
Privacy Commissioner issues first “Compliance Notice”

Article date: 2021-09-17
Authors: Richard Massey
More Info Contacts: Laura Littlewood Tania Goatley Richard Massey Kristin Wilson
Related AoE: Expertise>Privacy and data protection; Expertise>Information, communications and technology; Expertise>Cyber security; Expertise>Consumer law

The Office of the Privacy Commissioner (OPC) has used new powers under the Privacy Act 2020 to issue its first “Compliance Notice”.


The notice was issued to the Reserve Bank of New Zealand (RBNZ), in relation to the highly publicised cyber-attack in 2020 which exposed various weaknesses in the RBNZ's security measures.

Compliance Notices are one of a range of new enforcement powers introduced under the Privacy Act in December last year. The new powers reflect the OPC's broader focus on proactively managing compliance with the Privacy Act, rather than being focused predominantly on responding to complaints.

Background

RBNZ was the victim of a cyber-attack in December 2020 that resulted in a significant breach of one of RBNZ's systems. The breach raised the possibility of systemic weakness in RBNZ's systems and processes for protecting personal information. RBNZ notified the breach to the OPC and engaged KPMG to undertake an independent review of its systems and processes. The OPC's and KPMG's investigations ultimately found multiple instances of non-compliance with Information Privacy Principle (IPP) 5. IPP 5 requires agencies to ensure the safe storage and security of personal information.

What is a “Compliance Notice”?

Under the new Privacy Act, the OPC has the power to issue a Compliance Notice to any agency that is not meeting its obligations under the Act. A Compliance Notice may require an agency to do, or stop doing, something in order to comply with the Privacy Act. Compliance Notices are enforceable through the Human Rights Review Tribunal, and failure to comply with one carries a fine of up to $10,000 and may attract adverse publicity.

The Compliance Notice issued to the RBNZ sets out specific improvements required to its internal policies and procedures to safeguard personal information and satisfy IPP 5. These must be achieved within stipulated timeframes and will be monitored by the OPC. The OPC has highlighted the “positive” way the RBNZ dealt with the aftermath of the attack, reminding other agencies of the benefits of adopting a cooperative approach.

Implications

The Compliance Notice provides a timely reminder for all agencies to ensure that their privacy practices (including security policies and procedures) are up to date with the requirements of the new Privacy Act. For further information, including a summary of all changes, refer to our Guide to the Privacy Act 2020.

If you require assistance please get in touch with our privacy team or your usual Bell Gully advisor.