NZ: Data breach guidelines here

February 25, 2008 at 10:53 pm

Following several months of consultation on the August 2007 draft data breach notification guidelines, the Privacy Commissioner has now released a final version of the voluntary guidelines accompanied by an information paper.

The guidelines consist of two documents: Key Steps for Agencies in Responding to Privacy Breaches and a Privacy Breach Checklist.

In announcing the launch of the guidelines, Privacy Commissioner Marie Shroff says there is “a good case to require agencies by law to notify customers where a security breach puts those customers at risk…The voluntary guidelines are not inconsistent with New Zealand moving in due course to make breach notification mandatory.”

The Privacy Commissioner will give the voluntary guidelines 18-24 months before deciding whether mandatory rules are needed, either through her own statutory powers or by the Law Commission taking it up as part of its current review of privacy laws.

The guidelines note that “agencies have duties to safeguard personal information under information privacy principle 5, and are encouraged to follow the guidance.” They describe four stages for managing a privacy breach:

1. Containing the breach and preliminary assessment;
2. Evaluating the risks;
3. Considering or undertaking notification; and
4. Putting in place future prevention strategies.

The guidelines remain “harm based”: a critical part is an assessment of the foreseeable harm to the affected individuals, the agency, and the general public. Direct notification to affected individuals is preferred over indirect means such as a website or the media. While “Agencies are encouraged to report material privacy breaches to the Office of the Privacy Commissioner”, the guidelines are silent on what constitutes a material privacy breach.

Now that the guidelines are here, it is sensible for government agencies and businesses to proactively conduct a security audit and put into place contingency plans to deal with any breaches that may occur.

It is also worth remembering that the source of many security incidents is internal, so a parallel review of policies and processes (including offsite backup and transportation of customer information) is a good idea.


Entry filed under: data_breach, NZ, personal_info, privacy, security.


3 Comments

  • 2. vikram kumar  |  February 29, 2008 at 12:53 am

    Hi, I am also Vikram Kumar, having a startup firm in Data Leakage Prevention. Your blog is really great. May I request you to write blogs for us. The url is If you are not interested to move from here then at least keep in touch. We would surely something from you. Bye

  • 3. Vikram  |  February 29, 2008 at 8:11 am

    Hello namesake! You guys seem to be doing some interesting stuff so good luck. Thanks for the offer but I think I’ll stick with trying to reduce personal data collected and let you guys prevent it from getting breached.
