Notes from the Asia-Pacific region: Breach could spark shift in New Zealand privacy law

The New Zealand privacy commissioner's inquiry into the Manage My Health data breach could lead to a notable shift in the country's privacy framework.

Contributors:
Daimhin Warner
CIPP/E
Country Leader, New Zealand, IAPP; Partner
Simply Privacy
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
The Office of the Privacy Commissioner of New Zealand's Phase 1 inquiry into the Manage My Health data breach may ultimately have long-lasting significance.
Among the recommendations in the May report is a proposal to amend the Privacy Act 2020 to make third-party service providers directly liable for failing to implement reasonable security safeguards. If adopted, the change would represent a notable shift in New Zealand's privacy framework.
The Privacy Act does not currently impose direct security obligations on processors equivalent to those found in some overseas jurisdictions. The Manage My Health inquiry exposed the limitations of that approach. The OPC found that both Manage My Health and Health New Zealand breached Rule 5 of the Health Information Privacy Code by failing to maintain reasonable security safeguards. The inquiry also identified shortcomings in governance, assurance and oversight arrangements.
Yet, New Zealand's existing legislative framework provides no direct accountability for service providers whose systems and controls contribute to such failures.
The recommendation is consistent with international regulatory approaches. Under the EU General Data Protection Regulation, for example, processors are subject to direct obligations to implement appropriate technical and organizational security measures. European regulators can investigate processors directly and impose significant penalties where those obligations are breached.
The rationale is straightforward. Modern organizations increasingly rely on cloud platforms, software-as-a-service providers and outsourced technology partners. In many cases, the processor controls key aspects of the security environment, including system architecture, vulnerability management, access controls and monitoring. Where processors exercise that level of operational control, it is difficult to argue that accountability should rest exclusively with the customer organization.
Importantly, direct processor liability would not diminish the responsibilities of customer organizations, which would still need to conduct due diligence, negotiate appropriate contractual protections and maintain effective oversight of suppliers. The Manage My Health inquiry itself demonstrates that inadequate vendor assurance can be a contributing factor in privacy failures.
Instead, the proposal would expand the accountability framework so that responsibility better reflects the realities of modern information processing. It would recognize that privacy and security outcomes are often shaped by decisions made by both organizations and their service providers.
Whether the recommendation ultimately results in legislative reform remains uncertain. However, it signals a potentially important shift in regulatory approach. If this proposal is accepted, the Manage My Health inquiry may be remembered not only as a major privacy breach investigation, but also as the catalyst for a fundamental change in New Zealand privacy law.
Coupled with the possible introduction of a financial penalties regime, this change would lift the risk profile for processors and move New Zealand closer to global best practice.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.