Chandra Tandukar

What If Reporting Data Breach Incidents Becomes Mandatory? – New Zealand Privacy Act 1993

Updated: Dec 10, 2019

Yes, the Government of New Zealand is planning to make data breach reporting mandatory, effective in 2020. This is confirmed by an article from the Privacy Commissioner and by news published in popular media such as Stuff.

In March 2018, a bill was introduced in Parliament. It will replace the Privacy Act 1993 and give New Zealand an up-to-date privacy law framework. The reformed law will make it compulsory to report a data breach incident with potential harm to the Privacy Commissioner.

Here are some of the major changes that will be enforced for data breaches or privacy breaches.

Privacy Bill 2018, Clause 117

The clause defines "privacy breach" specifically as:

  • Any unauthorized or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or

  • An action that prevents the agency from accessing the information on either a temporary or permanent basis.

For example:

  • Inadvertent access to information;

  • Inadvertently sending information to the wrong person (often caused by auto-completion);

  • Loss or theft of a device containing customer information;

  • Hack of the database containing personal information;

  • Incorrect disposal of confidential documents;

  • Password sharing;

  • Data sharing using portable media

Privacy Bill 2018, Clause 118

This clause makes it mandatory for an agency to report a notifiable privacy breach to the Privacy Commissioner as soon as practicable after it becomes aware of the breach.

Privacy Bill 2018, Clause 119

This clause deals with notifying the affected individuals, or giving public notice, about the occurrence of a privacy breach or the risk of potential harm.

Privacy Bill 2018, Clause 121

This clause sets out the information an agency must include in its notification to the Commissioner. The notification must include:

  1. Number of individuals affected (if known)

  2. Identification of any suspect who may possess the information after the privacy breach (if known)

  3. Steps taken, or intended to be taken, in response to the privacy breach

  4. Details of any other agency contacted after the breach, with the reason, and

  5. Contact details of a person within the agency for any inquiry (the Data Protection Officer if possible)

The agency must also notify the affected individual about the same matter, alongside the notification made to the Commissioner, and inform the individual of his or her right to make a complaint to the Commissioner.

Privacy Bill 2018, Clause 122

This clause sets a penalty of up to $10,000 if the agency fails to comply with the above-mentioned requirements. In addition, the affected individual may file a case with the Human Rights Tribunal for interference with privacy.


The above information is derived from the following links:



