZ report showed for the first time “more than 500 incidents were reported in the quarter, and we have introduced new age data. Looking at the 180 reports about individuals that provided date of birth, all age ranges were affected. Overall financial loss continues to be high, with nearly $3m of losses reported. This is more than half the total losses reported to CERT NZ in 2017.”

By providing a framework for protecting an individual’s right to privacy of personal information, the bill aims to establish an internationally recognized standard for privacy obligations, which includes the Organisation for Economic Co-operation and Development (OECD) Guidelines and the International Covenant on Civil and Political Rights.

The proposed Privacy Bill would allow for two types of complaints to be filed by an aggrieved individual or their representative. The first is a complaint alleging that an action of an agency has interfered with the privacy of an individual. The second is a public register complaint.
