NZ: update on data breach law

January 28, 2008 at 10:26 pm 3 comments

Back in August 2007, I had described the draft voluntary guidelines regarding data breach notifications as “quick and light.” The Dominion Post/Stuff website today says that, following public consultation, the Privacy Commissioner will give the guidelines 18 months to two years to take effect before deciding whether mandatory rules are required.

Lessons from other countries as well as “how businesses and government agencies abide by the guidelines” will be taken into account to determine if the guidelines become mandatory.

The Privacy Commissioner is further quoted as saying, “Our research has definitely shown there are downsides to mandatory guidelines as well as to voluntary guidelines. Mandatory guidelines always become somewhat rigid.”

The comments Stephen Revill made in the original post are still relevant. He thought that “The criteria used to provide guidance as to what a ‘material’ privacy breach is, can be best described as ‘fuzzy’…. If there are no clear rules, no clear incentives to comply and no way to measure how far the guidelines are being adhered to, then the law makers will not be in any better position when it comes time to decide whether a security breach notification law is needed.”

Hopefully this will be addressed over the next few weeks as the guidelines are finalised.

My personal opinion remains the same. I don’t think the level of data breaches in NZ is too high, and I think the actual consequent misuse rate is very low. However, I favour mandatory disclosure to the Office of the Privacy Commissioner so that the actual size of the problem is clear, there is no wiggle room from discretion, and there is sufficient incentive for organisations to improve the security of the personal information they hold.

Entry filed under: data_breach, government, NZ, personal_info, privacy.

3 Comments

  • 2. John Edwards  |  January 29, 2008 at 9:22 am

    I remain ambivalent about mandatory notification of breaches. What should be notified, and to whom? Should the obligation be to notify only “interferences with privacy”? If so, we need to be able to assess not only whether a breach of an information privacy principle has occurred, but whether it has caused some harm or significant humiliation etc. If the “victim” doesn’t know, how can they have been humiliated? Other values used are things such as “significant injury to feelings, or loss of dignity” – which are very subjective for an agency to determine.

    This week the Guardian has reported another security-in-transit breach in the UK. Ministry of Defence records with the personal information of 600 000 people on them have gone missing. Should the Ministry contact each of them? What about the records of about 25 million that were lost in the post from HM Customs last year?

    If we move away from the “interference with privacy” threshold, and simply impose an obligation to notify after a breach of an information privacy principle, we are on even less certain ground. A privacy officer in a hospital comes across a trolley containing medical files unattended in a corridor. Clearly a breach of IPP 5, because some unauthorised person could have exploited that breach. For all they know, someone could have browsed through a file or two. Should the hospital tell everyone whose files were on the trolley about the potential?

    On the other hand, where there is a clear and specific breach, I would agree that there should be a duty to notify. Where a police officer is detected vetting his babysitter in the Police computer, and improperly accessing records about the babysitter and her family, they should be told.

    It seems to me that what is required, as with many administrative decisions in this field, is a proportional response depending on the facts of the case before you. This suggests that a mandatory regime might be unsuitable. Perhaps a preferable approach would be to encourage the Commissioner and Tribunal to consider notification/failure to notify as mitigating/aggravating factors when assessing remedies and damages.

  • 3. Vikram  |  January 29, 2008 at 10:18 pm

    Thanks, John, for your insightful comments as usual.

    I agree that mandatory disclosure is a blunt instrument and therefore needs to be used with care, especially where the variety of situations is so great.
