Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 20 December 2024

Yes.

☒  general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

IPP 5 of the Privacy Act requires an agency to ensure that personal information it holds is protected by such security safeguards as it is reasonable in the circumstances to take, against loss, and access, use, modification, or disclosure (except with the authority of the agency that holds the information), and other misuse.

☒  other

If it is necessary for an agency to give personal information it holds to a person in connection with the provision of a service to the agency, the agency must ensure that everything reasonably within the power of the agency is done to prevent unauthorized use or unauthorized disclosure of the information.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 20 December 2024

☒  telecommunication requirements

The Telecommunications (Interception Capability and Security) Act 2013 (TICS Act) places network security obligations on telecommunications network operators.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 20 December 2024

☒  Data privacy

The OPC issued a media statement on 25 September 2024 that after its inquiry into a grocery retailer’s facial recognition trial (initiated in April 2024), the Privacy Commissioner is now evaluating the results to better understand its privacy impacts and compliance with the Privacy Act. We expect to see the Privacy Commissioner’s findings in early 2025.

The OPC also issued a media release on 16 May 2024 clarifying its expectations around the 72-hour timeframe for reporting notifiable privacy breaches. The Privacy Act requires organizations to notify the Privacy Commissioner of serious privacy breaches as soon as practicable after becoming aware that a notifiable breach has occurred. The OPC expects organizations to notify it within 72 hours of becoming aware of a notifiable breach, but intends the timeframe to be a guide only, aimed at prompting early notification to the OPC. The OPC also acknowledged that in some cases:

  • it will be clear from the outset that a breach has occurred and it is notifiable; or
  • an organization may not discover the breach immediately or may need to undertake some enquiries to figure out whether a breach has occurred or is serious.

☐  financial services

The Financial Markets Authority (FMA) has introduced a new standard condition for certain market service license holders. The new condition came into effect in July 2024 and focuses on business continuity and technology systems. The standard condition applies to the following types of market service licenses:

  • Managers of registered schemes (but not restricted schemes)
  • Providers of discretionary investment management services
  • Derivatives issuers
  • Prescribed intermediary services (peer-to-peer lending providers and crowdfunding service providers)

The new standard condition requires license holders to have and maintain a business continuity plan that is appropriate for the scale and scope of their service. License holders are also required to ensure that their critical technology systems are operationally resilient. If a license holder suffers an event that materially affects the supply of its service, it must notify the FMA as soon as possible, and no later than 72 hours after it has determined that the event is a material incident. Notification can be made through the FMA's secure online notification form. The form is intended to be light-touch and, for Reserve Bank-regulated entities, to be compatible with the Reserve Bank cyber incident notification process.

The Reserve Bank of New Zealand ("Reserve Bank") has consulted about cyber data collection. The proposals on which it is consulting relate to:

  • A requirement to report all material cyber incidents as soon as practicable, but within 72 hours
  • A requirement to report all cyber incidents periodically, and
  • A periodic cyber resilience survey about organization capabilities

The Reserve Bank published the submissions and its response in March 2024. Generally, the respondents supported the direction of the Reserve Bank’s work on cyber resilience and supported the proposed approach to work closely with the FMA to make the reporting requirements consistent.

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 20 December 2024

Yes.

Privacy Act 2020

Under the Privacy Act 2020 (Privacy Act), there is a mandatory requirement for agencies to notify the regulator (New Zealand Privacy Commissioner) and affected individuals of "notifiable privacy breaches."

Under the Privacy Act:

A privacy breach, in relation to personal information held by an agency, means:

  • Unauthorized or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information, or
  • An action that prevents the agency from accessing the information on either a temporary or permanent basis, and
  • Includes any of the above matters, whether or not caused by a person inside or outside the agency or attributable in whole or in part to any action by the agency.

A notifiable privacy breach is a privacy breach that is reasonably believed to have caused, or to be likely to cause, serious harm to an affected individual or individuals.

The Privacy Act does not define "serious harm." However, when assessing the likelihood of serious harm, an agency must consider (among other things): [1]

  • Any action taken by the agency to reduce the risk of harm following the breach
  • Whether any personal information is sensitive in nature, and
  • The nature of the harm that may be caused to affected individuals

If, on assessment of all factors concerning the privacy breach, an agency determines that a notifiable privacy breach has occurred, the agency must, as soon as practicable after becoming aware that a notifiable privacy breach has occurred:

  • Notify the Privacy Commissioner in accordance with the notification requirements under the Privacy Act, and
  • Notify the affected individual(s) in accordance with the requirements under the Privacy Act, unless:
    • Notification to each affected individual is not reasonably practicable, in which case the agency must instead give public notice of the breach in accordance with the requirements under the Privacy Act; or
    • An exception to notifying the affected individual under the Privacy Act applies. Exceptions include (among other things) where the agency believes that the notification would be likely to prejudice the security or defense of New Zealand or the international relations of the Government of New Zealand, or endanger the safety of any person.

An agency may delay notifying an affected individual or giving public notice of a notifiable privacy breach (but not notifying the Privacy Commissioner) if the agency believes that a delay is necessary because notification or public notice may pose risks to the security of personal information held by the agency, and those risks outweigh the benefits of informing affected individuals. The delay may last only for the period during which such risks continue to outweigh the benefits.

If an agency fails to notify the Privacy Commissioner of a notifiable privacy breach without reasonable excuse, it could be liable on conviction to a fine not exceeding NZD10,000. If an agency fails to notify an affected individual or give public notice, this could be considered an interference with the privacy of an individual under the Privacy Act.

NotifyUs Tool and Data Safety Toolkit

The Privacy Commissioner's office has developed the NotifyUs tool (see https://www.privacy.org.nz/responsibilities/privacy-breaches/notify-us/), which can be used by organizations and businesses to determine whether or not a privacy breach is a notifiable privacy breach and to report them to the Privacy Commissioner.

____________________________________________________

[1] For a full list of factors to be considered by an agency in assessing "serious harm," please see section 113 of the Privacy Act here: https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS139444.html.

Controllers/Owners have to notify:

Last review date: 20 December 2024

☒  data protection authorities

☒  affected individuals

Controllers/owners of the personal information that is subject to the notifiable privacy breach are required to notify the Privacy Commissioner and affected individuals in accordance with the Privacy Act.

Processors/Agents have to notify:

Last review date: 20 December 2024

To the extent that a processor/agent is only processing or storing the personal information that is subject to the notifiable privacy breach, the processor/agent is not required to notify the Privacy Commissioner or affected individuals. The notification obligations under the Privacy Act are imposed on the controller/agency holding the personal information (which includes the agency on whose behalf the information is processed or stored).

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 20 December 2024

Yes.

☒  financial services requirements

☒  telecommunication requirements