Privacy Commissioner Marie Shroff is edging towards supporting a mandatory data-breach disclosure regime for government agencies now that voluntary guidelines have been finalised.
Shroff says some people thought that, because she was promoting voluntary guidelines, she did not support a change in the law to require organisations to notify affected individuals.
“However, I believe that there is a good case to require agencies by law to notify customers where a security breach puts those customers at risk,” she says.
Shroff says the voluntary guidelines are not inconsistent with such a move and will provide useful experience of disclosure.
“Both the Australian and Canadian Privacy Commissioners have called upon their governments to enact breach notification laws,” Shroff says. “The Australian Law Reform Commission has studied the question and proposed that this be done in Australia. I believe there is now enough experience to suggest that breach notification laws are a useful adjunct to comprehensive information privacy law.
“I encourage the Law Commission in its current privacy review to give special consideration to the usefulness and possible approach of a New Zealand breach notification law.”