Law change clamps down on data breaches


Privacy Commissioner John Edwards wants the power to fine individuals guilty of data breaches $100,000, and the organisations they work for up to $1 million.

Mr Edwards asked the Government for mandatory reporting of data breaches after a massive hack of Yahoo email addresses in 2016 which affected users of Spark’s xtra email service.

Mr Edwards told Reseller News he expected changes to the Privacy Act being drafted by the Ministry of Justice to make data breach notifications mandatory in New Zealand.

Although Mr Edwards did not know whether the ministry was planning to include a power for the Privacy Commissioner to seek civil penalties in cases of “egregious or significant breaches of the Act”, it is more likely than not.

Whether or not the commissioner gets the power to throw the book at individuals or the businesses they work for, one thing is certain.

New Zealand is about to catch up with the rest of the developed world when it comes to data breaches. Whether accidental or deliberate, all data breaches will need to be reported to the Privacy Commissioner. It will be up to the commissioner whether to take any action after the reporting of a breach.

With the proposed change in the law it will become incumbent on any businesses throughout Waikato, and New Zealand, to ensure they handle data about workers and customers correctly. The law will apply to every business, no matter their size, even sole traders with a single computer and a customer database of half a dozen.

Some businesses have a chief privacy officer. If the concept is new to you, your business should investigate hiring one.

Chief privacy officers develop and implement privacy policies that keep employee and customer data safe from prying eyes. A privacy policy details how data is gathered and stored.

It also includes procedures that ensure privacy laws are met. Chief privacy officers are required to stay informed of changes in the privacy laws, and to keep staff and customers informed about how those changes affect them.

In the unlikely event of your business being involved in a data breach, having no chief privacy officer will not wash with the Privacy Commissioner. If you don’t have the resources to hire someone to do this job full time, consider getting some external advice or assigning the job to a member of your leadership team. It’s always better to be prepared and have a plan if it all goes wrong than to be left uncertain of what to do.


About Author

David Hallett

David Hallett is a director of Hamilton software specialist Company-X.