Bill takes aim at privacy breaches
Derek Cheng
politics
Companies will have to report every harmful privacy breach, regardless of whether it is due to negligence or a cyber attack, under a new Government bill to protect people’s private data.
But the Privacy Bill gives the Privacy Commissioner no power to penalise companies that do report such breaches, omitting Commissioner John Edwards’ request last year for the ability to fine individuals up to $100,000, and firms up to $1 million.
“Rogue agencies will continue to thumb their nose at the regulation, meaning responsible organisations will disproportionately bear the cost of compliance, while cowboys will ignore their obligations,” he said.
The bill, introduced to Parliament this week, aims to modernise privacy law and give the commissioner teeth.
The commissioner currently helps parties to settle disputes, but has no power to issue fines for breaches. Nor is there any requirement on companies to notify breaches.
The bill would create new offences and make it mandatory for companies to report harmful privacy breaches. Failure to do so could result in a fine of up to $10,000.
Justice Minister Andrew Little said it was a significant step forward in protecting people’s privacy.
“If an organisation has a breach of privacy and doesn’t report to the Privacy Commissioner and it later becomes apparent, then they are going to be in big trouble.”
Little said the bill, which he expected to be improved at select committee, meant a $10,000 fine for failure to report harmful breaches could hypothetically add up to $1m, if a breach affected 100 people.
“Even accidental privacy breaches in this day and age usually entail a whole lot of people at the same time. Each one of those constitutes a privacy breach. Arguably, you could level a penalty on each one of them.”
But Edwards said that would only apply if the company failed to report the breaches. In that case Edwards would have no power to penalise it, except to issue a compliance order — with a maximum fine of $10,000 — to fix the problem.
“There is no consequence if a company loses 1000 records of 1000 individuals and 500 of those suffer harm, as long as they tell me . . . They stuffed it up, somebody was harmed, but there is no consequence.”
Edwards said he would lobby Parliament for the bill to include the ability to fine individuals up to $100,000 and organisations up to $1m, which would align New Zealand law with that in Australia, America, and one on the way in Europe.
Other new offences include pretending to be an individual to access that person’s information, and destroying any document containing personal information where that person has sought access to it.
Little said the Government was open to suggested improvements at the select committee stage.
The bill is expected to pass this year.