NZ: Data breach guidelines here
Following several months of consultation on the August 2007 draft data breach notification guidelines, the Privacy Commissioner has now released a final version of the voluntary guidelines accompanied by an information paper.
The guidelines consist of two documents: Key Steps for Agencies in Responding to Privacy Breaches and a Privacy Breach Checklist.
In announcing the launch of the guidelines, Privacy Commissioner Marie Shroff says there is “a good case to require agencies by law to notify customers where a security breach puts those customers at risk…The voluntary guidelines are not inconsistent with New Zealand moving in due course to make breach notification mandatory.”
The Privacy Commissioner will give the voluntary guidelines 18-24 months before deciding whether mandatory rules are needed, either through her own statutory powers or by the Law Commission taking the question up as part of its current review of privacy laws.
The guidelines note that “agencies have duties to safeguard personal information under information privacy principle 5, and are encouraged to follow the guidance.” They set out four stages for managing a privacy breach:
1. Containing the breach and preliminary assessment;
2. Evaluating the risks;
3. Considering or undertaking notification; and
4. Putting in place future prevention strategies.
The guidelines remain “harm based”: a critical part is an assessment of the foreseeable harm to the individuals, agencies, and the general public. Direct notification to affected individuals is preferred over indirect means such as a website notice or the media. While “Agencies are encouraged to report material privacy breaches to the Office of the Privacy Commissioner”, the guidelines are silent on what constitutes a material privacy breach.
Now that the guidelines are here, it is sensible for government agencies and businesses to proactively conduct a security audit and put in place contingency plans to deal with any breaches that may occur.
It is also worth remembering that the source of many security incidents is internal, so a parallel review of policies and processes (including offsite backup and transportation of customer information) is a good idea.