2012 'The year of the data breach' - Privacy Commissioner

The Privacy Commissioner has labelled 2012 the "year of the data breach."

“This year has been marked for us by major public sector data breaches. Notable were the ACC spreadsheet breach in March and MSD kiosk breach in October. These losses of data have highlighted the urgent need for far better security and respect by government agencies for New Zealanders’ personal information,” said Privacy Commissioner Marie Shroff as she released her Annual Report today.

“The public sector can’t afford to be complacent. It’s quite clear that agencies holding large amounts of personal information need to place greater value on that information asset.  They need to develop strong leadership and a culture of respect for privacy, as well as day to day policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation. There has been far too little focus on the fact that there are real people behind the masses of information that government agencies hold,” said Ms Shroff.

“A recent TV One Colmar Brunton poll showed that 60% of New Zealanders don’t trust government departments to protect their personal details. The public sector runs on trust – it’s the fuel in the government engine. Recent events threaten that in a very real way,” said Ms Shroff.

“Our own 2012 UMR privacy survey showed general concern about privacy has risen sharply in the last decade. 88% of respondents said they wanted business punished if they misused personal information, and 97% said I should have the power to order a company to stop the breaching the Privacy Act.”

“Data breach notification isn’t currently required by law, but the Law Commission recently recommended that it should be made compulsory where breaches put people at risk. That would bring New Zealand law into line with practice overseas,” said Ms Shroff.

Although the Commissioner supports a Privacy Act update that will require mandatory reporting of data breaches, the legislation is taking a while to wind its way through Parliament.

It had its first reading in February and the select committee reported back in June - but it has yet to find its way back to the floor of the house.

Credit reporting change
Ms Shroff's report also highlights Amendment 7 to the Credit Reporting Code, permitting more comprehensive credit reporting, came into effect in April 2012.

The amendments represent a fundamental shift in credit reporting in New Zealand. The new system will, for the first time, allow credit reporters to collect records on the actual amounts of credit extended to individuals. Lenders will upload information, on a monthly basis, showing whether or not individuals have met their monthly credit repayments.

The new system will amass much larger collections of detailed and sensitive financial information on New Zealanders. The Code changes have introduced special measures to ensure a high level of compliance and to provide protections to individuals. Annual assurance reports to the Privacy Commissioner will be required. A new provision for ‘credit freezes’ was introduced for individuals who are at special risk of identity fraud.

RAW DATA: Privacy Commissioner Annual Report 2012 (PDF)