Privacy Commissioner’s Annual Report 2012 – The Year of the Data Breach
28 November 2012
“This year has been marked for us by major public sector data breaches. Notable were the ACC spreadsheet breach in March and MSD kiosk breach in October. These losses of data have highlighted the urgent need for far better security and respect by government agencies for New Zealanders’ personal information,” said Privacy Commissioner Marie Shroff when she released her Annual Report today.
“The public sector can’t afford to be complacent. It’s quite clear that agencies holding large amounts of personal information need to place greater value on that information asset. They need to develop strong leadership and a culture of respect for privacy, as well as day to day policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation. There has been far too little focus on the fact that there are real people behind the masses of information that government agencies hold,” said Ms Shroff.
“A recent TV One Colmar Brunton poll showed that 60% of New Zealanders don’t trust government departments to protect their personal details. The public sector runs on trust – it’s the fuel in the government engine. Recent events threaten that in a very real way,” said Ms Shroff.
“Our own 2012 UMR privacy survey showed general concern about privacy has risen sharply in the last decade. 88% of respondents said they wanted business punished if they misused personal information, and 97% said I should have the power to order a company to stop breaching the Privacy Act.”
“Data breach notification isn’t currently required by law, but the Law Commission recently recommended that it should be made compulsory where breaches put people at risk. That would bring New Zealand law into line with practice overseas,” said Ms Shroff.
The ACC breach generated an extra inflow of complaints this year, and the Office received 173 complaints about ACC. Overall, 1,142 complaints were received, an increase on 968 complaints received in the 2010/11 year.
EU ticks NZ’s privacy law
New Zealand’s privacy law finally received the tick from the EU that indicates it meets international best practice. The process was a long one. Its first key step was a working party opinion indicating that our law ensures an adequate level of data protection consistent with European requirements. While final authorisations are to come, we expect shortly to have a formal legal determination from the European Commission that New Zealand is a safe destination for European companies to send personal data for processing. The finding will assist cross-border trade and will open doors for New Zealand businesses operating in Europe.
Credit reporting code
Amendment 7 to the Credit Reporting Code, permitting more comprehensive credit reporting, came into effect in April 2012.
The amendments represent a fundamental shift in credit reporting in New Zealand. The new system will, for the first time, allow credit reporters to collect records on the actual amounts of credit extended to individuals. Lenders will upload information, on a monthly basis, showing whether or not individuals have met their monthly credit repayments.
The new system will amass much larger collections of detailed and sensitive financial information on New Zealanders. The Code changes have introduced special measures to ensure a high level of compliance and to provide protections to individuals. Annual assurance reports to the Privacy Commissioner will be required. A new provision for ‘credit freezes’ was introduced for individuals who are at special risk of identity fraud.
Privacy Law Reforms
The Privacy (Information Sharing) Bill received its first reading in February 2012 and the select committee reported back in June 2012. The Bill proposes to allow information sharing agreements within the public sector and also between public and private sectors. We have voiced our support of the safeguards that have been placed in the bill.
The Information Sharing Bill forms only one part of the Law Commission’s recommendations for privacy law change detailed in its comprehensive Review of Privacy (http://www.lawcom.govt.nz/project/review-privacy). The Commission’s final report was released in August 2011.
In March 2012, the Government provided a short response to the other privacy law recommendations made by the Law Commission. The principles-based approach of the Privacy Act will be retained, and the recommendation that there be a new Privacy Act has been accepted. A more detailed Government response is still to come that will provide details of which Law Commission recommendations have been
UMR public opinion survey
We released the results of our latest UMR public opinion survey in May. General concern about privacy has risen sharply in the last decade (up to 67%, from 47% in 2001). More specifically, the public expects businesses and government agencies to be held accountable for privacy breaches. The digital environment is driving many of these concerns.