Many of us are not afraid of entrusting private companies with our personal information in exchange for free services over the internet. The rise of social media and data-driven giants such as Facebook and Google, whose users are quite happy to share their information for companies to hold, store and sometimes even use, has contributed to this indifference. When we do hand over our information, though, we expect companies to protect and safeguard our data from leaks and unwanted use by other parties, and even more so if the information is sensitive. This expectation is inscribed in the Privacy Act 1993 in New Zealand, which requires organisations or persons that hold personal information to have reasonable security safeguards against such misuse or unauthorised disclosure.

Another expectation we have of such companies is that they notify us when an unauthorised or accidental disclosure of our personal information happens, i.e. via a “data breach notification”. In New Zealand, data breach notifications are currently voluntary (though strongly encouraged as ‘good practice’). But this is likely to change in the near future. The government has been talking about implementing significant changes to New Zealand’s Privacy Act since around 2012, and one of these changes will most likely be new mandatory notification obligations for data breaches, which according to previous government proposals may involve a two-tier notification regime:

  • Where breaches are “material”, entities would be required to notify the Privacy Commissioner as soon as reasonably practicable.
  • More serious breaches where "there is a real risk of harm" (such as actual or potential loss, injury, significant humiliation or adverse effects on rights or benefits) would require notification to the Privacy Commissioner and to affected individuals.

It will be up to the agency that holds the information to determine whether a data breach meets the thresholds for mandatory reporting. Failing to notify the Commissioner of a breach would be a criminal offence, and private entities would be liable for a fine of up to $10,000. Of course, agencies may also be liable for the breach itself (i.e. breach of principle 5 – the requirement to keep information secure) or of principle 11 (limits on disclosure of information). The Office of the Privacy Commissioner expects the change to occur next year. For now, organisations aware of data breaches can refer to the Office’s online Data Safety Toolkit.