NZ: update on data breach law
Back in August 2007, I described the draft voluntary guidelines on data breach notification as “quick and light.” The Dominion Post/Stuff website today reports that, following public consultation, the Privacy Commissioner will give the guidelines 18 months to two years to take effect before deciding whether mandatory rules are required.
Lessons from other countries as well as “how businesses and government agencies abide by the guidelines” will be taken into account to determine if the guidelines become mandatory.
The Privacy Commissioner is further quoted as saying, “Our research has definitely shown there are downsides to mandatory guidelines as well as to voluntary guidelines. Mandatory guidelines always become somewhat rigid.”
The comments Stephen Revill made in the original post are still relevant. He thought that “The criteria used to provide guidance as to what a ‘material’ privacy breach is can be best described as ‘fuzzy’…. If there are no clear rules, no clear incentives to comply and no way to measure how far the guidelines are being adhered to, then the law makers will not be in any better position when it comes time to decide whether a security breach notification law is needed.”
Hopefully this will be addressed over the next few weeks as the guidelines are finalised.
My personal opinion remains the same. I don’t think the level of data breaches in NZ is too high, and I think the actual consequent misuse rate is very low. However, I favour mandatory disclosure to the Office of the Privacy Commissioner so that the actual size of the problem is clear, there is no wiggle room from discretion, and there is sufficient incentive for organisations to improve the security of the personal information they hold.