As the risk of data breaches increases, regulators are tightening compliance requirements to ensure technology users can trust service providers with their data.
Kensington Swan commercial and technology partner Hayley Miller shares her views on the legal data privacy and compliance landscape in New Zealand and what companies can do to prepare for what's coming.
Miller will also be presenting on the topic at the IT Architecture Forum in September.
What are some of the legislative and case law changes to be aware of at the moment?
The Privacy Act 1993 (Privacy Act) is currently the primary legislation for data privacy protection in New Zealand.
It is principles-based, so it has stood up pretty well to the last 25 years of technological change.
However, it is now out of step with many other jurisdictions' approach to personal information.
It is the subject of a proposed repeal and replacement by a new Privacy Bill currently before Parliament.
Among the changes being put forward are the express inclusion of overseas agencies within the reach of the Bill, the introduction of a mandatory data breach reporting regime, and a provision requiring agencies that want to disclose personal information outside of New Zealand to satisfy specific criteria.
There will be a number of new criminal offences.
For example, it will be an offence (with a fine not exceeding $10,000) to mislead an agency in a manner that will affect another person's information and to knowingly destroy documents containing personal information where a request has been made for it.
Agencies who fail to report breaches to the Commissioner under the new mandatory reporting regime will be liable for fines of up to $10,000.
Additionally, the Bill clarifies that if a cloud service provider is not using or disclosing a customer's information for its own purposes, that information will be treated as being held by the customer.
As a consequence, it will be the cloud service provider's customer who will be liable for any privacy breaches by the cloud service provider. (This was the generally accepted position anyway).
What are the trends driving the introduction of these law changes?
Because we live in a global digital economy, privacy regulation in New Zealand takes its cues from regulation in other jurisdictions - in particular, the GDPR.
Even though NZ privacy law doesn't go anywhere near as far as the European General Data Protection Regulation (GDPR), consumer expectations and the global privacy environment are changing thanks to the publicity the GDPR is bringing to the privacy landscape.
Consumers are becoming more aware of where and to whom their personal information is being disclosed and how it's being collected, and have elevated their expectations of how transparent they expect businesses to be when it comes to the use of their online footprint.
Cyber-crime and technology have become more sophisticated, bringing with them many security challenges and opportunities.
Data breaches are increasingly common and the potential consequences to an individual are not immaterial.
Large economies are looking to align their regulation to facilitate cross-border trade and act ‘in concert’ to temper the power of multinational technology companies that risk becoming laws unto themselves due to their ability to infiltrate every home or phone connected to the internet.
The fines under GDPR are also substantial, an indication of how seriously data protection is being taken by regulators.
How will these affect current IT system design and development best practices?
Businesses will need to ensure that they engage with their consumers regarding privacy in a transparent and open manner, by developing user interfaces and processes which incorporate ‘privacy by design’ as a core principle.
This means whenever personal information is to be collected for any reason, privacy should be front of mind and the processes and procedures for collecting, using, sharing and storing that information should be developed in a manner that automatically builds in compliance with the law.
Data breaches are still the main risk.
There are certain data security practices companies can look to ingrain in their employees.
Invest in IT security. Delete information you no longer need. Training people is extremely important. Use encryption. Think about having protections to minimise human error risks, eg a timer on external emails to allow recall.
Think very carefully about who you trust with your customers' data – don't just hand it over.
Do your due diligence. Document your decisions. And ensure robust agreements are in place: remedies for failure to look after the data, warranties and indemnities, and cooperation mechanisms, especially for data breaches, so you can respond promptly.
Which of these changes will be the most challenging in NZ?
The effectiveness of the current Privacy Act and the new Privacy Bill is largely reliant on PR and media pressure, that is, the risk of ending up on the front page if things go wrong.
Fines for non-compliance in New Zealand remain at a very low level.
In contrast, GDPR and the high-profile sanctions made as a result of it have scared many businesses into compliance.