What CIOs must know about the NZ Privacy Act in practice

The Privacy Commission has clarified expectations on the 2020 law’s enforcement, and in a separate move the Government is preparing to bring a consumer data right (CDR) to New Zealand.


As cyberattacks continue apace, New Zealand IT leaders must come to grips with privacy laws that require their organisations to notify the Privacy Commission of data breaches in a timely manner.

Privacy Commissioner John Edwards says while the Privacy Act 2020 doesn’t specifically state the time frame between the breach taking place and notification, his office has determined it should be within three days, unless there are extenuating circumstances.

“There is still not much in the Privacy Act that can result in a prosecution. But one of them is failing to notify us of a serious breach as soon as reasonably practicable. So there has been a little bit of room for uncertainty there. The act doesn’t specify a time limit. What we’ve done is put our money down and said: ‘If you’re going to be longer than 72 hours, you better have a pretty good story about why that is, because that’s our expectation,’” he says.

Organisations mustn’t wait to notify the Privacy Commissioner of breaches

The Privacy Commission has outlined three examples of organisations that were warned about possible breaches of the Privacy Act. In two of those cases, the commission took issue with how long the organisation took to notify it of the breach: three months in one case and two months in the other.
