In a move that is a stark reminder to employers of their obligations when collecting and holding personal information, the Office of the Privacy Commissioner has issued its first ever compliance notice under the new Privacy Act 2020 (Act).
On 15 September 2021, the Privacy Commissioner issued the Reserve Bank of New Zealand (RBNZ) a compliance notice informing it that it was in breach of its statutory obligations under the Act and a direction to comply with the Act’s requirements.
The Act, which came into force on 1 December 2020, strengthened privacy protections in New Zealand and sets out 12 Information Privacy Principles on how personal information should be collected, stored and disclosed. Personal information means information about an identifiable, living natural person.
The notice followed a cyber-attack that RBNZ suffered in December 2020, which lead to a serious data breach.
After identifying the cyber-attack RBNZ notified the Office of the Privacy Commissioner, which undertook a review of the breach. The findings revealed multiple areas of non-compliance with Information Privacy Principle 5.
Information Privacy Principle 5 (Storage and Security of Personal Information) requires agencies to ensure that personal information “is protected, by such security safeguards as are reasonable in the circumstances…” from loss and unauthorized access, modification, disclosure and other misuse.
Privacy Commissioner John Edwards considered that the cyber-attack was “a significant breach of one of the Bank’s security systems and raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information”. RBNZ consequently failed to adequately protect a subset of personal information it held, despite security safeguards.
The compliance notice requires RBNZ to improve its policies and processes to make its systems more secure for handling personal information. RBNZ’s compliance with the notice will be monitored by the Privacy Commissioner.
Failure to follow a compliance notice risks a $10,000 fine and negative publicity.
The details of the breach and RBNZ’s identity have been published by the Commissioner in accordance with his powers under the Act, on the grounds that it is desirable to do so in the public interest.
The Commissioner stated: “This compliance notice … provides a learning opportunity for the Bank, and for other agencies. We appreciate the maturity and openness the Bank have shown throughout this process, and hope that others, too, can learn from this situation.”
If they have not already done so, employers should implement a privacy policy to ensure that risks of a privacy breach are effectively identified and mitigated specifically in terms of the storage and security of personal information.
Please do not hesitate to reach out to a member of Lane Neave’s Employment Law Team if we can assist.
Click here for other Employment Law articles.