Currently, if an organisation in New Zealand suffers a data breach affecting personal information, it is not legally obliged to alert people who have been affected or notify the Privacy Commissioner.
However, the new Privacy Bill could change this.
Why has the Bill been introduced?
The Privacy Bill was introduced in March and is currently in select committee. If approved, it will come into force on 1 July 2019, repealing and replacing the Privacy Act 1993.
The New Zealand Parliament says the Bill’s key purpose is “to promote people’s confidence that their personal information is secure and will be treated properly”.
It aims to reflect new technologies and how these have changed the way personal information is used.
The proposed changes will better align New Zealand’s privacy law with international developments, such as the EU GDPR (General Data Protection Regulation), which came into force in May 2018.
Key changes proposed
One of the main changes proposed in the Privacy Bill is a mandatory data breach notification that, if approved, would require both public- and private-sector agencies to notify affected individuals and the Privacy Commissioner when they suffer a data breach.
Failure to do so could result in fines of up to $10,000.
If approved, the Privacy Bill would also allow an aggrieved person or their representative to file two types of complaint:
- A complaint alleging that an action of an agency has interfered with the privacy of an individual.
- A public register complaint.
If passed, the Bill will allow the Privacy Commissioner to “issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law”.
How to prevent a data breach
Given this proposed change, organisations should focus their efforts on preventing data breaches in the first place.
ISO 27001 is the international standard that describes best practice for an ISMS (information security management system).
The Standard provides a proven framework that helps organisations protect their information with a combination of effective technology, auditing and testing, organisational policies and processes, and staff awareness programmes.
Kiwi organisations can be better prepared for a cyber attack by implementing an ISO 27001-compliant ISMS.
Learn about ISO 27001 best practice and how to achieve compliance
IT Governance’s ISO27001 Certified ISMS Foundation (Distance Learning) training course provides a complete introduction to the key elements required to achieve compliance with the Standard.
Delivered by ISO 27001 experts, this recorded training session is built on the foundations of our practical experience helping companies achieve ISO 27001 certification.
It is an ideal training option for organisations based in New Zealand, and across the Asia-Pacific region, as participants can study at their own pace and take the first steps towards a career in ISO 27001.