NZ data breach law: quick and light

August 27, 2007 at 8:16 pm 5 comments

The Privacy Commissioner has swiftly followed up on her “something needs to be done” regarding data breach notifications by launching draft voluntary guidelines for public submissions.

Clearly timed to start the Privacy Awareness week with a bang, the guidelines are modelled on the Canadian ones (pdf, 253 KB).

The guidelines are “harm based” and leave it to organisations to make their own assessment and decisions about key aspects including which breaches require customers to be notified. They recommend that agencies ask the following questions to determine if notification is required:

  • What personal information was released or otherwise compromised?
  • How sensitive is the information?
  • What is the context (nature) of the personal information?
  • Is the personal information adequately encrypted, anonymised, or otherwise inaccessible?
  • How can the personal information be used?
  • Who received the personal information?
  • Will notification assist the affected individuals to mitigate harmful consequences?

All of this sounds sensible but the fact remains that they will be voluntary guidelines. How effective is that going to be? We’ll have to wait and see once the guidelines come into effect at the end of the year.

My guess is that they will be ineffective… and will become mandatory sooner rather than later. After all, most organisations when faced with a choice of burying an embarrassment with the help of legal eagles or coming clean in public are going to make the obvious choice.

The answer is to give them no choice.


Entry filed under: Canada, data_breach, fraud, identity, NZ, personal_info, privacy, security, strategy.

NZ Government authentication approach Aus: the folly of absolutes

5 Comments Add your own

  • 1. stephen revill  |  August 29, 2007 at 9:07 am

    I agree I think the guidelines (if unchanged) will not be effective.

    If mandatory security breach notification laws are to be avoided, then there needs to be some way to measure the extent to which organisations are complying with the voluntary guidelines.

    The guidelines themselves only require reporting to the Privacy Commssioner if the privacy breach is “material” . The criteria used to provide guidance as to what a “material” privacy breach is, can be best described as “fuzzy”.

    So too is are the guidelines around whether a privacy breach should be notified to the individuals concerned. The guidelines call on the organisation to make a number of judgement calls, before deciding whether or not to notify – being the same organisation whose reputation may be at risk if the occurrence of a major security breach should become public knowledge.

    If there are no clear rules, no clear incentives to comply and no way to measure how far the guidelines are being adhered to, then the law makers will be not be in any better position when it comes time to decide whether a security breach notification law is needed. Some form of register of those organisations who are preaped to comply, plus (say) some form of quarterly or half yearly reporting on the results of such compliance would be a useful first step.

    Stephen Revill

  • […] important given the moves to introduce guidelines or laws for data breach notifications, in both New Zealand and […]

  • 3. NZ: update on data breach law « Identity and Privacy Blog  |  January 28, 2008 at 10:26 pm

    […] 2007, I had called the draft voluntary guidelines regarding data breach notifications as “quick and light.” The Dominion Post/Stuff website today says following public consultation the Privacy […]

  • 4. NZ: Data breach guidelines here « Identity and Privacy Blog  |  February 25, 2008 at 10:53 pm

    […] 25, 2008 Following several months of consultation on the August 2007 draft data breach notification guidelines, the Privacy Commissioner has now released a final version of the voluntary guidelines accompanied […]

  • […] a kneejerk greeting to a latest headlines, such as Sony’s PlayStation Network hack. we had blogged about it behind in 2007. Many others have also called for creation presentation mandatory, […]


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.

Follow me on twitter

Error: Twitter did not respond. Please wait a few minutes and refresh this page.


%d bloggers like this: