
Interview: Businesses must prepare for privacy regulation update

02 Aug 2019

As the risk of data breaches increases, regulators are tightening compliance requirements to ensure technology users can trust service providers with their data.

Kensington Swan commercial and technology partner Hayley Miller shares her views on the legal data privacy and compliance landscape in New Zealand and what companies can do to prepare for what’s coming.

Miller will also be presenting on the topic at the IT Architecture Forum in September.

What are some of the legislative and case law changes to be aware of at the moment?

The Privacy Act 1993 (Privacy Act) is currently the primary legislation for data privacy protection in New Zealand. 

It is principles-based, so has stood pretty well for the last 25 years of technological change. 

However, it is now out of step with many other jurisdictions' approach to personal information.

It is currently the subject of proposed repeal and replacement by a new Privacy Bill currently before Parliament.

Among some of the changes being put forward are the express inclusion of overseas agencies within the reach of the Bill, the introduction of a mandatory data breach reporting regime, and a provision requiring agencies that want to disclose personal information outside of New Zealand to satisfy specific criteria.

There will be a number of new criminal offences.

For example, it will be an offence (with a fine not exceeding $10,000) to mislead an agency in a manner that will affect another person’s information and to knowingly destroy documents containing personal information where a request has been made for it.

Agencies who fail to report breaches to the Commissioner under the new mandatory reporting regime will be liable for fines of up to $10,000.

Additionally, the Bill clarifies that if a cloud service provider is not using or disclosing a customer’s information for its own purposes, that information will be treated as being held by the customer.

As a consequence, it will be the cloud service provider’s customer who will be liable for any privacy breaches by the cloud service provider. (This was the generally accepted position anyway.)

What are the trends driving the introduction of these law changes?

Because we live in a global digital economy, privacy regulation in New Zealand takes its cues from regulation in other jurisdictions - in particular, the GDPR.

Even though NZ privacy law doesn’t go anywhere near as far as the European Global Data Protection Regulation (GDPR), consumer expectations and the global privacy environment are changing thanks to the publicity the GDPR is bringing to the privacy landscape.

Consumers are becoming more aware of where and to whom their personal information is being disclosed and how it’s being collected, and have elevated their expectations of how transparent they expect businesses to be when it comes to the use of their online footprint.

Cyber-crime and technology have become more sophisticated, bringing with them many security challenges and opportunities.

Data breaches are increasingly common and the potential consequences to an individual are not immaterial.

Large economies are looking to align their regulation to facilitate cross-border trade and act ‘in concert’ to temper the power of multinational technology companies that risk becoming laws unto themselves due to their ability to infiltrate every home or phone connected to the internet.

The fines under GDPR are also substantial, an indication of how seriously data protection is being taken by regulators.

How will these affect current IT system design and development best practices?

Businesses will need to ensure that they engage with their consumers regarding privacy in a transparent and open manner, by developing user interfaces and processes which incorporate ‘privacy by design’ as a core principle.

This means whenever personal information is to be collected for any reason, privacy should be front of mind and the processes and procedures for collecting, using, sharing and storing that information should be developed in a manner that automatically builds in compliance with the law.

Data breaches are still the main risk.

There are certain data security practices companies can look to ingrain in their employees.

Invest in IT security. Delete information you no longer need. Training people is extremely important. Use encryption. Think about having protections to minimise human error risks, e.g. a timer on external emails to allow recall.

Think very carefully about who you trust with your customers’ data – don’t just hand it over.

Do your due diligence. Document your decisions. And ensure robust agreements are in place – remedies for failure to look after the data; warranties and indemnities – and ensure cooperation mechanisms are in place, especially for data breaches, so you can respond promptly.

Which of these changes will be the most challenging in NZ?

The effectiveness of the current Privacy Act and the new Privacy Bill is largely reliant on PR and media pressure of ending up on the front page if things go wrong.

Fines remain at a very low level for New Zealand compliance. 

In contrast, GDPR and the high-profile sanctions made as a result of it have scared many businesses into compliance.

Register for the IT Architecture Forum to hear more of Hayley's insights.
