New data privacy law will mandate reporting of ‘serious’ security incidents

The updated data breach legislation comes into effect tomorrow

New privacy laws will come into force across New Zealand tomorrow (December 1) as authorities tighten rules regarding data protection.

The Privacy Act 2020 will mandate that organizations must report “serious” data breaches immediately if there is a “risk of harm”.

The term “risk of harm” isn’t specifically defined in the Act (non-HTTPS link), however it is assumed to refer to any data that has been leaked outside of an organization or public body.

These rules apply to any data handlers based in New Zealand, as well as any overseas organizations that carry out business or collect data relating to New Zealand citizens.

The new law will replace the Privacy Act 1993.

Penalty notice

Under the Privacy Act 2020, data handlers could be fined up to NZ$10,000 ($7,000) for non-compliance.

While this may sound like a relatively low figure, the Office of the Privacy Commissioner can also make an official complaint to the Human Rights Tribunal, which carries a maximum penalty of NZ$230,000 ($162,000).

The Privacy Commissioner will also be granted broader powers to investigate a company or organization in relation to data protection practices or oversights.

Overseas services, such as cloud computing providers, acting in New Zealand will also have to ensure they comply with the country’s data protection laws.

A government tool, NotifyUs, has also been launched to help businesses and organizations ascertain whether they need to report a breach.


YOU MAY ALSO LIKE Changes to Japan’s data privacy law echo Europe’s GDPR


Businesses will be expected to appoint a privacy officer to oversee the compliance process and deal with any issues that arise.

They will liaise with the privacy regulator in the event of any breach of personal data, and will be responsible for issuing a report.

This is similar to Europe’s General Data Protection Regulation (GDPR), which also mandates that a privacy officer should be appointed to monitor internal compliance.

Privacy is precious

The new Privacy Act comes on the heels of a recent government campaign dubbed ‘Privacy is Precious’, which highlights the need to implement broader privacy protections.

“The Privacy Act 2020 introduces greater protections for individuals and some new obligations for businesses and organizations,” a notice on the New Zealand government website reads.

Ahead of the new law coming into effect, John Martin, senior security architect at IBM New Zealand, published a blog post on the (ISC)2 website advising organizations of any changes they might need to make.

“Remember the Privacy Act affects all organisations that collect, store and use personal information about their employees and/or customers,” Martin said.

“You must put in place appropriate controls to protect your data, wherever it exists and all the information that you use to run your organisation.”


READ MORE New Zealand launches data breach notification tool