Kia ora koutou,
Ngā mihi o te tau hou (happy new year) from New Zealand. As is customary down here, things are getting off to a slow start, with many privacy professionals still enjoying their summer vacations. However, as in the rest of the world, the overriding sentiment here in Aotearoa is hope that 2021 will be a better year than 2020.
The Office of the NZ Privacy Commissioner released its annual report at the end of December 2020. As well as outlining the office’s activities for the year ended 30 June 2020, the report provides some insight into the office’s new direction as part of implementing the Privacy Act 2020. Dubbed “Privacy 2.0,” the commissioner’s reassessed approach includes establishing a new Compliance and Enforcement team to act on systemic issues that meet the office’s enforcement priorities and establishing a new Strategy and Insights function to develop a new Te Ao Māori and privacy strategy and monitor and understand emerging trends.
It is worth noting the commissioner’s strategic outcomes, reiterated in the report, which focus on an enabling privacy approach and reflect the commissioner’s previous call to big tech companies to take more responsibility for protecting personal information. Of the three strategic outcomes — 1. Increased citizen and consumer trust in the digital economy; 2. Promoting and supporting innovation; and 3. Increased influence to improve personal information practices — the second will be of particular interest to privacy professionals. This outcome has seen, and will see, the commissioner and his staff working with agencies to encourage innovation while keeping personal information safe. This pragmatic approach to privacy regulation, which ensures privacy is not seen as a barrier to progress, will be critical to maintaining the engagement of public and private sector agencies in the coming years. The Commissioner’s Privacy Trust Mark scheme has played an important part in rewarding agency efforts to design privacy into innovation and transformation, and this is likely to become more visible as NZ agencies mature in the privacy space.
The commissioner is also anticipating a five to seven times increase in the number of privacy breach notifications he receives as a result of the new mandatory breach notification scheme introduced in December 2020. In the last reporting period, the office received 205 voluntary notifications. If the commissioner’s prediction is correct, this will mean a significant new workload for the office but also a wealth of information for privacy professionals about trends and patterns in privacy breaches across NZ.
One such breach is receiving particular attention currently and has rocked the banking industry in NZ. The Reserve Bank of NZ (NZ’s central bank) reported 10 Jan. that one of its data systems (a third-party file-sharing service) had been breached by a potential hacker, exposing sensitive personal and commercial information. With media interest in the breach increasing daily, several outlets have reported that the RBNZ had previously been warned about underinvestment in cybersecurity.
Finally, the recent social media bans on U.S. President Donald Trump have received some interesting attention from the privacy commissioner here in NZ, with the commissioner stating publicly that he believes these bans are “arbitrary, cynical, unprincipled and further evidence that regulation of social media platforms is urgently required.”
As 2021 gets underway, expect to see some great content and virtual and in-person events coming from the IAPP. Here in NZ, we have appointed new chairs to our Auckland and Wellington KnowledgeNet chapters, who have already started the planning process for events in our major centers. The IAPP is also planning several events to mark international Data Privacy Day 28 Jan.
Ngā mihi nui