Law Commission backs mandatory breach notification

Updated: InternetNZ and NZCS hail move; Commission recommends compliance-order, audit power for Privacy Commissioner

The Law Commission has added its weight to Privacy Commissioner Marie Shroff’s view in recommending that reporting of serious privacy breaches be made mandatory.

The point is included among 136 recommendations in a document titled Review of the Privacy Act, which forms the fourth and last stage of the Commission’s massive four-part review of the law of privacy.

The Law Commission also recommends new powers for the Privacy Commissioner, in particular the power to issue a compliance notice to an organisation that has breached the Act’s privacy principles, requiring that it bring its practices in line with the Act. “Subject to some limitations,” says the Commission’s report, “the notice would bind the agency to comply and failure to do so would result in a penalty.”

This takes the Privacy Commissioner’s powers beyond the current emphasis on negotiation following a complaint. The power to issue compliance orders provides a remedy for cases where “breaches have been identified but there has been no complaint”, perhaps because those offended against fear the consequences of complaining, says the Law Commission. It also allows action in the event that the organisation has simply ignored the provisions of a negotiated settlement.

The suggested power to require an organisation to act even in the absence of a complaint is, however, seen as involving a specific offending organisation or an identified group of them, says law commissioner Professor John Burrows, who coordinated the privacy study. There is no power to require an industry in general to remedy a widespread fault – what current Privacy Commissioner Marie Shroff has called “privacy pollution”. Such a provision could be too “vague” and hence difficult to interpret and enforce, says Burrows.

The Law Commission also recommends the Privacy Commissioner have the power to require an audit to be conducted of an organisation’s privacy practices. Currently, this can only be done if the organisation requests an audit.

The advance of digital technology and the specific challenges that presents are cited as a key reason for a number of the recommendations. The report recommends new provisions for information on NZ subjects that is sent overseas or placed in a cloud that may be powered by an overseas data centre.

“Where a New Zealand agency sends personal information offshore to be stored or processed on its behalf, the agency should remain fully responsible for what happens to that information,” the report says.

Information sharing and information matching are discussed early in the report, which recommends defining sharing agreements more rigorously. “Currently, attempts to share information do not always work satisfactorily,” says the report, “with agencies taking different views on what the law permits.”

The government last year requested a separate report from the Commission on information sharing in advance of the Privacy Act report; this was published at the end of March this year and is included as an appendix to the present report. Another appendix summarises the Commission’s thinking on information matching. Much of this is technical, seeking to resolve ambiguities in definition.

The Commission recommends against extending the strictures against government data matching to the private sector, but suggests public-private partnerships raise particular issues. These should be “revisited when the Act is next reviewed”, something Burrows says he hopes will happen in about five years, not the 28 years between the passage of the Act in 1993 and the present review.

The report, having been tabled in Parliament, will now be considered by government before it drafts the amendments to the law that it sees as desirable.

NZCS, InternetNZ laud move

The NZ Computer Society and InternetNZ both issued statements [on 2 August] welcoming the Law Commission’s recommendation and particularly the recommendation to introduce mandatory reporting of “data breaches”. The Commission uses this term, it says, to cover the overlapping classes of “privacy breach” and “security breach”.

NZCS CEO Paul Matthews says “NZCS strongly supports the mandatory disclosure of serious security breaches and welcomes the recommendation from the Law Commission to finally put this in place in New Zealand.

“One of the fundamental concepts of privacy is control of your own information. Being made aware of when this information falls into the wrong hands is essential,” Matthews says.

InternetNZ chief executive Vikram Kumar says “the Law Commission has done a fantastic and thorough job in addressing an area that’s of increasing concern to many New Zealanders. The internet provides us with a great platform for innovation. Yet its very nature challenges societal norms like privacy that are themselves evolving. The Law Commission’s report is therefore very welcome.”

A number of recommendations that InternetNZ made to the Commission have been adopted, Kumar says. “The biggest one is making it mandatory for people to be notified if their personal information has been lost, stolen, or inappropriately accessed. It’s a way to let people know what’s occurred and what steps they can take.

“By making notification contingent upon seriousness of breaches, rather than a blanket requirement, it addresses the downside of too many notifications leading to ‘notification fatigue’,” Kumar says.