New Zealand’s Members of Parliament (MP) have revised the Privacy Bill regarding the required mandatory notifications to the Privacy Commissioner and affected individuals during a breach.
As reported, the Parliament’s justice select committee has increased the threshold from “harm” to “serious harm” in order to avoid a risk of ‘notification fatigue’, which may lead to “data breach complacency”.
Why increase the threshold?
Maintaining the threshold at “harm” may cause over-notification as this will force the holders of data to advise the public even if the data breaches are minor.
When data breach complacency is reached, such notices may eventually lose their effectiveness.
The revised bill has set out a range of factors that will determine if the breach is considered as “serious harm”. This includes:
- The actions the holder of data has taken to reduce the harm
- The sensitivity of the information
- The nature of the harm
- Those to whom the information might be disclosed
- Whether the information is protected by security measures
The new threshold would be similar to that which is operating in Australia, although the overall framework for Australia is slightly more complex.
With the revision, delay on the notification of a breach is allowed if it is determined that the holder of the data’s systems remains vulnerable, and making it known can accentuate any harm.
The new bill is more specific and clear, providing a much better framework to enable New Zealand businesses to protect the privacy of individuals as well as harness technology and data.
The select committee also proposed to extend the law to cover any actions of a New Zealand entity, which occurred whether they were inside or outside of the country.
The legislation will apply to all personal information collected or held by New Zealand entities, regardless of where the information was collected and where the person to whom the information relates, resides.
Plus, it will also apply to an overseas entity conducting business in the country, whether or not it had a bricks-and-mortar presence in New Zealand, or charged for goods or services, or made a profit from its business.
Entities with the intention of transferring information outside the country are required to consider proactively what privacy laws or safeguards apply to the organisation receiving the data.
New Zealand businesses need to ensure that their contracts with suppliers spelled out the circumstances of transferring data outside the country.
Exemptions to the Rule
Moreover, the select committee recommended that exemptions from the Privacy Act for news media be extended to include bloggers and investigative journalism that is published in book form.
State-owned broadcasters, such as TBNZ and RNZ, will also be granted the exemption for their news activities.
However, the exemption would be limited to those media that are subject to a regulator such as the Broadcasting Standards Authority or the country’s Media Council.
The Privacy Commissioner John Edwards said that the select committee had listened to submitters and its proposed bill would ensure the law addressed “some of the most pressing aspects of the modern digital economy”.