As cyberattacks continue apace, New Zealand IT leaders must come to grips with privacy laws that require their organisations to notify the Privacy Commission of data breaches in a timely manner.
Privacy Commissioner John Edwards says while the Privacy Act 2020 doesn’t specifically state the time frame between the breach taking place and notification, his office has determined it should be within three days, unless there are extenuating circumstances.
“There is still not much in the Privacy Act that can result in a prosecution. But one of them is failing to notify us of a serious breach as soon as reasonably practicable. So there has been a little bit of room for uncertainty there. The act doesn’t specify a time limit. What we’ve done is put our money down and said: ‘If you’re going to be longer than 72 hours, you better have a pretty good story about why that is, because that’s our expectation,’” he says.
Organisations mustn’t wait to notify the Privacy Commissioner of breaches
The Privacy Commission has outlined three examples of where organisations were warned about possible breaches of the Privacy Act. In two of those cases, the commission took issue with the amount of time it took to notify of the breach; in one case it was three months and in another it was two months.
On the latter case, the commission noted: “We advised the organisation it should have reported the breach to our office at the same time as it tried to rectify the breach. It was unnecessary to wait until all steps had been taken to resolve the matter before notifying us.”
Mandatory reporting, which can result in a fine of up to $10,000 if not adhered to, is one of just a couple of new obligations introduced under the new law. The second major change cited by Edwards is the information privacy principle that restricts the transfer of personal information overseas. He previously told CIO New Zealand that this new principle won’t affect cloud storage arrangements, but it might apply when organisations use third-party platforms that use the data for their own purposes, such as advertising.
“The big shift is that we have more levers now than just complaints. I’ve got a compliance and enforcement team. … Under the new act, I can actually go out and look for noncompliance and start issuing those noncompliance notices whether or not anybody’s experienced harm,” Edwards says.
Prosecution remains a multistep process, in that the Privacy Commissioner can’t prosecute for ordinary breaches under the act without first issuing a compliance order. As Edwards explains: “If an organisation was really stupid in its IT management and as a direct provable result becomes a victim of a ransomware attack, I still wouldn’t be able to prosecute. What I could do under the new act is serve a compliance notice saying: ‘Here’s what you need to fix’, and if they didn’t comply with that, then I could prosecute,” he says.
Privacy Office geared up to enforce compliance: What CIOs should consider
Since the new act came into law in December 2020, Edwards says his office has undergone a restructure to “be ready to make the most of the new legislative framework.” That means taking a more “proactive approach” to reminding organisations of their responsibilities and sharing examples on its website. When sharing the warnings publicly, the organisations have not been named, as Edwards says the commission’s “starting presumption for all that we do under the Privacy Act is that we’re bound by secrecy.”
The exception is when the commissioner believes that they need to publicise the data breach to inform consumers or promote compliance. “But we also want to create an environment where agencies are comfortable coming to us and are candid with us about what is going on. It won’t be a default position to identify organisations, but we will do so where necessary to enforce the act and warn consumers,” he says.
As for CIOs grappling with what changes they may need to make to ensure compliance, Edwards says understanding the reporting pathways in their organisations is a good start.
“They should know who should be receiving breach notifications and assessing them and what they can learn from them. They should be looking at the ransomware attacks we are seeing and saying: ‘Are we ready for these, what would happen if they happened to us? Do we do offsite backups, have we been patching, have we been reminding staff of the tactics that are used to create and exploit vulnerabilities?’” he says.
Consumer data right is on its way
Edwards had advocated for the establishment of a consumer data right (CDR) to be included in the Privacy Act, but this will be tackled separately. Following public consultation that attracted 59 submissions, Commerce and Consumer Affairs Minister David Clark has announced the government will look to introduce the relevant legislation in 2022.
Clark defines a CDR as a “mechanism that requires data holders, such as banks and electricity retailers, to safely and securely share data with third parties (like fintech companies) following consent from the customer. This means New Zealanders gain access to a wider range of products and services that better meet their needs.”
Development of a regulatory framework to enable the CDR will be carried out alongside the Digital Trust Framework, announced earlier in 2021. The CDR will also be rolled out on a sector-by-sector basis and will be closely aligned with the Australian CDR model introduced in 2019.
In Australia, the banking and energy sectors were the first to be designated under the CDR legislation, and IT leaders in those sectors in New Zealand will be watching developments closely, as well as preparing for the new legislation here. Bank of New Zealand executive general manager for technology and operations Russell Jones previously told CIO New Zealand that the bank would “lean very heavily” on the experience of its parent company National Australia Bank (NAB) in implementing a CDR locally.