Last review date: 20 December 2024
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
IPP 5 of the Privacy Act requires an agency to ensure that personal information it holds is protected by such security safeguards as are reasonable in the circumstances to take, against loss; against access, use, modification, or disclosure (except with the authority of the agency that holds the information); and against other misuse.
☒ other
If it is necessary for an agency to give personal information it holds to a person in connection with the provision of a service to the agency, the agency must ensure that everything reasonably within its power is done to prevent unauthorized use or unauthorized distribution of the information.
Last review date: 20 December 2024
☒ telecommunication requirements
The Telecommunications (Interception Capability and Security) Act 2013 (TICS Act) places network security obligations on telecommunications network operators.
Last review date: 20 December 2024
☒ Data privacy
The OPC issued a media statement on 25 September 2024 that after its inquiry into a grocery retailer’s facial recognition trial (initiated in April 2024), the Privacy Commissioner is now evaluating the results to better understand its privacy impacts and compliance with the Privacy Act. We expect to see the Privacy Commissioner’s findings in early 2025.
The OPC also issued a media release on 16 May 2024 clarifying its expectations around the 72-hour timeframe for reporting notifiable privacy breaches. The Privacy Act requires organizations to notify the Privacy Commissioner of serious privacy breaches as soon as practicable after becoming aware that a breach is a notifiable breach. The OPC expects organizations to notify it within 72 hours of becoming aware of a notifiable breach, but it intends the timeframe as a guide only, to encourage prompt notification to the OPC. Furthermore, the OPC clarified that in some cases:
☐ financial services
The Financial Markets Authority (FMA) has introduced a new standard condition for certain market service license holders. The new standard condition came into effect in July 2024 and focuses on business continuity and technology systems. It is relevant to the following types of market service licenses:
The new standard condition requires license holders to have and maintain a business continuity plan that is appropriate for the scale and scope of their service. License holders are also required to ensure that their critical technology systems are operationally resilient. If a license holder suffers an event that materially affects the supply of its service, it must notify the FMA as soon as possible, and no later than 72 hours after it has determined that the event is a material incident. Notification can be made through the FMA's secure online notification form. The form is intended to be light-touch and, for Reserve Bank-regulated entities, to be compatible with the Reserve Bank cyber incident notification process.
The Reserve Bank of New Zealand ("Reserve Bank") has consulted about cyber data collection. The proposals on which it is consulting relate to:
The Reserve Bank published the submissions and its response in March 2024. Generally, the respondents supported the direction of the Reserve Bank’s work on cyber resilience and supported the proposed approach to work closely with the FMA to make the reporting requirements consistent.
Last review date: 20 December 2024
Yes.
Privacy Act 2020
Under the Privacy Act 2020 (Privacy Act), there is a mandatory requirement for agencies to notify the regulator (New Zealand Privacy Commissioner) and affected individuals of "notifiable privacy breaches."
Under the Privacy Act:
A privacy breach, in relation to personal information held by an agency, means:
A notifiable privacy breach is a privacy breach that is reasonably believed to have caused, or to be likely to cause, serious harm to an affected individual or individuals.
The Privacy Act does not define "serious harm." However, when assessing the likelihood of serious harm, an agency must consider (among other things): [1]
If, on assessment of all factors concerning the privacy breach, an agency determines that a notifiable privacy breach has occurred, the agency must, as soon as practicable after becoming aware that a notifiable privacy breach has occurred:
An agency may delay notifying an affected individual or giving public notice of a notifiable privacy breach (but not the Privacy Commissioner) if the agency believes that a delay is necessary because notification/public notice may have risks to the security of personal information held by the agency and those risks outweigh the benefits of informing affected individuals. The delay must only occur for a period during which such risks continue to outweigh the benefits.
If an agency fails to notify the Privacy Commissioner of a notifiable privacy breach without reasonable excuse, it could be liable on conviction to a fine not exceeding NZD10,000. If an agency fails to notify an affected individual or give public notice, this could be considered an interference with the privacy of an individual under the Privacy Act.
NotifyUs Tool and Data Safety Toolkit
The Privacy Commissioner's office has developed the NotifyUs tool (see https://www.privacy.org.nz/responsibilities/privacy-breaches/notify-us/), which can be used by organizations and businesses to determine whether or not a privacy breach is a notifiable privacy breach and to report them to the Privacy Commissioner.
____________________________________________________
[1] For a full list of factors to be considered by an agency in assessing "serious harm," please see section 113 of the Privacy Act here: https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS139444.html.
Last review date: 20 December 2024
☒ data protection authorities
☒ affected individuals
Controllers/owners of the personal information that is subject to the notifiable privacy breach are required to notify the Privacy Commissioner and affected individuals in accordance with the Privacy Act.
Last updated: 20 December 2024
To the extent that a processor/agency is only processing/storing the personal information that is subject to the notifiable privacy breach, the processor/agency is not required to notify the Privacy Commissioner or affected individuals. The notification obligations under the Privacy Act are imposed on the controller/agency holding the personal information (which includes the agency on whose behalf the information is processed/stored).