Holding organisations to account: mandatory data breach reporting
Accountability and transparency – everyone else is doing it
Data protection is at the forefront of our minds. We only need to look at the media coverage of the Facebook and Cambridge Analytica scandal, the incoming European General Data Protection Regulation and the reform of our own Privacy Act (which is now a quarter of a century old). The spotlight is on all public and private sector organisations to be accountable for the personal information they hold and be transparent in their practices.
The changes proposed by the Privacy Bill have two primary aims: restoring individuals’ confidence that agencies will keep their personal information secure; and providing the Privacy Commissioner with greater powers to address failures by agencies to handle personal information appropriately.
A new feature of the Privacy Bill that seeks to achieve these aims is mandatory breach reporting. It is intended to bring New Zealand’s regime into line with the approaches in Europe, the majority of the United States, Canada and Australia, and follow the recommendations in the Law Commission’s review of the Privacy Act.
What is proposed?
While mandatory breach reporting is consistent with the approach in comparable jurisdictions, it has sparked debate in the business community. This is particularly because of the breadth of the Privacy Bill’s mandatory reporting of “harmful” privacy breaches.
As currently proposed, the Privacy Bill would require an agency to notify the Privacy Commissioner and affected individuals if there has been unauthorised or accidental access to, or disclosure of, personal information, that caused harm, or if there is a risk that it could cause harm, to an individual. The definition of a harmful privacy breach is framed very broadly. For example, it includes action that has caused, or may cause, loss, detriment, damage, or injury to the individual or has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.
An unreasonable compliance burden?
As the Bill is currently drafted, the regime arguably creates a tension between satisfying the objectives of breach reporting and placing an unreasonable compliance burden on agencies. For example, it would require companies to adopt robust procedures to ensure self-reporting of a breach that may affect only one person.
There are also related issues such as what the Commissioner would do with such information. Would the Commissioner publish something similar to the Commerce Commission’s list of traders that generate Fair Trading Act complaints? This would certainly meet the “deterrent” objective of mandatory breach reporting and buy into the “name and shame” approach that some regulators take.
In speaking to the NBR recently, the Privacy Commissioner commented that “in terms of substance, there is anxiety I think about how mandatory breach notification will work and whether the formulation in the current Bill is clear enough for people to know their obligations”.
In our view, the anxiety is well-founded. This is particularly so when considering the approach to mandatory breach reporting in Australia which came into force in February this year. The Australian legislation includes an express reasonableness standard that is not reflected in the Privacy Bill. In Australia, a data breach must be reported when a reasonable person concludes that the unauthorised action is likely to result in serious harm to the individual. Canada has also adopted the reasonableness standard in their federal law which comes into force in November this year.
Reasonableness standard – will we follow?
With mandatory breach reporting likely to feature in any new legislation, at least in some form, it will be interesting to see whether the Select Committee recommends adopting an express reasonableness standard to narrow down the circumstances in which an agency is required to report. This would be in line with comparable jurisdictions and may reduce some of the anxiety felt by New Zealand businesses.
Submissions on the Privacy Bill close on 24 May 2018.