NZ data breach law: quick and light
Their release is clearly timed to start Privacy Awareness Week with a bang, and the guidelines themselves are modelled on the Canadian ones (pdf, 253 KB).
The guidelines are “harm based” and leave it to organisations to make their own assessment of, and decisions about, key aspects, including which breaches require customers to be notified. They recommend that agencies ask the following questions to determine whether notification is required:
- What personal information was released or otherwise compromised?
- How sensitive is the information?
- What is the context (nature) of the personal information?
- Is the personal information adequately encrypted, anonymised, or otherwise inaccessible?
- How can the personal information be used?
- Who received the personal information?
- Will notification assist the affected individuals to mitigate harmful consequences?
All of this sounds sensible, but the fact remains that they will be voluntary guidelines. How effective is that going to be? We’ll have to wait and see once the guidelines come into effect at the end of the year.
My guess is that they will be ineffective… and will become mandatory sooner rather than later. After all, most organisations, when faced with a choice between burying an embarrassment with the help of legal eagles and coming clean in public, are going to make the obvious choice.
The answer is to give them no choice.