SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Privacy Commissioner John Edwards tipped for top role as UK Information Commissioner
Fri, 27th Aug 2021

Privacy Commissioner John Edwards could well be a shoo-in for a place amongst the United Kingdom's top ranks after being named the preferred candidate for UK Information Commissioner.

The UK Parliament must now follow its processes and decide who will fill the Information Commissioner role. The result is expected within the next few weeks.

A statement from the Office of the Privacy Commissioner says, “While this consideration reflects the expertise of the Commissioner, it also reflects the work of the strong and stable team within the Office of the Privacy Commissioner and the results they have achieved for privacy in New Zealand.”

The Office of the Privacy Commissioner and the Privacy Commissioner himself have been the driving forces behind the refresh of New Zealand's Privacy Act and holding New Zealand's public and private organisations to account.

Barely four months after the Privacy Act 2020 came into force in December 2020, the Office noted a 97% increase in privacy breach notifications compared to the six months prior.

This is because the Privacy Act mandates that any organisation must report a privacy breach if it has the potential to cause serious harm, such as emotional or financial harm and identity theft.

In May this year, Edwards commented, “The law change means that if an organisation suffers a serious privacy breach, it should tell my Office as soon as practicable after becoming aware of the breach.

“The law change means that the privacy breach information we receive will now be comprehensive and more accurate. We intend to publish this information as a regular anonymised summary to help all organisations know where the greatest privacy risks are.”

The Office of the Privacy Commissioner has also been heavily involved in the Waikato District Health Board data breach saga, which occurred in May.

Edwards implored all DHBs to take a close look at their IT systems, especially gaps in their security identified in a review by the Ministry of Health.

“We understand from media reports that other DHBs may be aware of security vulnerabilities in their systems as a result of the audit undertaken last year,” Edwards said at the time.

“Our expectation would be that they should have taken, and if they have not, should now take, steps to act on any deficiencies in security.

“If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions.”

The fallout from the DHB data breach grew even larger when it was discovered that Radio New Zealand (RNZ) had illegally used leaked personal information to report on a story.

“This reporting would appear to raise quite significant ethical questions, and I would be concerned to think of journalists trawling through illegally obtained deeply sensitive personal information to identify and generate stories. The fact that one media source would appear to have done so may prompt others to do so - effectively creating a market for, and monetising, this very personal material.”

Beyond the past year's events, the Office of the Privacy Commissioner has undertaken significant work to ensure that New Zealand organisations are living up to the required privacy levels in all sectors.

The Office runs an annual Privacy Week, advocates for privacy regulations, and offers the Privacy Trust Mark to organisations' products that meet privacy best practices.