[BreachExchange] New Zealand Privacy Act: Updated data breach legislation comes into effect tomorrow

Destry Winant destry at riskbasedsecurity.com
Mon Nov 30 10:41:35 EST 2020


https://portswigger.net/daily-swig/new-zealand-privacy-act-updated-data-breach-legislation-comes-into-effect-tomorrow

New privacy laws will come into force across New Zealand tomorrow
(December 1) as authorities tighten rules regarding data protection.

The Privacy Act 2020 will mandate that organizations must report
“serious” data breaches immediately if there is a “risk of harm”.

The term “risk of harm” isn’t specifically defined in the Act;
however, it is assumed to refer to any data that has been leaked
outside of an organization or public body.

These rules apply to any data handlers based in New Zealand, as well
as any overseas organizations that carry out business or collect data
relating to New Zealand citizens.

The new law will replace the Privacy Act 1993.

Penalty notice

Under the Privacy Act 2020, data handlers could be fined up to
NZ$10,000 ($7,000) for non-compliance.

While this may sound like a relatively low figure, the Office of the
Privacy Commissioner can also make an official complaint to the Human
Rights Tribunal, which carries a maximum penalty of NZ$230,000
($162,000).

The Privacy Commissioner will also be granted broader powers to
investigate a company or organization in relation to data protection
practices or oversights.

Overseas services, such as cloud computing providers, acting in New
Zealand will also have to ensure they comply with the country’s data
protection laws.

A government tool, NotifyUs, has also been launched to help businesses
and organizations ascertain whether they need to report a breach.

Businesses will be expected to appoint a privacy officer to oversee
the compliance process and deal with any issues that arise.

They will liaise with the privacy regulator in the event of any breach
of personal data, and will be responsible for issuing a report.

This is similar to Europe’s General Data Protection Regulation (GDPR),
which also mandates that a privacy officer should be appointed to
monitor internal compliance.

Privacy is precious

The new Privacy Act comes on the heels of a recent government campaign
dubbed ‘Privacy is Precious’, which highlights the need to implement
broader privacy protections.

“The Privacy Act 2020 introduces greater protections for individuals
and some new obligations for businesses and organizations,” a notice
on the New Zealand government website reads.

Ahead of the new law coming into effect, John Martin, senior security
architect at IBM New Zealand, published a blog post on the (ISC)2
website advising organizations of any changes they might need to make.

“Remember the Privacy Act affects all organisations that collect,
store and use personal information about their employees and/or
customers,” Martin said.

“You must put in place appropriate controls to protect your data,
wherever it exists and all the information that you use to run your
organisation.”
